NewEraCracker
Joined: 23 Aug 2010 Posts: 36
Posted: Fri 09 Sep '11 18:04 Post subject: mod_antiloris.c improved (v0.5.2) for Apache 2.2 and 2.4
Information:
Code: |
========================================
mod_antiloris for Apache httpd 2.2 / 2.4
========================================
Modified by NewEraCracker - 2012/04/28
Thanks fly to apachelounge.com and apachehaus.com for their work
Intro:
======
There are some new DoS vectors for apache apart from the original slowloris
attack.
The improved mod_antiloris adds support for SERVER_BUSY_WRITE and other states
in order to mitigate DoS attacks better.
The version number is bumped to 0.5, semantics of the error message are changed
a bit and build issues with Visual Studio (for windows apache) are fixed.
Changes:
========
0.5.0
Added SERVER_BUSY_WRITE, SERVER_BUSY_KEEPALIVE, SERVER_BUSY_DNS,
SERVER_BUSY_LOG, SERVER_CLOSING, SERVER_GRACEFUL state checking
0.5.1
Added compatibility with apache 2.4
0.5.2
Improved compatibility with apache 2.4
Increased default max connections to 20
Removed SERVER_CLOSING, SERVER_GRACEFUL state checking
Source code:
============
mod_antiloris-0.4-tar.bz2..: Original mod_antiloris 0.4 source package
mod_antiloris.c............: Improved mod_antiloris (version 0.5.2)
Version 0.5.2 mod_antiloris.so binaries:
========================================
x86_2.2_vc6...: For Apache 2.2.x win32 VC6 apache.org binaries
x86_2.2_vc9...: For Apache 2.2.x win32 VC9 apachelounge.com binaries
x86_2.2_vc10..: For Apache 2.2.x win32 VC10 apachelounge.com binaries
x86_2.4_vc9...: For Apache 2.4.x win32 VC9 apachelounge.com binaries
x86_2.4_vc10..: For Apache 2.4.x win32 VC10 apachelounge.com binaries
x64_2.2_vc9...: For Apache 2.2.x win64 VC9 apachehaus.com binaries
x64_2.2_vc10..: For Apache 2.2.x win64 VC10 apachelounge.com binaries
x64_2.4_vc9...: For Apache 2.4.x win64 VC9 apachehaus.com binaries
x64_2.4_vc10..: For Apache 2.4.x win64 VC10 apachelounge.com binaries
Installation:
=============
1. Copy the correct build of mod_antiloris.so to apache modules directory
2. Add the following to httpd.conf to load the module
LoadModule antiloris_module modules/mod_antiloris.so
3. Restart Apache httpd
Configuration:
==============
You can change the default 20 connections per IP.
Just add this to your httpd.conf :
<IfModule antiloris_module>
IPReadLimit 50
</IfModule>
The above would increase the limit to 50
Credits:
========
Author: Kees Monshouwer
|
Download links:
Code: |
http://www.mediafire.com/download.php?zqpkkkq37iu8px6
http://www.mirrorcreator.com/files/0AWAE3VE/
http://www.mirrorcreator.com/files/AVLGWZK2/
|
Hashes:
Code: |
Filename: mod_antiloris_v0.5.2_28.04.2012_for_apache_2.2_2.4.7z
MD5: 38406982931417d64ac4481d39a34d21
SHA-1: ed5803c2190cca8bcbe36c1985a1363a98e42245
|
Last edited by NewEraCracker on Sat 28 Apr '12 18:27; edited 7 times in total |
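The changelog in the post above comes down to which scoreboard states are charged to a client's address. As an added example (not code from the module or from this post), the sketch below replays the same counting walk over a constructed scoreboard; the `slot` struct, the mask names, `over_limit` and the sample addresses are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the states named in the thread; values are not httpd's. */
enum state { READY, BUSY_READ, BUSY_WRITE, BUSY_KEEPALIVE, BUSY_DNS,
             BUSY_LOG, CLOSING, GRACEFUL };
#define BIT(s) (1u << (s))
enum {  /* states counted toward the limit, per the changelog */
    MASK_0_4   = BIT(BUSY_READ),
    MASK_0_5_2 = MASK_0_4 | BIT(BUSY_WRITE) | BIT(BUSY_KEEPALIVE) |
                 BIT(BUSY_DNS) | BIT(BUSY_LOG),
    MASK_0_5_0 = MASK_0_5_2 | BIT(CLOSING) | BIT(GRACEFUL)
};
struct slot { enum state status; const char *client; };

/* Same walk as the module: count this IP's slots that are in a counted state. */
static int count_for_ip(const struct slot *sb, int n, const char *ip, unsigned mask)
{
    int i, count = 0;
    for (i = 0; i < n; ++i)
        if ((mask & BIT(sb[i].status)) && strcmp(ip, sb[i].client) == 0)
            count++;
    return count;
}
/* The module's test: reject once the count exceeds the configured limit. */
static int over_limit(int count, int limit) { return count > limit; }

/* Constructed scoreboard: one client with many slots, one unrelated client. */
static int build_sample(struct slot *sb)
{
    static const struct { enum state st; int n; const char *ip; } mix[] = {
        { BUSY_READ, 2, "203.0.113.7" }, { BUSY_WRITE, 10, "203.0.113.7" },
        { BUSY_KEEPALIVE, 6, "203.0.113.7" }, { CLOSING, 4, "203.0.113.7" },
        { BUSY_READ, 3, "198.51.100.9" }
    };
    int i, j, n = 0;
    for (i = 0; i < (int)(sizeof mix / sizeof mix[0]); ++i)
        for (j = 0; j < mix[i].n; ++j, ++n) {
            sb[n].status = mix[i].st;
            sb[n].client = mix[i].ip;
        }
    return n;
}

int main(void)
{
    struct slot sb[32];
    int n = build_sample(sb), v;
    unsigned m[] = { MASK_0_4, MASK_0_5_0, MASK_0_5_2 };
    for (v = 0; v < 3; ++v)   /* order: 0.4, 0.5.0, 0.5.2; limit 20 */
        printf("%d\n", over_limit(count_for_ip(sb, n, "203.0.113.7", m[v]), 20));
    return 0;
}
```

With the limit at 20, the same client is allowed under the 0.4 rule (2 slots counted), rejected under 0.5.0 (22) and allowed again under 0.5.2 (18).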

bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
Posted: Fri 09 Sep '11 18:48
Hello,
I use the apache vc9 version from apachelounge so...
Is it normal that I must use the vc6 version?
The vc9 version makes apache unable to start, with a sidebyside error in the windows xp event viewer.

NewEraCracker
Joined: 23 Aug 2010 Posts: 36
Posted: Sat 10 Sep '11 0:30
Hello,
I've tested the build of this module in my computer with Apache Vc6 (from apache.org) and Apache Vc9 (from http://www.apachelounge.com/download/ ) in Windows 7 and it worked.
Given your report, I have tested the vc9 build in Windows XP and there was an issue that has been fixed in the new package.
mod_antiloris.so vc9 build is now just 8kb.
I believe I didn't use the correct VC9 settings. (DLL doesn't need subsystem in linker. I gotta remember that)
Thanks for the heads up

maskego
Joined: 16 Apr 2010 Posts: 238
Posted: Sat 10 Sep '11 11:51
Can this version be used with apache 2.2.20 VC9 now? Does it have the correct VC9 settings now?
Can apachelounge or apachehaus provide the download link?

bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
Posted: Sat 10 Sep '11 11:58
Hello,
Do you update links on the first post ?
Thanks |

admin Site Admin
Joined: 15 Oct 2005 Posts: 692
Posted: Sat 10 Sep '11 12:04
@bagu,
For VC9 apachelounge binary, do not forget to install the Visual C++ 2008 Redistributable Package, see the Readme.txt in the zip.
A sidebyside error is what you get when not installed.
Steffen |

maskego
Joined: 16 Apr 2010 Posts: 238
Posted: Sat 10 Sep '11 12:07
Has anyone tested the new version for apache 2.2.20 from apachelounge?
Does it work better than mod_antiloris-0.4? Where can I get the changelog?

bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
Posted: Sat 10 Sep '11 12:32
admin wrote: | @bagu,
For VC9 apachelounge binary, do not forget to install the Visual C++ 2008 Redistributable Package, see the Readme.txt in the zip.
A sidebyside error is what you get when not installed.
Steffen |
Already done... a long time ago
I re-downloaded the antiloris package and it seems to work fine now
Is there any way to have an exception for the IPReadLimit directive?
Something like 10 for everyone and 20 for 192.168.1.20?
Thanks

NewEraCracker
Joined: 23 Aug 2010 Posts: 36
Posted: Sat 10 Sep '11 14:16
maskego wrote: | Can this version be used with apache 2.2.20 VC9 now? Does it have the correct VC9 settings now? |
Yes. I tested it in windows xp
bagu wrote: | Hello,
Do you update links on the first post ?
Thanks |
The link in the first post has been updated already
maskego wrote: | Does it work better than mod_antiloris-0.4? Where can I get the changelog? |
My version contains fixes to protect against DoS attacks which use http POST protocol and Keep-Alive
bagu wrote: |
Is there any way to have an exception for the IPReadLimit directive?
Something like 10 for everyone and 20 for 192.168.1.20 ?
Thanks |
Unfortunately there are no exceptions.
10 is a good limit. If you face issues increase to 20. |

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Sun 11 Sep '11 0:11
Your editor sadly changed the line endings and the tabbing. So the diff is not so easy to read. Can you please create that diff file so I can view the changes you made?

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sun 11 Sep '11 0:26
by quick look, as far as I can tell is some indentation fixes and cases were added
case SERVER_BUSY_WRITE:
case SERVER_BUSY_KEEPALIVE:
case SERVER_BUSY_DNS:
case SERVER_BUSY_LOG:
case SERVER_CLOSING:
case SERVER_GRACEFUL:
I wonder, how can the server be DOSed on write? Well, ok, I can think of a way but it will timeout eventually. Also, SERVER_CLOSING is closing the connection iirc and therefore will be freeing up the connection .... no? |

maskego
Joined: 16 Apr 2010 Posts: 238
Posted: Sun 11 Sep '11 0:47
gl:
So,the new ver of mod_antiloris is not efficiently fix issues than mod_antiloris0.4?
Maybe not to upgrade the new version first.
Can you please compile the new version of mod_antiloris to fix the issues that pre-version can't make it? |

NewEraCracker
Joined: 23 Aug 2010 Posts: 36
Posted: Sun 11 Sep '11 14:28
James Blond wrote: | Your editor sadly changed the line endings and the tabbing. So the diff is not so easy to read. Can you please create that diff file so I can view the changes you made? |
I believe the line endings are still the default ones \n. About the tabs, it was inconsistent in original, randomly using 4 spaces and tabs at same time.
glsmith wrote: | by quick look, as far as I can tell is some indentation fixes and cases were added
case SERVER_BUSY_WRITE:
case SERVER_BUSY_KEEPALIVE:
case SERVER_BUSY_DNS:
case SERVER_BUSY_LOG:
case SERVER_CLOSING:
case SERVER_GRACEFUL:
I wonder, how can the server be DOSed on write? Well, ok, I can think of a way but it will timeout eventually. Also, SERVER_CLOSING is closing the connection iirc and therefore will be freeing up the connection .... no? |
I had that status codes from limitipconn module.
From my experience, I've seen servers being DoSed on write using SlowPOST DoS attacks and in keep-alive state by sending hundreds of HEAD requests against php files.
maskego wrote: | gl:
So,the new ver of mod_antiloris is not efficiently fix issues than mod_antiloris0.4? |
This version fixes the issues I exposed in the 1st post
maskego wrote: | Maybe not to upgrade the new version first.
Can you please compile the new version of mod_antiloris to fix the issues that pre-version can't make it? |
The links in the 1st post are the new ones, for VC9, mod_antiloris.so is 8kb and loads ok in apachelounge build in windows 7 and windows xp.
-------------
Here is a diff --ignore-all-space -uN
Code: |
--- mod_antiloris.c Tue Jul 28 14:27:42 2009
+++ mod_antiloris.c Fri Sep 9 13:22:40 2011
@@ -1,5 +1,5 @@
/*
- mod_antiloris 0.2
+ mod_antiloris 0.5
Copyright (C) 2008 Monshouwer Internet Diensten
Author: Kees Monshouwer
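Review bot: The version number in the header comment at the top of the file is maintained by hand separately from MODULE_VERSION and had already drifted (the comment said 0.2 while the define said 0.4). Instead of bumping both to 0.5, drop the number from the comment and leave MODULE_VERSION as the single place where the version is stated.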
@@ -26,7 +26,7 @@
#include "scoreboard.h"
#define MODULE_NAME "mod_antiloris"
-#define MODULE_VERSION "0.4"
+#define MODULE_VERSION "0.5"
module AP_MODULE_DECLARE_DATA antiloris_module;
@@ -58,6 +58,8 @@
/* Parse the IPReadLimit directive */
static const char *ipreadlimit_config_cmd(cmd_parms *parms, void *mconfig, const char *arg)
{
+ signed long int limit;
+
antiloris_config *conf = ap_get_module_config(parms->server->module_config, &antiloris_module);
const char *err = ap_check_cmd_context (parms, GLOBAL_ONLY);
@@ -65,7 +67,7 @@
return err;
}
- signed long int limit = strtol(arg, (char **) NULL, 10);
+ limit = strtol(arg, (char **) NULL, 10);
/* No reasonable person would want more than 2^16. Better would be
to use LONG_MAX but that causes portability problems on win32 */
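Review bot: The changed strtol call still passes a NULL end pointer, so an IPReadLimit argument with trailing junk such as "50x" is accepted as 50 and a non-numeric argument silently becomes 0. Since the line is being touched anyway, pass a char *end to strtol and return a configuration error when end == arg or *end != '\0', before the upper-bound check that the following comment refers to.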
@@ -80,7 +82,7 @@
/* Array describing structure of configuration directives */
static command_rec antiloris_cmds[] = {
- AP_INIT_TAKE1("IPReadLimit", ipreadlimit_config_cmd, NULL, RSRC_CONF, "Maximum simultaneous connections in READ state per IP address"),
+ AP_INIT_TAKE1("IPReadLimit", ipreadlimit_config_cmd, NULL, RSRC_CONF, "Maximum simultaneous connections per IP address"),
{NULL}
};
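Review bot: The new help string "Maximum simultaneous connections per IP address" does not say which connection states are counted, and the directive is still called IPReadLimit. List the counted states in the description, or state that the name is kept for compatibility, so an administrator who sized the limit for READ-only counting knows it now applies to more connections.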
@@ -109,6 +111,8 @@
static int pre_connection(conn_rec *c)
{
+ char *client_ip;
+
antiloris_config *conf = ap_get_module_config (c->base_server->module_config, &antiloris_module);
sb_handle *sbh = c->sbh;
@@ -125,7 +129,7 @@
ws_record = &ap_scoreboard_image->servers[sbh->child_num][sbh->thread_num];
apr_cpystrn(ws_record->client, c->remote_ip, sizeof(ws_record->client));
- char *client_ip = ws_record->client;
+ client_ip = ws_record->client;
/* Count up the number of connections we are handling right now from this IP address */
for (i = 0; i < server_limit; ++i) {
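Review bot: client_ip points at ws_record->client, which apr_cpystrn has bounded to sizeof(ws_record->client), and ws_record is then reassigned inside the loop that follows, so the pointer's target is easy to misread. Declare it const char * since it is only read, and add a comment that the comparison uses the scoreboard's copy of the address, which may be shorter than c->remote_ip if the field is too small for it.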
@@ -133,6 +137,12 @@
ws_record = ap_get_scoreboard_worker(i, j);
switch (ws_record->status) {
case SERVER_BUSY_READ:
+ case SERVER_BUSY_WRITE:
+ case SERVER_BUSY_KEEPALIVE:
+ case SERVER_BUSY_DNS:
+ case SERVER_BUSY_LOG:
+ case SERVER_CLOSING:
+ case SERVER_GRACEFUL:
if (strcmp(client_ip, ws_record->client) == 0)
ip_count++;
break;
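Review bot: The added SERVER_CLOSING and SERVER_GRACEFUL labels charge a client for slots that are already finishing, so an address can hit the limit on connections it is no longer holding open; consider dropping those two. The remaining added states each need a short comment saying why they are counted, because with all of them falling through to the same ip_count++ the limit becomes a cap on nearly every busy slot from one address rather than on slots waiting for a request.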
@@ -143,7 +153,7 @@
}
if (ip_count > conf->limit) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "Rejected, too many connections in READ state from %s", c->remote_ip);
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "[client %s] Antiloris rejected, too many connections", c->remote_ip);
return OK;
} else {
return DECLINED;
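Review bot: The reworded ap_log_error call still passes NULL as the server argument and no longer says what was counted, so a rejection cannot be tied to the server that took the connection or to the limit that was hit. Pass c->base_server, which the function already dereferences for its config, and include ip_count and conf->limit in the message. A one-line comment on why the over-limit branch returns OK while the normal path returns DECLINED would also help the next reader.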

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Mon 12 Sep '11 0:33
I have not had those problems, but I am using mod_antiloris 0.4 in conjunction with mod_reqtimeout which is treating me well, but I do not have a very heavily visited server either. I see nothing wrong with these additions, I have not given it a try either. I was just more mentioning what changes I saw and had a question about the one.
cheers |

NewEraCracker
Joined: 23 Aug 2010 Posts: 36
Posted: Tue 20 Sep '11 14:15
This module also works in apache 2.2.21 |

puertoblack2003
Joined: 31 Jul 2009 Posts: 121 Location: U.S
Posted: Sat 24 Sep '11 6:36
NewEraCracker wrote: | This module also works in apache 2.2.21 |
can you compile a 64 bit version. I normally get them from here. http://www.apachehaus.com/cgi-bin/download.plx
thanks

NewEraCracker
Joined: 23 Aug 2010 Posts: 36
Posted: Sat 24 Sep '11 16:11
puertoblack2003 wrote: | NewEraCracker wrote: | This module also works in apache 2.2.21 |
can you compile a 64 bit version. I normally get them from here. http://www.apachehaus.com/cgi-bin/download.plx
thanks |
I know apachehaus has x64 apache I could use their libs to build modules from source, unfortunately I don't have any x64 box at the moment neither Visual Studio 2008 in another location except my computer. |

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA

puertoblack2003
Joined: 31 Jul 2009 Posts: 121 Location: U.S
Posted: Sun 25 Sep '11 17:17
thank you guys... awesome job. |

flexy123
Joined: 06 Mar 2012 Posts: 1
Posted: Wed 07 Mar '12 16:36
Hi guys, i have a question about this mod.
I downloaded and installed this on my hybrid server since i recently get hit either by slow loris attacks or bad bots from China. I also installed the mod_reqtimeout.
There are several problems and i wonder how you guys go about this:
When I set MAX_PER_IP to 20, 40 even... this is still not enough since in my apache error log I still see plenty of connections rejected by antiloris.
This wouldn't be really a problem...but the way how it's handled is like that those connections are simply rejected resulting that things are not getting loaded in the browser anymore.
Say, i have a page with 30 pictures...and the max_per_ip setting in antiloris would be 20.....means that 10 pictures are simply not getting loaded. (Or whatever other elements of a page).
I see this is really a problem because this basically means i can never be sure whether a site visitor gets actually all content of a page due to this limitation. Would there be a workaround somehow to still limit connections per IP but making sure that all content eventually also gets loaded?
(A hypothetical solution would be that the denied requests are not just simply rejected..but somehow queued and then opened at a later time if the # of connections is down again???)
**
The other related question is about this mod together with cloudflare.
I am now using mod_cloudflare to display the *real* IP of visitors...but just wondering whether this is enough or whether there might be other problems with cloudflare and mod_antiloris?
ty !
by the way using Apache 2.2.22, prefork MPM |