Topic: mod_antiloris.c improved (v0.5.2) for Apache 2.2 and 2.4

NewEraCracker
Joined: 23 Aug 2010
Posts: 36

Posted: Fri 09 Sep '11 18:04    Post subject: mod_antiloris.c improved (v0.5.2) for Apache 2.2 and 2.4

Information:
Code:

========================================
mod_antiloris for Apache httpd 2.2 / 2.4
========================================

Modified by NewEraCracker - 2012/04/28
Thanks fly to apachelounge.com and apachehaus.com for their work

Intro:
======

There are some new DoS vectors for apache apart from the original slowloris
attack.

The improved mod_antiloris adds support for SERVER_BUSY_WRITE and other states
in order to mitigate DoS attacks better.

The version number is bumped to 0.5, semantics of the error message are changed
a bit and build issues with Visual Studio (for windows apache) are fixed.


Changes:
========

0.5.0
Added SERVER_BUSY_WRITE, SERVER_BUSY_KEEPALIVE, SERVER_BUSY_DNS,
SERVER_BUSY_LOG, SERVER_CLOSING, SERVER_GRACEFUL state checking

0.5.1
Added compatibility with apache 2.4

0.5.2
Improved compatibility with apache 2.4
Increased default max connections to 20
Removed SERVER_CLOSING, SERVER_GRACEFUL state checking


Source code:
============

mod_antiloris-0.4-tar.bz2..: Original mod_antiloris 0.4 source package
mod_antiloris.c............: Improved mod_antiloris (version 0.5.2)


Version 0.5.2 mod_antiloris.so binaries:
========================================

x86_2.2_vc6...: For Apache 2.2.x win32 VC6  apache.org binaries
x86_2.2_vc9...: For Apache 2.2.x win32 VC9  apachelounge.com binaries
x86_2.2_vc10..: For Apache 2.2.x win32 VC10 apachelounge.com binaries
x86_2.4_vc9...: For Apache 2.4.x win32 VC9  apachelounge.com binaries
x86_2.4_vc10..: For Apache 2.4.x win32 VC10 apachelounge.com binaries

x64_2.2_vc9...: For Apache 2.2.x win64 VC9  apachehaus.com binaries
x64_2.2_vc10..: For Apache 2.2.x win64 VC10 apachelounge.com binaries
x64_2.4_vc9...: For Apache 2.4.x win64 VC9  apachehaus.com binaries
x64_2.4_vc10..: For Apache 2.4.x win64 VC10 apachelounge.com binaries


Installation:
=============

1. Copy the correct build of mod_antiloris.so to apache modules directory

2. Add the following to httpd.conf to load the module
   LoadModule antiloris_module modules/mod_antiloris.so

3. Restart Apache httpd


Configuration:
==============

You can change the default 20 connections per IP.
Just add this to your httpd.conf :

<IfModule antiloris_module>
    IPReadLimit 50
</IfModule>

The above would increase the limit to 50


Credits:
========

Author: Kees Monshouwer


Download links:
Code:

http://www.mediafire.com/download.php?zqpkkkq37iu8px6
http://www.mirrorcreator.com/files/0AWAE3VE/
http://www.mirrorcreator.com/files/AVLGWZK2/


Hashes:
Code:

Filename: mod_antiloris_v0.5.2_28.04.2012_for_apache_2.2_2.4.7z
MD5: 38406982931417d64ac4481d39a34d21
SHA-1: ed5803c2190cca8bcbe36c1985a1363a98e42245


Last edited by NewEraCracker on Sat 28 Apr '12 18:27; edited 7 times in total
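
How the set of counted scoreboard states changes what the per-IP limit sees, as an added example that is not part of the original post and not the module's source. The enum, the slot struct, the helper names and the sample addresses are constructed for illustration; the state sets follow the changelog in the post above.

```c
#include <stdio.h>
#include <string.h>
/* Simplified stand-ins for Apache's scoreboard worker states (this example's own names). */
enum state { ST_READY, ST_READ, ST_WRITE, ST_KEEPALIVE, ST_DNS, ST_LOG, ST_CLOSING, ST_GRACEFUL };
struct slot { enum state status; const char *client; };

#define BIT(s) (1u << (s))
/* States counted by each version, following the changelog in the post above. */
#define SET_0_4   (BIT(ST_READ))
#define SET_0_5_2 (SET_0_4 | BIT(ST_WRITE) | BIT(ST_KEEPALIVE) | BIT(ST_DNS) | BIT(ST_LOG))
#define SET_0_5_0 (SET_0_5_2 | BIT(ST_CLOSING) | BIT(ST_GRACEFUL))

/* Count the slots held by `ip` whose state is in the `counted` bitmask. */
static int count_for_ip(const struct slot *sb, int n, const char *ip, unsigned counted) {
    int i, hits = 0;
    for (i = 0; i < n; i++)
        if ((counted & BIT(sb[i].status)) && strcmp(sb[i].client, ip) == 0)
            hits++;
    return hits;
}

/* Append `k` slots in state `st` for `ip`; returns the new slot count. */
static int fill(struct slot *sb, int n, int k, enum state st, const char *ip) {
    while (k-- > 0) { sb[n].status = st; sb[n].client = ip; n++; }
    return n;
}

/* Constructed scoreboard: one address holding many slow slots, one ordinary client. */
static int build_sample(struct slot *sb) {
    int n = fill(sb, 0, 2, ST_READ, "203.0.113.7");
    n = fill(sb, n, 12, ST_WRITE,     "203.0.113.7");
    n = fill(sb, n, 8,  ST_KEEPALIVE, "203.0.113.7");
    n = fill(sb, n, 3,  ST_CLOSING,   "203.0.113.7");
    return fill(sb, n, 3, ST_READ, "198.51.100.9");
}

/* Build the constructed scoreboard and count one address under one state set. */
static int sample_count(const char *ip, unsigned counted) {
    struct slot sb[32];
    return count_for_ip(sb, build_sample(sb), ip, counted);
}

int main(void) {
    int limit = 20;  /* the 0.5.2 default; the comparison mirrors ip_count > limit */
    printf("0.4 rejects: %d, 0.5.2 rejects: %d\n",
           sample_count("203.0.113.7", SET_0_4) > limit,
           sample_count("203.0.113.7", SET_0_5_2) > limit);
    return 0;
}
```

With the same 25 slots held by one address, the 0.4 state set sees only the two in READ state, while the 0.5.2 set sees 22 and the 0.5.0 set also counts the three that are already closing.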

bagu
Joined: 06 Jan 2011
Posts: 193
Location: France

Posted: Fri 09 Sep '11 18:48

Hello,

I use apache vc9 version from apachelounge so...
Is it normal that I must use vc6 version ?

Vc9 version makes apache unable to start with a sidebyside error in windows xp event viewer.

NewEraCracker
Joined: 23 Aug 2010
Posts: 36

Posted: Sat 10 Sep '11 0:30

Hello,

I've tested the build of this module in my computer with Apache Vc6 (from apache.org) and Apache Vc9 (from http://www.apachelounge.com/download/ ) in Windows 7 and it worked.
Given your report, I have tested the vc9 build in Windows XP and there was an issue that has been fixed in the new package.

mod_antiloris.so vc9 build is now just 8kb.
I believe I didn't use the correct VC9 settings. (DLL doesn't need subsystem in linker. I gotta remember that) Laughing

Thanks for the heads up Smile

maskego
Joined: 16 Apr 2010
Posts: 238

Posted: Sat 10 Sep '11 11:51

Can this version be used with apache 2.2.20 VC9 now? Does it have correct VC9 settings now? Very Happy

Can apachelounge or apachehaus provide the download link?

bagu
Joined: 06 Jan 2011
Posts: 193
Location: France

Posted: Sat 10 Sep '11 11:58

Hello,

Do you update links on the first post ?
Thanks Wink

admin
Site Admin
Joined: 15 Oct 2005
Posts: 692

Posted: Sat 10 Sep '11 12:04

@bagu,


For VC9 apachelounge binary, do not forget to install the Visual C++ 2008 Redistributable Package, see the Readme.txt in the zip.

A sidebyside error is what you get when not installed.

Steffen

maskego
Joined: 16 Apr 2010
Posts: 238

Posted: Sat 10 Sep '11 12:07

Has anyone tested the new version for apache 2.2.20 from apachelounge?

Does it work fine than mod_antiloris-0.4? Confused: Where can I get the changelog?

bagu
Joined: 06 Jan 2011
Posts: 193
Location: France

Posted: Sat 10 Sep '11 12:32

admin wrote:
@bagu,


For VC9 apachelounge binary, do not forget to install the Visual C++ 2008 Redistributable Package, see the Readme.txt in the zip.

A sidebyside error is what you get when not installed.

Steffen


Already done...a long time ago Wink

I re-downloaded the antiloris package and it seems to work fine now

Is there any way to have exception for IPReadLimit directive ?

Something like 10 for everyone and 20 for 192.168.1.20 ?

Thanks

NewEraCracker
Joined: 23 Aug 2010
Posts: 36

Posted: Sat 10 Sep '11 14:16

maskego wrote:
Can this version be used with apache 2.2.20 VC9 now? Does it have correct VC9 settings now? Very Happy


Yes. I tested it in windows xp Smile

bagu wrote:
Hello,

Do you update links on the first post ?
Thanks Wink


The link in the first post has been updated already Smile

maskego wrote:
Does it work fine than mod_antiloris-0.4? Confused: Where can I get the changelog?


My version contains fixes to protect against DoS attacks which use http POST protocol and Keep-Alive

bagu wrote:

Is there any way to have exception for IPReadLimit directive ?

Something like 10 for everyone and 20 for 192.168.1.20 ?

Thanks


Unfortunately there are no exceptions.

10 is a good limit. If you face issues increase to 20.

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

Posted: Sun 11 Sep '11 0:11

Your editor sadly changed the line endings and the tabbing. So the diff is not so easy to read. Can you please create that diff file so I can view the changes you made?

glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Sun 11 Sep '11 0:26

by quick look, as far as I can tell is some indentation fixes and cases were added

case SERVER_BUSY_WRITE:
case SERVER_BUSY_KEEPALIVE:
case SERVER_BUSY_DNS:
case SERVER_BUSY_LOG:
case SERVER_CLOSING:
case SERVER_GRACEFUL:

I wonder, how can the server be DOSed on write? Well, ok, I can think of a way but it will timeout eventually. Also, SERVER_CLOSING is closing the connection iirc and therefore will be freeing up the connection .... no?

maskego
Joined: 16 Apr 2010
Posts: 238

Posted: Sun 11 Sep '11 0:47

gl:

So, the new ver of mod_antiloris is not efficiently fix issues than mod_antiloris0.4?

Maybe not to upgrade the new version first. Question

Can you please compile the new version of mod_antiloris to fix the issues that pre-version can't make it? Laughing

NewEraCracker
Joined: 23 Aug 2010
Posts: 36

Posted: Sun 11 Sep '11 14:28

James Blond wrote:
Your editor sadly changed the line endings and the tabbing. So the diff is not so easy to read. Can you please create that diff file so I can view the changes you made?


I believe the line endings are still the default ones \n. About the tabs, it was inconsistent in original, randomly using 4 spaces and tabs at same time.

glsmith wrote:
by quick look, as far as I can tell is some indentation fixes and cases were added

case SERVER_BUSY_WRITE:
case SERVER_BUSY_KEEPALIVE:
case SERVER_BUSY_DNS:
case SERVER_BUSY_LOG:
case SERVER_CLOSING:
case SERVER_GRACEFUL:

I wonder, how can the server be DOSed on write? Well, ok, I can think of a way but it will timeout eventually. Also, SERVER_CLOSING is closing the connection iirc and therefore will be freeing up the connection .... no?


I had those status codes from limitipconn module.

From my experience, I've seen servers being DoSed on write using SlowPOST DoS attacks and in keep-alive state by sending hundreds of HEAD requests against php files.

maskego wrote:
gl:

So, the new ver of mod_antiloris is not efficiently fix issues than mod_antiloris0.4?


This version fixes the issues I exposed in the 1st post


maskego wrote:
Maybe not to upgrade the new version first. Question

Can you please compile the new version of mod_antiloris to fix the issues that pre-version can't make it? Laughing


The links in the 1st post are the new ones, for VC9, mod_antiloris.so is 8kb and loads ok in apachelounge build in windows 7 and windows xp.

-------------

Here is a diff --ignore-all-space -uN
Code:

--- mod_antiloris.c   Tue Jul 28 14:27:42 2009
+++ mod_antiloris.c   Fri Sep  9 13:22:40 2011
@@ -1,5 +1,5 @@
 /*
-   mod_antiloris 0.2
+   mod_antiloris 0.5
    Copyright (C) 2008 Monshouwer Internet Diensten
 
    Author: Kees Monshouwer
@@ -26,7 +26,7 @@
 #include "scoreboard.h"
 
 #define MODULE_NAME "mod_antiloris"
-#define MODULE_VERSION "0.4"
+#define MODULE_VERSION "0.5"
 
 module AP_MODULE_DECLARE_DATA antiloris_module;
 
@@ -58,6 +58,8 @@
 /* Parse the IPReadLimit directive */
 static const char *ipreadlimit_config_cmd(cmd_parms *parms, void *mconfig, const char *arg)
 {
+   signed long int limit;
+
     antiloris_config *conf = ap_get_module_config(parms->server->module_config, &antiloris_module);
     const char *err = ap_check_cmd_context (parms, GLOBAL_ONLY);
     
@@ -65,7 +67,7 @@
    return err;
     }
     
-    signed long int limit = strtol(arg, (char **) NULL, 10);
+   limit = strtol(arg, (char **) NULL, 10);
 
     /* No reasonable person would want more than 2^16. Better would be
        to use LONG_MAX but that causes portability problems on win32 */
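Review bot: the `strtol(arg, (char **) NULL, 10)` call in `ipreadlimit_config_cmd` passes NULL for the end pointer, so a value such as `IPReadLimit abc` or `IPReadLimit 20x` is accepted without complaint and a non-numeric argument silently becomes 0. Pass a `char *end` instead and return an error string from the handler when `end == arg` or `*end != '\0'`, before the upper-bound handling that the following comment refers to.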
@@ -80,7 +82,7 @@
 
 /* Array describing structure of configuration directives */
 static command_rec antiloris_cmds[] = {
-    AP_INIT_TAKE1("IPReadLimit", ipreadlimit_config_cmd, NULL, RSRC_CONF, "Maximum simultaneous connections in READ state per IP address"),
+   AP_INIT_TAKE1("IPReadLimit", ipreadlimit_config_cmd, NULL, RSRC_CONF, "Maximum simultaneous connections per IP address"),
     {NULL}
 };
 
@@ -109,6 +111,8 @@
 
 static int pre_connection(conn_rec *c)
 {
+   char *client_ip;
+
     antiloris_config *conf = ap_get_module_config (c->base_server->module_config,  &antiloris_module);
     sb_handle *sbh = c->sbh;
     
@@ -125,7 +129,7 @@
     ws_record = &ap_scoreboard_image->servers[sbh->child_num][sbh->thread_num];
     apr_cpystrn(ws_record->client, c->remote_ip, sizeof(ws_record->client));
     
-    char *client_ip = ws_record->client;
+   client_ip = ws_record->client;
     
     /* Count up the number of connections we are handling right now from this IP address */
     for (i = 0; i < server_limit; ++i) {
@@ -133,6 +137,12 @@
            ws_record = ap_get_scoreboard_worker(i, j);
             switch (ws_record->status) {
            case SERVER_BUSY_READ:
+            case SERVER_BUSY_WRITE:
+            case SERVER_BUSY_KEEPALIVE:
+            case SERVER_BUSY_DNS:
+            case SERVER_BUSY_LOG:
+            case SERVER_CLOSING:
+            case SERVER_GRACEFUL:
                    if (strcmp(client_ip, ws_record->client) == 0)
                   ip_count++;
                     break;
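Review bot: the added `case SERVER_BUSY_KEEPALIVE:` makes idle keep-alive connections count toward the per-IP total, and `case SERVER_CLOSING:` / `case SERVER_GRACEFUL:` count slots that are already being released, so a browser opening parallel connections, or several users behind one NAT address, can reach a limit that was chosen for READ-state connections only. Consider dropping the last two cases, revisiting the default limit to match the wider count, and stating in the documentation which states are now included.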
@@ -143,7 +153,7 @@
     }
     
     if (ip_count > conf->limit) {
-   ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "Rejected, too many connections in READ state from %s", c->remote_ip);
+      ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "[client %s] Antiloris rejected, too many connections", c->remote_ip);
    return OK;
     } else {
    return DECLINED;
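Review bot: the `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, ...)` call passes NULL as the server, so every rejection lands in the main error log whatever virtual host the connection was for, and one WARNING line is written per rejected connection, which lets a single flooding address fill the log. Log through the connection instead (`ap_log_cerror` with `c`, which also supplies the client prefix that the new format string builds by hand) and consider logging only the first rejection per address within an interval.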

glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Mon 12 Sep '11 0:33

I have not had those problems, but I am using mod_antiloris 0.4 in conjunction with mod_reqtimeout which is treating me well, but I do not have a very heavily visited server either. I see nothing wrong with these additions, I have not given it a try either. I was just more mentioning what changes I saw and had a question about the one.

cheers Very Happy

NewEraCracker
Joined: 23 Aug 2010
Posts: 36

Posted: Tue 20 Sep '11 14:15

This module also works in apache 2.2.21 Smile

puertoblack2003
Joined: 31 Jul 2009
Posts: 121
Location: U.S

Posted: Sat 24 Sep '11 6:36

NewEraCracker wrote:
This module also works in apache 2.2.21 Smile


can you compile a 64 bit version. I normally get them from here. http://www.apachehaus.com/cgi-bin/download.plx

thanks

NewEraCracker
Joined: 23 Aug 2010
Posts: 36

Posted: Sat 24 Sep '11 16:11

puertoblack2003 wrote:
NewEraCracker wrote:
This module also works in apache 2.2.21 Smile


can you compile a 64 bit version. I normally get them from here. http://www.apachehaus.com/cgi-bin/download.plx

thanks

I know apachehaus has x64 apache, I could use their libs to build modules from source, unfortunately I don't have any x64 box at the moment nor Visual Studio 2008 in another location except my computer.

glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Sun 25 Sep '11 1:45

I can:

https://www.apachehaus.net/modules/


Last edited by glsmith on Tue 24 Apr '12 23:59; edited 1 time in total

puertoblack2003
Joined: 31 Jul 2009
Posts: 121
Location: U.S

Posted: Sun 25 Sep '11 17:17

thank you guys... awesome job.

flexy123
Joined: 06 Mar 2012
Posts: 1

Posted: Wed 07 Mar '12 16:36

Hi guys, I have a question about this mod.

I downloaded and installed this on my hybrid server since I recently get hit either by slow loris attacks or bad bots from China. I also installed the mod_reqtimeout.

There are several problems and I wonder how you guys go about this:

When I set MAX_PER_IP to 20, 40 even....this is still not enough since in my apache error log I still see plenty of connections rejected by antiloris.

This wouldn't be really a problem...but the way how it's handled is like that those connections are simply rejected resulting that things are not getting loaded in the browser anymore.

Say, I have a page with 30 pictures...and the max_per_ip setting in antiloris would be 20.....means that 10 pictures are simply not getting loaded. (Or whatever other elements of a page).

I see this is really a problem because this basically means I can never be sure whether a site visitor gets actually all content of a page due to this limitation. Would there be a workaround somehow to still limit connections per IP but making sure that all content eventually also gets loaded?

(A hypothetical solution would be that the denied requests are not just simply rejected..but somehow queued and then opened at a later time if the # of connections is down again???)

**

The other related question is about this mod together with cloudflare.

I am now using mod_cloudflare to display the *real* IP of visitors...but just wondering whether this is enough or whether there might be other problems with cloudflare and mod_antiloris?

ty !

by the way using Apache 2.2.22, prefork MPM