ports/69623: [NEW PORT] www/mod_dosevasive20: An Apache 2 module to try to protect HTTP DoS or DDoS attacks

Xavier Beaudouin kiwi at oav.net
Mon Jul 26 16:31:14 UTC 2004


>Number:         69623
>Category:       ports
>Synopsis:       [NEW PORT] www/mod_dosevasive20: An Apache 2 module to try to protect HTTP DoS or DDoS attacks
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 26 16:30:23 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Xavier Beaudouin
>Release:        FreeBSD 5.2.1-RELEASE-p8 i386
>Organization:
The Caudium Group / Association Kazar
>Environment:
System: FreeBSD plonk.home.oav.net 5.2.1-RELEASE-p8 FreeBSD 5.2.1-RELEASE-p8 #0: Sun May 30 22:14:12 CEST 2004
>Description:
mod_dosevasive is an evasive maneuvers module for Apache to provide evasive 
action in the event of an HTTP DoS or DDoS attack or brute force attack.
It is also designed to be a detection and network management tool, and can be
easily configured to talk to ipchains, firewalls, routers, and etcetera.
mod_dosevasive presently reports abuses via email and syslog facilities.

Detection is performed by creating an internal dynamic hash table of IP
Addresses and URIs, and denying any single IP address from any of the
following:

    * Requesting the same page more than a few times per second
    * Making more than 50 concurrent requests on the same child per second
    * Making any requests while temporarily blacklisted (on a blocking list) 

This method has worked well in both single-server script attacks as well as
distributed attacks, but just like other evasive tools, is only as useful to
the point of bandwidth and processor consumption (e.g. the amount of bandwidth
and processor required to receive/process/respond to invalid requests), which
is why it's a good idea to integrate this with your firewalls and routers for
maximum protection.

This module instantiates for each listener individually, and therefore has a
built-in cleanup mechanism and scaling capabilities. Because of this per-child
design, legitimate requests are never compromised (even from proxies and NAT
addresses) but only scripted attacks. Even a user repeatedly clicking on
'reload' should not be affected unless they do it maliciously. mod_dosevasive
is fully tweakable through the Apache configuration file, easy to incorporate
into your web server, and easy to use. 

WWW: http://www.nuclearelephant.com/projects/dosevasive/

Generated with FreeBSD Port Tools 0.50
>How-To-Repeat:
>Fix:

--- mod_dosevasive20-1.9.shar begins here ---
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	mod_dosevasive20
#	mod_dosevasive20/Makefile
#	mod_dosevasive20/distinfo
#	mod_dosevasive20/pkg-descr
#
echo c - mod_dosevasive20
mkdir -p mod_dosevasive20 > /dev/null 2>&1
echo x - mod_dosevasive20/Makefile
sed 's/^X//' >mod_dosevasive20/Makefile << 'END-of-mod_dosevasive20/Makefile'
X# New ports collection makefile for:	mod_dosevasive20
X# Date created:				26 Jul 2004
X# Whom:					Xavier Beaudouin <kiwi at oav.net>
X#
X# $FreeBSD$
X#
X
XPORTNAME=	mod_dosevasive20
XPORTVERSION=	1.9
XCATEGORIES=	www security
XMASTER_SITES=	http://www.nuclearelephant.com/projects/dosevasive/
XDISTNAME=	mod_dosevasive.${PORTVERSION}
XDIST_SUBDIR=	apache2
X
XMAINTAINER=	kiwi at oav.net
XCOMMENT=	An Apache 2 module to try to protect HTTP DoS or DDoS attacks
X
XWANT_APACHE=	2
XAP_FAST_BUILD=	YES
XAP_GENPLIST=	YES
XWRKSRC=		${WRKDIR}/mod_dosevasive
X
XPORTDOCS=	LICENSE README test.pl
X
X.include <bsd.port.pre.mk>
X.include "${PORTSDIR}/www/apache2/Makefile.modules.3rd"
X
Xpost-install:
X.if !defined (NOPORTDOCS)
X	@${MKDIR} ${DOCSDIR}
X.   for f in ${PORTDOCS}
X	@${INSTALL_DATA} ${WRKSRC}/${f} ${DOCSDIR}
X.   endfor
X.endif
X
X.include <bsd.port.post.mk>
END-of-mod_dosevasive20/Makefile
echo x - mod_dosevasive20/distinfo
sed 's/^X//' >mod_dosevasive20/distinfo << 'END-of-mod_dosevasive20/distinfo'
XMD5 (apache2/mod_dosevasive.1.9.tar.gz) = 994333fa0ea901ae035919ce869332b0
XSIZE (apache2/mod_dosevasive.1.9.tar.gz) = 23850
END-of-mod_dosevasive20/distinfo
echo x - mod_dosevasive20/pkg-descr
sed 's/^X//' >mod_dosevasive20/pkg-descr << 'END-of-mod_dosevasive20/pkg-descr'
Xmod_dosevasive is an evasive maneuvers module for Apache to provide evasive 
Xaction in the event of an HTTP DoS or DDoS attack or brute force attack.
XIt is also designed to be a detection and network management tool, and can be
Xeasily configured to talk to ipchains, firewalls, routers, and etcetera.
Xmod_dosevasive presently reports abuses via email and syslog facilities.
X
XDetection is performed by creating an internal dynamic hash table of IP
XAddresses and URIs, and denying any single IP address from any of the
Xfollowing:
X
X    * Requesting the same page more than a few times per second
X    * Making more than 50 concurrent requests on the same child per second
X    * Making any requests while temporarily blacklisted (on a blocking list) 
X
XThis method has worked well in both single-server script attacks as well as
Xdistributed attacks, but just like other evasive tools, is only as useful to
Xthe point of bandwidth and processor consumption (e.g. the amount of bandwidth
Xand processor required to receive/process/respond to invalid requests), which
Xis why it's a good idea to integrate this with your firewalls and routers for
Xmaximum protection.
X
XThis module instantiates for each listener individually, and therefore has a
Xbuilt-in cleanup mechanism and scaling capabilities. Because of this per-child
Xdesign, legitimate requests are never compromised (even from proxies and NAT
Xaddresses) but only scripted attacks. Even a user repeatedly clicking on
X'reload' should not be affected unless they do it maliciously. mod_dosevasive
Xis fully tweakable through the Apache configuration file, easy to incorporate
Xinto your web server, and easy to use. 
X
XWWW: http://www.nuclearelephant.com/projects/dosevasive/
END-of-mod_dosevasive20/pkg-descr
exit
--- mod_dosevasive20-1.9.shar ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
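
The three detection rules in the description above, modelled as an added Python example (not part of the PR and not mod_dosevasive's own code). PAGE_LIMIT and BLOCK_FOR are assumed values, since the description only says "a few times per second" and "temporarily"; the class and function names and the sample traffic are constructed for illustration.

```python
# Added illustration of the three rules in the port description; not mod_dosevasive code.
PAGE_LIMIT = 3      # assumed value for "a few times per second"
SITE_LIMIT = 50     # from the description: more than 50 requests per second
INTERVAL = 1.0      # counting window in seconds, from the description
BLOCK_FOR = 10.0    # assumed length of the temporary block, in seconds


class ChildTable:
    """Hash table of IP and IP+URI counters, one instance per server child."""

    def __init__(self):
        self.hits = {}     # (ip, uri) or (ip, None) -> (window_start, count)
        self.blocked = {}  # ip -> time at which the block expires

    def _bump(self, key, now):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= INTERVAL:  # window over: start counting again
            start, count = now, 0
        self.hits[key] = (start, count + 1)
        return count + 1

    def check(self, ip, uri, now):
        """Return 403 when the request is denied, 200 otherwise."""
        if self.blocked.get(ip, 0.0) > now:  # rule 3: still on the blocking list
            return 403
        page = self._bump((ip, uri), now)    # rule 1: same page
        site = self._bump((ip, None), now)   # rule 2: any page, same child
        if page > PAGE_LIMIT or site > SITE_LIMIT:
            self.blocked[ip] = now + BLOCK_FOR
            return 403
        return 200

    def cleanup(self, now):
        """Drop expired counters and blocks so the table stays bounded."""
        self.hits = {k: v for k, v in self.hits.items() if now - v[0] < INTERVAL}
        self.blocked = {ip: t for ip, t in self.blocked.items() if t > now}


def replay(requests):
    """Run constructed (time, ip, uri) tuples through one table; return statuses."""
    table = ChildTable()
    return [table.check(ip, uri, t) for t, ip, uri in requests]


# Constructed traffic: a script hammering one page, then several users behind
# one NAT address (203.0.113.7) each loading a different page in the same second.
SCRIPT = [(0.1 * i, "198.51.100.9", "/login") for i in range(6)]
NAT = [(0.1 * i, "203.0.113.7", f"/page{i}") for i in range(6)]
```

Replaying SCRIPT denies the fourth and later requests, while the NAT traffic passes because no single page or per-second total crosses a limit.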


