1

In the process of learning more about how to survive a simple DoS attack on my Apache server, I found a script to initiate an attack on my own server, and I noticed that Apache returns error code 403 after a few attempts (instead of returning 200).

I guess it is good that Apache does that, but I do not understand why it does that. Is there any configuration that dictates this behavior? I actually want to turn off this behavior completely if I can.

Please help me understand it!

Thank you.

TopQ
  • Can I ask what script you're using? Because it could just be requesting password protected pages with Apache. (403=forbidden, right?) – U4iK_HaZe Sep 13 '11 at 21:10
  • @U4iK_HaZe I am using the script from http://www.esrun.co.uk/blog/keep-alive-dos-script/ and I am not hitting a password protected page. Thank you. – TopQ Sep 13 '11 at 21:24
  • I'm checking it out now. Will post results when finished. – U4iK_HaZe Sep 13 '11 at 21:25
  • Go here: http://paste.u4ik.us/2133 and see my logs and the page you're supposed to get. Did you see all of the stuff I posted on that site? – U4iK_HaZe Sep 13 '11 at 21:44
  • Hi, yes, I see the Keep-Dead splash screen as well but it didn't crash my server... In my Apache log I can see the requests but they are all 403 instead of 200. – TopQ Sep 13 '11 at 22:07
  • Would you mind posting your httpd.conf file? (I mean, if it's not sensitive). If it's too large for this box you can use paste.u4ik.us and set an expiration on it if you wish. – U4iK_HaZe Sep 13 '11 at 22:24

1 Answer

1

It's not so much a DoS prevention mechanism as it is a DoS symptom. In this case, you're probably hitting Apache's configured MaxClients setting; all requests that surpass this limit get a 403 response. Check your error log to confirm.

You can't really turn this behavior off, but you could adjust the MaxClients and associated MPM settings to be so high as to make sure that your server will crumple under the load before it serves a 403.

Shane Madden
  • Error log shows "[Tue Sep 13 14:27:26 2011] [error] [client xxx.xx.xx.xx] client denied by server configuration: /xxxx/xxx/xxxx, referer: www.xxxxxx.com" – TopQ Sep 13 '11 at 21:28
  • @TopQ Then that's a different matter completely - that means that it's hitting a `Deny from` block in your Apache config. – Shane Madden Sep 13 '11 at 21:34
  • I thought so, too...but the first few attempts go through just fine...if Deny from was effective it should not have allowed any to go through right? Thank you. – TopQ Sep 13 '11 at 21:57
  • @TopQ Right - unless something changed about the config (in an htaccess file), then it's not going to respond to the same request in two different ways. But is it the same exact request? Can you confirm with your access logs? – Shane Madden Sep 13 '11 at 22:16
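
The access-log check suggested in the last comment, as an added example that is not part of the original thread: it groups log entries by client, request line, Referer and User-Agent, and reports any request that was answered with more than one status. The log lines are constructed, and the "combined" LogFormat is an assumption about how the server logs.

```python
import re
from collections import defaultdict

# Assumed Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges), not the poster's logs.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Sep/2011:14:27:20 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2011:14:27:22 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2011:14:27:26 -0700] "GET /index.html HTTP/1.1" 403 202 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2011:14:27:27 -0700] "GET /index.html HTTP/1.1" 403 202 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Sep/2011:14:28:00 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.21"
198.51.100.9 - - [13/Sep/2011:14:28:05 -0700] "GET /index.html HTTP/1.1" 403 202 "http://www.example.com/" "curl/7.21"
"""

def status_by_request(lines):
    """Group entries by everything the log records about the request."""
    seen = defaultdict(list)
    for line in lines:
        m = COMBINED.match(line)
        if m:  # lines in any other format are skipped
            key = (m["host"], m["request"], m["referer"], m["agent"])
            seen[key].append((m["time"], int(m["status"])))
    return seen

def mixed_status(seen):
    """Keep only requests that were answered with more than one status."""
    return {k: v for k, v in seen.items() if len({s for _, s in v}) > 1}

def first_change(history):
    """Return (time, old, new) for the first status change, else None."""
    for (_, prev), (when, cur) in zip(history, history[1:]):
        if cur != prev:
            return when, prev, cur
    return None

if __name__ == "__main__":
    for key, history in mixed_status(status_by_request(SAMPLE_LOG.splitlines())).items():
        print(key, "changed:", first_change(history))
```

In the sample, only the 203.0.113.7 request is reported, because it was logged identically and still went from 200 to 403; the 198.51.100.9 entries differ in Referer, so they are two different requests rather than one request answered two ways.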