I have IPFILTER installed on my FreeBSD 8.0 server. The docs for this firewall software are here: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
I'm trying to mitigate the possibility of a Slowloris HTTP DoS attack, where a single attacker opens a bunch of TCP connections to port 80 of my server, and lets these connections sit idle or close to idle. The Apache server reaches its MaxClients number and no additional connections can be made, denying normal users access to the website.
I want to try to limit the number of concurrent TCP connections from any given [fixed] IP address to port 80 of my server to 10 or so. I'm trying to do this with IPFILTER. So far I have found some HP-UX-specific information on how I might be able to do this: http://www.hpuxtips.es/?q=node/224 and http://docs.hp.com/en/B9901-90042/ch05s01.html
Is this sort of thing possible with IPFILTER on FreeBSD 8.0? If not, would it be possible with OpenBSD's PF? Also, is doing this sort of thing on the firewall a good idea? Would it maybe expose some other vulnerability because of the extra resources needed on the firewall to keep track of stateful information?
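As an added example that is not part of the original post, here is how the per-source limit asked about could be expressed in PF, which FreeBSD 8.0 also ships alongside IPFILTER; it assumes the external interface is `em0` and that Apache listens on TCP port 80 of that interface.

```pf
# Added example (not from the question): per-source HTTP connection limits in pf.conf.
# Assumptions: external interface em0, Apache on TCP port 80. Adjust to taste.
ext_if = "em0"

# Bound the state and source-tracking tables so the limiter itself
# cannot exhaust kernel memory (the resource concern raised in the question).
set limit { states 20000, src-nodes 10000 }

# Addresses that exceed the limits are added here; it persists across reloads.
table <http_abusers> persist

# Drop everything from hosts already listed as abusers.
block in quick on $ext_if from <http_abusers>

# Allow HTTP, but track state per source address:
#   max-src-conn 10        at most 10 simultaneous established TCP connections per source
#   max-src-conn-rate 20/5 at most 20 new connections per 5 seconds per source
#   overload ... flush global
#                          move offenders into the table and kill all of their states
pass in quick on $ext_if proto tcp to ($ext_if) port 80 flags S/SA keep state \
    (source-track rule, max-src-conn 10, max-src-conn-rate 20/5, \
     overload <http_abusers> flush global)

# Check syntax before loading:   pfctl -nf /etc/pf.conf
# Inspect who got caught:        pfctl -t http_abusers -T show
# Age entries out (e.g. cron):   pfctl -t http_abusers -T expire 3600
```

`max-src-conn` counts connections that have completed the three-way handshake, so it does cap what one Slowloris source can hold open, but it does nothing against many sources each staying under the limit; Apache-side request timeouts remain the complementary control.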