cutlass2006 has asked for the wisdom of the Perl Monks concerning the following question:

Ahoj monks,

The gods are always angry at my servers as we are under constant denial of service (DOS) ... it's mostly undirected, lightweight stuff, but it does spike.

I do have a sophisticated iptables setup and throttling in place; I seek enlightenment in analyzing the apache logs ... I have carried with me but the simplest of perl one-liners for many years and I am ashamed to say I have not updated my knowledge in this area and seek wisdom.

If anyone has any top tips (perl one-liners) or CPAN packages that help identify DOS attacks I would be very grateful?
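The quickest one-liner for the "who is hammering me" question is a request count per client IP over the whole log: `perl -lane '$c{$F[0]}++; END { printf "%7d %s\n", $c{$_}, $_ for sort { $c{$b} <=> $c{$a} } keys %c }' access_log`. Volume alone misses the spikes the question describes, though, so the script below (an added example, not code from the thread or from any CPAN module) parses Apache combined-format lines, counts requests per client in fixed 10-second windows, and reports clients whose busiest window exceeds a threshold. The sample log lines at the bottom are constructed and the IPs come from the documentation ranges; window size and threshold are assumed tunables.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): flag client IPs whose request
# rate in any fixed-size time window exceeds a threshold. Reads Apache
# combined-format lines from files named on the command line or from STDIN;
# with no input it runs over the constructed sample lines at the bottom.
use strict;
use warnings;
use Time::Local qw(timegm);

my %MON = (Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4,  Jun => 5,
           Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11);

# Parse one combined-format line; returns a hashref, or undef if it does not match.
sub parse_line {
    my ($line) = @_;
    return undef unless $line =~ m{^(\S+) \S+ \S+ \[(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\] "([^"]*)" (\d{3}) (\S+)};
    my ($ip, $d, $mon, $y, $H, $M, $S, $sign, $oh, $om, $req, $status) =
        ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12);
    return undef unless exists $MON{$mon};
    # The log carries local time plus an offset; subtracting the offset gives UTC.
    my $epoch = timegm($S, $M, $H, $d, $MON{$mon}, $y);
    my $off   = ($oh * 3600 + $om * 60) * ($sign eq '-' ? -1 : 1);
    return { ip => $ip, time => $epoch - $off, request => $req, status => $status };
}

# Count hits per IP per $window-second bucket. Returns a hashref keyed by IP
# for every client whose busiest bucket holds more than $threshold requests.
sub find_bursts {
    my ($lines, $window, $threshold) = @_;
    my (%bucket, %total, %errors);
    for my $line (@$lines) {
        my $e = parse_line($line) or next;        # skip unparseable lines
        my $slot = int($e->{time} / $window) * $window;
        $bucket{ $e->{ip} }{$slot}++;
        $total{ $e->{ip} }++;
        $errors{ $e->{ip} }++ if $e->{status} >= 400;
    }
    my %offenders;
    for my $ip (keys %bucket) {
        my ($peak_slot) = sort { $bucket{$ip}{$b} <=> $bucket{$ip}{$a} } keys %{ $bucket{$ip} };
        my $peak = $bucket{$ip}{$peak_slot};
        next unless $peak > $threshold;
        $offenders{$ip} = { peak => $peak, window_start => $peak_slot,
                            total => $total{$ip}, errors => $errors{$ip} || 0 };
    }
    return \%offenders;
}

# Constructed sample lines (not real traffic): one client sending two requests
# a second to a login page for twelve seconds, plus two ordinary visitors.
sub sample_lines {
    my @lines;
    for my $s (0 .. 11) {
        push @lines, (sprintf '203.0.113.7 - - [21/Mar/2008:17:35:%02d +0000] "GET /login HTTP/1.1" 403 512 "-" "curl/7.18"', $s) x 2;
    }
    push @lines,
        '198.51.100.4 - - [21/Mar/2008:17:34:58 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [21/Mar/2008:17:36:10 +0000] "GET /style.css HTTP/1.1" 200 1180 "-" "Mozilla/5.0"',
        '192.0.2.20 - - [21/Mar/2008:17:35:03 +0000] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
        'this line is deliberately malformed and must be skipped';
    return \@lines;
}

my $window    = 10;   # seconds per bucket (assumed tunable)
my $threshold = 10;   # requests per bucket before a client is reported (assumed tunable)

my @input = (@ARGV || !-t STDIN) ? <> : @{ sample_lines() };
chomp @input;

my $hits = find_bursts(\@input, $window, $threshold);
for my $ip (sort { $hits->{$b}{peak} <=> $hits->{$a}{peak} } keys %$hits) {
    my $h = $hits->{$ip};
    printf "%-16s peak %4d req/%ds starting %s UTC   total %5d   4xx/5xx %5d\n",
        $ip, $h->{peak}, $window, scalar gmtime($h->{window_start}), $h->{total}, $h->{errors};
}
```

Run it as `perl bursts.pl /var/log/apache2/access_log` or pipe a log through it; with no input it reports 203.0.113.7 with a peak of 20 requests in the 17:35:00 bucket and 24 errors. The 4xx/5xx column is there because a client whose burst consists almost entirely of errors (failed logins, missing pages) is a different animal from a legitimate crawler, and the per-bucket peak is what you would feed into an iptables rule or a block list rather than the lifetime total.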


Re: identifying DOS attacks on apache server
by CountZero (Bishop) on Mar 21, 2008 at 19:54 UTC
    I'm afraid a simple one-liner (or even a complicated one) will not solve your DOS problems.

    It does no good to find out (long) afterwards from checking the logs that your server was under a DOS-attack. You want to find out soonest possible and stop it right there!

    If you want to do that, you have to use mod_perl as this allows you access to all stages of the request-cycle. The main problem however is how to identify a DOS attack as soon as possible and unfortunately I cannot give you any guidance here.

    CPAN does not seem to have a handy module either, although things like Apache-BruteWatch or Apache::AuthChecker could be an inspiration.

    If you just want to work with the logs, have a look at Apache::ParseLog.

    CountZero

    "A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little nor too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James
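CountZero's point that mod_perl lets you act during the request rather than after reading the logs can be made concrete with a PerlAccessHandler. The module below is an added example, not CountZero's code and not any CPAN module: it keeps a per-client request count for the current time window and returns 403 once a client exceeds it. It assumes the mod_perl 2 API as used with httpd 2.2 (`$r->connection->remote_ip`; httpd 2.4 renamed that accessor to `client_ip`), and the window and limit values are assumed tunables.

```perl
package My::RateGuard;
# Added example (not from the thread): a mod_perl 2 access handler that refuses
# a client once it has made more than $MAX_HITS requests inside the current
# $WINDOW-second slot. Wire it up with:  PerlAccessHandler My::RateGuard
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::Connection ();
use Apache2::Log ();
use Apache2::Const -compile => qw(OK FORBIDDEN);

my $WINDOW   = 10;    # seconds per slot (assumed tunable)
my $MAX_HITS = 50;    # requests per slot per client before refusing (assumed tunable)

# Per-process state: $hits{ip} = [ slot_start, count ]. Under the prefork MPM
# each child keeps its own table, so the effective limit is roughly $MAX_HITS
# times the number of children; an exact global count needs a shared store
# (a DBM file, memcached, etc.).
my %hits;
my $requests_seen = 0;

# Client address as seen by httpd 2.2. On httpd 2.4 use
# $r->connection->client_ip (or $r->useragent_ip) instead.
sub client_ip {
    my $r = shift;
    return $r->connection->remote_ip;
}

# Pure bookkeeping, kept separate from the Apache API so it can be exercised
# from a plain perl test: returns true when $ip is over the limit at $now.
sub over_limit {
    my ($ip, $now) = @_;
    my $slot = int($now / $WINDOW) * $WINDOW;
    my $rec  = $hits{$ip} ||= [$slot, 0];
    @$rec = ($slot, 0) if $rec->[0] != $slot;   # a new slot started: reset the count

    # Every thousand requests, forget clients not seen in the previous slot,
    # so the table does not grow without bound during a scan of many sources.
    if (++$requests_seen % 1000 == 0) {
        delete $hits{$_} for grep { $hits{$_}[0] < $slot - $WINDOW } keys %hits;
    }
    return ++$rec->[1] > $MAX_HITS;
}

sub handler {
    my $r  = shift;
    my $ip = client_ip($r);
    if (over_limit($ip, time())) {
        $r->log_error("rate limit exceeded for $ip on " . $r->uri);
        return Apache2::Const::FORBIDDEN;
    }
    return Apache2::Const::OK;
}

1;
```

Attach it to the paths worth protecting, e.g. a `<Location /login>` block containing `PerlAccessHandler My::RateGuard`, rather than to the whole server, since static assets legitimately arrive in bursts. The log_error line is the detection side: grepping the error log for "rate limit exceeded" gives you the list of clients to hand to the iptables layer the question already has in place.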

Re: identifying DOS attacks on apache server
by dwm042 (Priest) on Mar 21, 2008 at 17:35 UTC
    This cool use might help you sort out your apache logs.