
BanOnFlooding function

Syree
3 January 2015, 19:15
Hello,

I was testing Hiawatha today and I don't know if it is a small bug or if it was a mistake from me. Or perhaps I have not understood the BanOnFlooding function.

Tested Hiawatha locally and with the following in the config file:
BanOnFlooding = 10/2:15 # Only for testing purposes


And first all worked and I got banned if I refreshed the website with 'F5' too often.
But then I used 'Ctrl' + 'F5' in the browser and I could refresh and refresh but I wasn't banned.

Here is my logfile:
# Refreshes with 'Ctrl' + 'F5'
127.0.0.1 - - [03/Jan/2015:19:01:45 +0100] "GET / HTTP/1.1" 200 1766
127.0.0.1 - - [03/Jan/2015:19:01:45 +0100] "GET /image.png HTTP/1.1" 200 3729
127.0.0.1 - - [03/Jan/2015:19:01:45 +0100] "GET /image1.png HTTP/1.1" 200 27685
127.0.0.1 - - [03/Jan/2015:19:01:45 +0100] "GET /image2.png HTTP/1.1" 200 8486
127.0.0.1 - - [03/Jan/2015:19:01:45 +0100] "GET / HTTP/1.1" 200 1766
127.0.0.1 - - [03/Jan/2015:19:01:45 +0100] "GET /image.png HTTP/1.1" 200 3729
127.0.0.1 - - [03/Jan/2015:19:01:45 +0100] "GET /image1.png HTTP/1.1" 200 27685
127.0.0.1 - - [03/Jan/2015:19:01:45 +0100] "GET /image2.png HTTP/1.1" 200 8486
127.0.0.1 - - [03/Jan/2015:19:01:45 +0100] "GET / HTTP/1.1" 200 1766
127.0.0.1 - - [03/Jan/2015:19:01:45 +0100] "GET /image.png HTTP/1.1" 200 3729
127.0.0.1 - - [03/Jan/2015:19:01:45 +0100] "GET /image1.png HTTP/1.1" 200 27685
127.0.0.1 - - [03/Jan/2015:19:01:45 +0100] "GET /image2.png HTTP/1.1" 200 8486
127.0.0.1 - - [03/Jan/2015:19:01:46 +0100] "GET / HTTP/1.1" 200 1766
127.0.0.1 - - [03/Jan/2015:19:01:46 +0100] "GET /image.png HTTP/1.1" 200 3729
127.0.0.1 - - [03/Jan/2015:19:01:46 +0100] "GET /image1.png HTTP/1.1" 200 27685
127.0.0.1 - - [03/Jan/2015:19:01:46 +0100] "GET /image2.png HTTP/1.1" 200 8486
127.0.0.1 - - [03/Jan/2015:19:01:46 +0100] "GET / HTTP/1.1" 200 1766
127.0.0.1 - - [03/Jan/2015:19:01:46 +0100] "GET /image.png HTTP/1.1" 200 3729
127.0.0.1 - - [03/Jan/2015:19:01:46 +0100] "GET /image1.png HTTP/1.1" 200 27685
127.0.0.1 - - [03/Jan/2015:19:01:46 +0100] "GET /image2.png HTTP/1.1" 200 8486

# Now I only used 'F5' again and I got banned
127.0.0.1 - - [03/Jan/2015:19:01:47 +0100] "GET / HTTP/1.1" 304 157
127.0.0.1 - - [03/Jan/2015:19:01:47 +0100] "GET /image.png HTTP/1.1" 304 179
127.0.0.1 - - [03/Jan/2015:19:01:47 +0100] "GET /image1.png HTTP/1.1" 304 179
127.0.0.1 - - [03/Jan/2015:19:01:47 +0100] "GET /image2.png HTTP/1.1" 304 179
127.0.0.1 - - [03/Jan/2015:19:01:47 +0100] "GET / HTTP/1.1" 304 157
127.0.0.1 - - [03/Jan/2015:19:01:47 +0100] "GET /image.png HTTP/1.1" 304 179
127.0.0.1 - - [03/Jan/2015:19:01:47 +0100] "GET /image1.png HTTP/1.1" 304 179
127.0.0.1 - - [03/Jan/2015:19:01:47 +0100] "GET /image2.png HTTP/1.1" 304 179


Sorry, if it was only a mistake from me.

Hiawatha version: 9.9
Operating System: Linux
Syree
3 January 2015, 19:37
Another thing with the same files (one .html-file and three images):

Have the following in the config file:
ConnectionsPerIP = 1
BanOnMaxPerIP = 20

=> I can push 'F5' as often as I want. I don't get banned.
=> If I push 'Ctrl' + 'F5' I get banned immediately.

By the way: what do the two numbers in the logfile after "GET ..." mean?

Hugo Leisink
4 January 2015, 11:12
Just tested it. It works fine. Remember that flooding only works within one and the same connection. If a client connects, sends a request, disconnects, connects, sends a request, disconnects, and so on, it's not seen as flooding. To limit the connect-disconnect flood, use a combination of ConnectionsPerIP and ReconnectDelay.

Pressing F5 makes the browser refresh the current page, allowing it to use its local cache. So, if the entire page is in the cache, the webserver is not consulted. Pressing Ctrl+F5 forces the browser to reload the page, ignoring its local cache.

The two numbers at the end of the line are the HTTP return code and the amount of bytes transmitted. The 304 HTTP code means "Not Modified", which is sent if the browser requests a certain page only if it's been modified since a certain timestamp. If it has not been modified, the server sends a 304 with no content, which means that the browser can safely use its local cache for that file. This is done to save bandwidth.
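The per-connection counting Hugo describes, and the log fields he explains, as an added example that is not part of the thread and not Hiawatha's own code: a small Python model that parses the thread's access-log lines, parses the manual's `<number>/<time>:<ban-time>` form, and replays constructed request events to show why a burst on one connection triggers a ban while the same requests over fresh connections do not. The sliding-window semantics and the connection ids are assumptions made for the illustration.

```python
import re
from collections import deque

# Access-log line as in the thread: the two trailing numbers are the HTTP
# status code and the number of bytes transmitted (Hugo's explanation).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')

def parse_log_line(line):
    """Return (ip, timestamp, request, status, bytes) for one log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    ip, ts, req, status, nbytes = m.groups()
    return ip, ts, req, int(status), int(nbytes)

def parse_ban_on_flooding(value):
    """Parse the manual's '<number>/<time>:<ban-time>' form, e.g. '10/2:15'."""
    m = re.fullmatch(r'(\d+)/(\d+):(\d+)', value.strip())
    if not m:
        raise ValueError("bad BanOnFlooding value: %r" % value)
    return tuple(int(x) for x in m.groups())

def flooding_bans(events, setting):
    """Model of BanOnFlooding over (conn_id, ip, t_seconds) request events.

    Assumption (not Hiawatha's code): requests are counted per connection
    with a sliding <time>-second window, and a ban starts for the IP as soon
    as one connection exceeds <number>. Returns [(ip, t)] per ban start.
    """
    number, window, ban_time = parse_ban_on_flooding(setting)
    recent, banned_until, bans = {}, {}, []
    for conn_id, ip, t in events:
        if banned_until.get(ip, -1.0) > t:
            continue                      # banned IP: request never served
        q = recent.setdefault(conn_id, deque())
        q.append(t)
        while q and t - q[0] >= window:   # drop requests outside the window
            q.popleft()
        if len(q) > number:
            bans.append((ip, t))
            banned_until[ip] = t + ban_time
            q.clear()
    return bans

def demo(setting="10/2:15"):
    """Constructed events: 12 requests 0.1 s apart, first all on one
    connection (a flood), then one per connection (connect/disconnect)."""
    one_conn = [("c1", "127.0.0.1", i / 10.0) for i in range(12)]
    reconnect = [("c%d" % i, "127.0.0.1", i / 10.0) for i in range(12)]
    return flooding_bans(one_conn, setting), flooding_bans(reconnect, setting)
```

With the thread's setting of 10/2:15, `demo()` reports one ban for the single-connection burst and none for the reconnecting client, which is the distinction behind the F5 / Ctrl+F5 confusion.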
Syree
4 January 2015, 12:39
Thank you very much for your answer, but to be honest, I don't really understand what you mean.

In the manual there is this sentence:
BanOnFlooding = <number>/<time>:<ban-time>
When a client sends more than <number> requests in <time> seconds, the IP will be banned for <ban-time> seconds.


And in the above logfile there are so many requests and I didn't get banned if I pressed 'Ctrl' + 'F5'. When I only used 'F5' I got banned. But why is there a difference here?
So, I don't know what you mean by flooding and 'one and the same connection'.

Regarding the transmitted bytes:
If the browser uses its own local cache why does the webserver transmit bytes?

I don't want to annoy you, but it's not really clear to me.
Syree
4 January 2015, 13:52
Sorry because of the double-post.

I also have problems with 'ReconnectDelay'. If I set this variable to '0' I get a syntax error - is this normal?

And the following:
In my test I have one index.html file with three images and these config settings:
ConnectionsPerIP = 4
ReconnectDelay = 1
BanOnMaxPerIP = 0
Well, if I load my small website the first time, everything works. Now I wait about 10 seconds and refresh with 'Ctrl' + 'F5'. And I get the 'Connection was reset' page from the browser. And in my system.log file there is this record:
127.0.0.1|Sun 04 Jan 2015 13:47:31 +0100|Maximum number of connections for IP address reached
But why? I thought 'ReconnectDelay = 1' is only valid for one second?
Hugo Leisink
4 January 2015, 15:46
A browser is not a good thing to test the flooding protection with, because it uses multiple (up to six) connections to load a page. Forget the F5 / Ctrl+F5 thing. Use the telnet command and send a request manually:
GET / HTTP/1.1
Host: <some hostname>


Copy paste this multiple times in your telnet session with the webserver. After more than X requests per Y seconds (depends on what you specified), your telnet sessions will be disconnected and you will be banned.

A value of 4 for ConnectionsPerIP is not a sane one. A browser uses up to six connections for requesting a single webpage, so with a value of 4 every client gets banned. It could be possible that multiple people request a webpage from your webserver, so you should think more of a value like 25 for this setting.

A 0 for ReconnectDelay doesn't change anything, because it's the default value. Although actually setting it to 0 is not sane, it should not generate an error. Will be fixed in the next release.
Syree
4 January 2015, 16:33
I see your point, but people use only a web browser to surf the internet. So it's not that easy.

1) How do I know how many connections and requests a web browser needs for my webpage? Say I have an index.html with three images. What does the browser do? One connection with four requests? Four connections with one request each? What if the webpage has 20 files (images, css files, ...)? That's important to know to create a sane config file.

2) If I set in my config-file 'TimeForRequest = 30, 45' I also get a syntax error. Can you reproduce this?
Hugo Leisink
4 January 2015, 18:46
My advice: forget the banning for now and set ConnectionsPerIP to 25. Use the Hiawatha Monitor to keep track of your webserver(s). Only if some stubborn DoS-er is bugging you, use Hiawatha's banning features. In such a situation, the Hiawatha Monitor shows you what is normal and what the effect of the DoS attack is on your server. That will give you enough information to find the right values for the banning settings.
Syree
4 January 2015, 19:37
For a better understanding:
If I have a webpage with many files in it (images, stylesheets, etc.) and in total they are more than 25,
then I also have to change 'ConnectionsPerIP', right?
Hugo Leisink
4 January 2015, 21:39
No, multiple files can be requested via one connection. It's just that several files can be requested simultaneously. Just remember that a browser uses up to six connections per website / webpage.
This topic has been closed.