RFE: API for adding blocked IPs for a vhost/directory "from the side"

[ts77]

Hello folks,

I'm having my own DoS-protection build into my php-scripts.
Those are checking how many accesses to the php-pages are done by which ip and so on.
Once a user hits a given threshold his IP is added to a .htaccess-file and removed after a specified ban-time.

that results in the following:

2006-06-12 23:44:21.195 [INFO] [HTAccess] Configuration file [/home/xxx/forum_v51/.htaccess] changed.
2006-06-12 23:44:21.195 [INFO] [HTAccess] Updating configuration from [/home/xxx/forum_v51/.htaccess]
2006-06-12 23:44:52.026 [INFO] [HTAccess] Configuration file [/home/xxx/forum_v51/.htaccess] changed.
2006-06-12 23:44:52.026 [INFO] [HTAccess] Updating configuration from [/home/xxx/forum_v51/.htaccess]
2006-06-12 23:44:52.240 [INFO] [HTAccess] Configuration file [/home/xxx/www/forum_v2/.htaccess] changed.
2006-06-12 23:44:52.240 [INFO] [HTAccess] Updating configuration from [/home/xxx/www/forum_v2/.htaccess]
2006-06-12 23:45:17.682 [INFO] [HTAccess] Configuration file [/home/xxx/www/forum_v2/.htaccess] changed.
2006-06-12 23:45:17.682 [INFO] [HTAccess] Updating configuration from [/home/xxx/www/forum_v2/.htaccess]
2006-06-12 23:45:22.331 [INFO] [HTAccess] Configuration file [/home/xxx/forum_v51/.htaccess] changed.
2006-06-12 23:45:22.331 [INFO] [HTAccess] Updating configuration from [/home/xxx/forum_v51/.htaccess]
2006-06-12 23:45:53.306 [INFO] [HTAccess] Configuration file [/home/xxx/www/forum_v2/.htaccess] changed.
2006-06-12 23:45:53.306 [INFO] [HTAccess] Updating configuration from [/home/xxx/www/forum_v2/.htaccess]
2006-06-12 23:45:54.453 [INFO] [HTAccess] Configuration file [/home/xxx/forum_v51/.htaccess] changed.
2006-06-12 23:45:54.453 [INFO] [HTAccess] Updating configuration from [/home/xxx/forum_v51/.htaccess]
2006-06-12 23:46:19.040 [INFO] [HTAccess] Configuration file [/home/xxx/www/forum_v2/.htaccess] changed.
2006-06-12 23:46:19.040 [INFO] [HTAccess] Updating configuration from [/home/xxx/www/forum_v2/.htaccess]
2006-06-12 23:46:19.163 [INFO] [HTAccess] Configuration file [/home/xxx/forum_v51/.htaccess] changed.
2006-06-12 23:46:19.163 [INFO] [HTAccess] Updating configuration from [/home/xxx/forum_v51/.htaccess]
2006-06-12 23:46:49.224 [INFO] [HTAccess] Configuration file [/home/xxx/www/forum_v2/.htaccess] changed.
2006-06-12 23:46:49.224 [INFO] [HTAccess] Updating configuration from [/home/xxx/www/forum_v2/.htaccess]
2006-06-12 23:46:49.228 [INFO] [HTAccess] Configuration file [/home/xxx/forum_v51/.htaccess] changed.
2006-06-12 23:46:49.228 [INFO] [HTAccess] Updating configuration from [/home/xxx/forum_v51/.htaccess]
2006-06-12 23:47:19.554 [INFO] [HTAccess] Configuration file [/home/xxx/forum_v51/.htaccess] changed.
2006-06-12 23:47:19.554 [INFO] [HTAccess] Updating configuration from [/home/xxx/forum_v51/.htaccess]
2006-06-12 23:47:21.382 [INFO] [HTAccess] Configuration file [/home/xxx/www/forum_v2/.htaccess] changed.
2006-06-12 23:47:21.382 [INFO] [HTAccess] Updating configuration from [/home/xxx/www/forum_v2/.htaccess]

which I don't see as a perfomance-enhancement with all its reloading of the htaccess ;-).

Therefore I'd like to see a way to update the blocked ips for a vhost or directory through some api from an app.

 

[mistwang]

I think .htacess should serve this purpose well, should not be a performance hit itself.
Actually, I think it may not be a good idea to do DoS detection in an external application, as one instance may not know the big picture and hard to make it accurate. Our builtin DoS prevention feature is more effiicient and accurate.

 

[ts77]

Maybe your builtin dos-prevention is more efficient but I need to check more variables in the app which can't be done on the server-side, like which page was accessed how often and I don't need to take static files into account either.

 

[mistwang]

There is an option, "Dynamic Requests/second", for this kind of single point DoS attack, maybe it is not exactly what you have been doing in PHP, but should help.

 

[xing]

ts77, the best way is to drop packets via dynamic rules:

http://www-128.ibm.com/developerworks/library/l-fw/

With your customize security setup, the above would be the better way to stop traffic at a lower network layer. Otherwise, your blocked users are still wasting LiteSpeed's tcp connections.