Security UPDATE--Evading DoS Attacks Against Apache--February 14, 2007





IN FOCUS: Evading DoS Attacks Against Apache


- DNS Root Servers Fell Under Brief Attack

- Skype Teams with Symantec and FaceTime to Offer Security Tools

- New Direction, Product for Check Point

- Recent Security Vulnerabilities


- Security Matters Blog: Root Access Through a User-Installed MySQL Back Door

- FAQ: Managing Group Policy for Vista

- Share Your Security Tips


- Data Auditing Solution Adds Content Scanning

- Wanted: Your Reviews of Products







=== IN FOCUS: Evading DoS Attacks Against Apache


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I began working with mod_evasive, a Web-based security tool that helps defend Apache HTTP Server against Denial of Service (DoS) attacks. Mod_evasive is a typical loadable module that looks for particular behavior and then blocks it.

Mod_evasive is similar to Suhosin, which I wrote about back in December (at the URL below). You might remember that Suhosin is a patch for the PHP scripting engine that makes it far more secure. It helps detect and prevent all sorts of potentially bad Web-based content from reaching your systems and network beyond the PHP engine.

Mod_evasive keeps track of IP addresses that send URL requests to your Apache server, then gauges whether the request rates from any given IP address exceed your acceptable predefined limits. If the limits are exceeded, then the IP address is temporarily blocked from making any more requests.

Like many other Apache modules, mod_evasive allows the administrator to set various parameters that control module behavior. For example, you can set the maximum number of pages that one IP address can request from your entire site (DOSSiteCount) within a specified time period (DOSPageInterval), the maximum number of page reloads one IP address can request (DOSPageCount) within a specified time period (DOSPageInterval), and the period of time to block the requesting IP address if it exceeds the limits (DOSBlockingPeriod).

To help clarify, here's an example. If you set DOSSiteCount to 100, DOSPageCount to 3, DOSPageInterval to 2, and DOSBlockingPeriod to 10, then mod_evasive will work like this: If an IP address requests more than 100 different pages or reloads the same page more than three times in two seconds, that IP address will be blocked for 10 seconds.

There are a few other parameters you can configure too. You can set the size of the hash table mod_evasive uses to track IP addresses. The larger the hash table, the more IP addresses it can keep track of. You can also define an email address that will receive a short notice any time an IP address is blocked. And you can set a logging directory that records the IP addresses about which you've received email messages. Mod_evasive uses the log to keep from sending you numerous messages about the same IP address.

Overall, mod_evasive seems like a reasonable addition to Apache. It will in fact help fend off some intruders. However, if you aren't careful about the settings, it might block relatively innocent users whose browsers or proxy servers perform aggressive preloading of Web pages--typically used to enhance the browsing experience and speed up overall browsing. So be careful configuring the settings and be sure to monitor the email mod_evasive sends (if you use that feature) to determine whether you've configured it to be too restrictive.
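To check candidate settings before deploying them, you can replay request timestamps against the thresholds and see which clients would be denied. The sketch below is an added example, not mod_evasive's own code: it is a simplified fixed-window model, the function names, sample IP addresses, and timings are constructed, and it uses a separate site_interval parameter because the module provides a DOSSiteInterval directive for the site-wide count.

```python
from collections import defaultdict

# Constructed sample: (seconds, client IP, URI). Not real traffic.
SAMPLE = (
    # Ordinary reader: one page per second.
    [(float(t), "192.0.2.10", f"/page{t}.html") for t in range(5)]
    # Shared proxy: five users fetch the same page within one second,
    # then the same IP returns at t=5 and t=12.
    + [(t, "198.51.100.7", "/index.html")
       for t in (0.0, 0.2, 0.4, 0.6, 0.8, 5.0, 12.0)]
)

def _over_limit(table, key, ts, interval, limit):
    """Count a hit in a fixed window; True once hits exceed the limit."""
    start, hits = table.get(key, (ts, 0))
    if ts - start >= interval:          # window expired, start a new one
        start, hits = ts, 0
    table[key] = (start, hits + 1)
    return hits + 1 > limit

def replay(requests, page_count=3, page_interval=2,
           site_count=100, site_interval=2, blocking_period=10):
    """Return {ip: denied request count} for the given thresholds."""
    page_win, site_win, blocked_until = {}, {}, {}
    denied = defaultdict(int)
    for ts, ip, uri in sorted(requests):
        if ts < blocked_until.get(ip, 0):       # still inside a block
            denied[ip] += 1
            continue
        page_hit = _over_limit(page_win, (ip, uri), ts,
                               page_interval, page_count)
        site_hit = _over_limit(site_win, ip, ts, site_interval, site_count)
        if page_hit or site_hit:
            blocked_until[ip] = ts + blocking_period
            denied[ip] += 1
    return dict(denied)

if __name__ == "__main__":
    print("article values:", replay(SAMPLE))
    print("DOSPageCount=10:", replay(SAMPLE, page_count=10))
```

With the article's example values the shared proxy is denied three requests while the ordinary reader is untouched; raising the per-page limit to 10 clears the false positive for this sample.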

Mod_evasive is available from the developer, Jonathan A. Zdziarski, in source code format (at the URL below), so you must compile it by using Apache's apxs tool (see the readme file for details). That typically isn't a problem for Linux administrators; however, it might present a problem for Windows users, who might not have apxs or other required tools.

You can get apxs for Windows at Apache Lounge, at the URL below, provided as a Perl script. Be aware that you'll need some Apache-related libraries to use it, so when you install Apache on Windows you need to choose the custom install and select "Build Headers and Libraries" as part of your installation. Make sure the libraries are located in the lib subdirectory of your Apache installation directory before using the apxs tool.

Or, to simplify matters, you can get a precompiled copy of mod_evasive for Windows, including source code, at the URL below.

Finally, keep in mind that while mod_evasive is effective at protecting Apache against DoS attacks, it's not a cure-all. Attackers could still saturate your bandwidth or overload your Web server's CPU. So keep that in mind and take other measures, if you can, to prevent those possibilities from becoming reality.




DNS Root Servers Fell Under Brief Attack

On February 6, some of the root DNS servers that provide the backbone for the Internet's global domain name system fell under attack.

Skype Teams with Symantec and FaceTime to Offer Security Tools

Skype will offer Symantec's Norton tools to its base of small business and home office users. FaceTime will work with Skype's business users to provide end-to-end security within the enterprise.

New Direction, Product for Check Point

Check Point Software Technologies is moving into the data security market and enhancing its core network security product line after its recent acquisitions of Protect Data (which owns Pointsec) and NFR Security.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at




SECURITY MATTERS BLOG: Root Access Through a User-Installed MySQL Back Door

by Mark Joseph Edwards,

Did you know that someone can gain root shell access (or system-level access in Windows) through quirks in the load_file feature of MySQL? Hopefully you've locked down your system to prevent that.

FAQ: Group Policy for Windows Vista

by John Savill,

Q: How can I manage Group Policy for Windows Vista machines?

Find the answer at


Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



by Renee Munshi, [email protected]

Data Auditing Solution Adds Content Scanning

Tizor Systems claims that its new 5.0 release of Mantra is the first data auditing and protection solution to feature content scanning capabilities, which let enterprises discover, monitor, and report on the activity of specific types of data (such as credit card and Social Security numbers) in databases and file systems and on mainframes. Other new functionality in Mantra 5.0 lets enterprises track all database changes and reconcile them with authorized change control tickets and better enforce segregation of duties through roles. Mantra 5.0 also offers enhanced support for Microsoft SQL Server, including NT LAN Manager (NTLM) authentication and named pipes support, and better network monitoring of Distributed Relational Database Architecture (DRDA) mainframes. Mantra 5.0 will be available first quarter 2007. For more information, go to

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.





Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).


Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
