Mod_limitipconn

I have had a few clients with chronic security issues on their machines, and DoS attacks are by far the most common. They are easy enough for anyone of average (or below average, up for debate) intelligence to carry out: a few zombie machines and some basic software and all of a sudden you can take down a decently large web site.

There are a few caveats to mod_limitipconn, the biggest being sites with a very large number of images. A browser fetches the HTML first and then requests the page's images (and stylesheets and scripts) over several connections at once, and every one of those parallel connections counts against the per-IP limit. If the limit is lower than the number of connections a single page load opens, some of those requests are refused with a 503 and you get broken images. This is why you have to tune it. A second caveat: the module identifies a client by the address of the connection it sees, so behind a reverse proxy, load balancer or CDN all of your visitors may share the proxy's address and be limited together; check what address Apache records for a connection before turning it on in such a setup. There is no cPanel integration, so you are going to be doing this by hand. For those of you with other panels, your mileage may vary.

The first thing is installing it. This is a relatively simple process; be sure you have apxs installed (it comes with the Apache development package) so you can build the module. Download the software from http://dominia.org/djao/limitipconn2.html and install it using their commands. You can also probably get packages from a place like Dag Wieers' repository if that's your thing, and certain distros such as Debian also ship a ready-to-rock version. One requirement that is easy to miss: the module counts a client's connections by reading Apache's scoreboard, so mod_status must be loaded and ExtendedStatus On must be set, otherwise the client addresses are never recorded and the limit never triggers. After we get it installed, we need to go into httpd.conf and make some alterations.

MaxConnPerIP 10
NoIPLimit image/*

There are a few things to note here. NoIPLimit (and its counterpart OnlyIPLimit) take MIME type patterns, not directory names. image/* exempts every response whose type begins with image/, wherever the file lives on disk, whereas a directory-style pattern such as images/* matches no MIME type at all and exempts nothing. For the rest of your static content add the corresponding types the same way the OnlyIPLimit example below lists several types: text/css for stylesheets and application/javascript (application/x-javascript on older installs) for scripts; check the types your mime.types actually assigns with curl -I against a sample file. If you want different limits for different directories, put MaxConnPerIP inside a <Directory> or <Location> block rather than trying to express the directory in the pattern. The reason for exempting static content when using mod_limitipconn for hardening is that an attacker will usually not target an image. It can happen, but it is not as "profitable" as a DoS against a page: pulling an image does not pull in the rest of the content on the page (which is what drives up bandwidth), and static content is served far more efficiently than PHP or other server-side scripting, so it is far more robust. Keeping the limit on dynamic content also means the module cannot refuse the burst of parallel asset requests that a single legitimate page load generates.

You can also do other tricks, such as setting the connection limit per directory and per media type.


# local per-directory settings here
MaxConnPerIP 1
OnlyIPLimit audio/mpeg video

Put this inside a <Directory> or <Location> block for your media directory, after the main configuration above. Within that directory only responses whose MIME type is audio/mpeg or begins with video are held to one connection per IP; OnlyIPLimit restricts the limit to the listed types, so the directory listing, thumbnails and anything else in there are not limited at all. This can slow a leecher down significantly because they cannot pull everything at once.

Since we have the basics covered, a few words on tuning the configuration. The biggest thing you need to do is look at the sites you use this on. A site with mod_limitipconn can behave erratically if the initial setup is left untuned: random broken images and other content not showing up, because the browser's parallel requests are being refused with 503s. Two things matter when tuning: first, that as much static content as possible is set to very loose or no limitations; second, that you get the base connection limit as low as is sane. Around 5 is likely the most connections someone would "sanely" use loading a typical site, but bear in mind that current browsers open up to about six connections per host for a single page, and a visitor with two tabs open doubles that. If you have embedded pages (frames or iframes) in your site you will have to increase this number significantly, since each frame triggers its own burst of requests. Go slowly: raise the limit until the page loads completely, then add 10-20% to that amount. Keep an eye on the access log for 503 responses to addresses you know belong to real visitors, and if you get reports of broken content raise the number a little more to dial in the configuration.
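To see why the limit and the exemptions interact the way the configuration section and the tuning advice above describe, here is a model of the module's per-request decision replayed over a constructed page load and a constructed flood. It is an added example written for this page, not code from mod_limitipconn or its author. The rule it models (busy worker slots counted per client IP, 503 once MaxConnPerIP is reached, exemptions by response MIME type) follows the module's documented behaviour, but the pattern matching is approximated with fnmatch, a refused request is assumed to free its slot immediately, the PHP MIME label is what a typical mod_mime AddType setup assigns before the script runs, and all addresses, paths and timings are made up.

```python
"""Model of mod_limitipconn's per-request decision, replayed over constructed
traffic.  Added illustration, not the module's source.  The rule modelled:
a request is refused with 503 when its client IP already holds MaxConnPerIP
busy worker slots, unless the response MIME type is exempt (NoIPLimit) or
outside the limited set (OnlyIPLimit).  Assumptions: pattern matching is
approximated with fnmatch, a refused request frees its slot at once, and all
addresses, paths, MIME labels and timings below are made up.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class LimitConfig:
    max_conn_per_ip: int
    no_ip_limit: tuple = ()    # MIME patterns never subject to the limit
    only_ip_limit: tuple = ()  # if non-empty, only these patterns are limited

    def applies_to(self, mime: str) -> bool:
        """Whether the per-IP limit applies to a response of this MIME type."""
        if any(fnmatch(mime, pat) for pat in self.no_ip_limit):
            return False
        if self.only_ip_limit:
            return any(fnmatch(mime, pat) for pat in self.only_ip_limit)
        return True


@dataclass(frozen=True)
class Request:
    ip: str
    path: str
    mime: str     # type mod_mime assigns before the response is generated
    start: float  # seconds: worker slot taken
    end: float    # seconds: worker slot freed


def replay(cfg: LimitConfig, requests) -> dict:
    """Return {path: 200 or 503} for each request, processed in arrival order.

    Served requests hold a slot from start to end.  The module's count
    includes the request being checked, so "count > MaxConnPerIP" is the
    same as "slots already held >= MaxConnPerIP", which is what is tested.
    """
    held = {}      # ip -> end times of requests still occupying a slot
    statuses = {}
    for req in sorted(requests, key=lambda r: r.start):
        busy = [end for end in held.get(req.ip, []) if end > req.start]
        if cfg.applies_to(req.mime) and len(busy) >= cfg.max_conn_per_ip:
            statuses[req.path] = 503
        else:
            statuses[req.path] = 200
            busy.append(req.end)
        held[req.ip] = busy
    return statuses


def peak_concurrency(requests) -> dict:
    """Most requests one IP had open at the same instant, any MIME type.
    This is the floor for MaxConnPerIP if nothing is exempted."""
    peaks = {}
    for req in requests:
        open_now = sum(1 for o in requests
                       if o.ip == req.ip and o.start <= req.start < o.end)
        peaks[req.ip] = max(peaks.get(req.ip, 0), open_now)
    return peaks


def count_503(statuses: dict) -> int:
    return sum(1 for s in statuses.values() if s == 503)


def browser_page_load(ip: str = "198.51.100.7") -> list:
    """Constructed visitor: the page first, then its assets fetched in
    parallel (eight requests start together to make the effect visible)."""
    reqs = [Request(ip, "/index.php", "application/x-httpd-php", 0.00, 0.08)]
    assets = [(f"/images/photo{i}.png", "image/png") for i in range(6)]
    assets += [("/css/site.css", "text/css"),
               ("/js/app.js", "application/javascript")]
    reqs += [Request(ip, path, mime, 0.10, 0.50) for path, mime in assets]
    return reqs


def flood(ip: str = "203.0.113.9", n: int = 50) -> list:
    """Constructed DoS: one address opening n connections to the PHP page."""
    return [Request(ip, f"/index.php?{i}", "application/x-httpd-php", 0.0, 5.0)
            for i in range(n)]


# A directory name instead of a MIME type matches no response, so it exempts
# nothing; the other two configs exempt real MIME types.
WRONG = LimitConfig(3, no_ip_limit=("images/*",))
IMAGES_ONLY = LimitConfig(3, no_ip_limit=("image/*",))
STATIC_EXEMPT = LimitConfig(3, no_ip_limit=("image/*", "text/css",
                                            "application/javascript"))


if __name__ == "__main__":
    load = browser_page_load()
    for name, cfg in [("NoIPLimit images/*", WRONG),
                      ("NoIPLimit image/*", IMAGES_ONLY),
                      ("all static types exempt", STATIC_EXEMPT)]:
        n = count_503(replay(cfg, load))
        print(f"{name:24} refuses {n} of {len(load)} requests in one page load")
    print("peak connections per IP:", peak_concurrency(load))
    print("flood of 50 with static exempt: refused",
          count_503(replay(STATIC_EXEMPT, flood())))
```

Running it shows that the directory-style NoIPLimit images/* refuses five of the nine requests in one page load, that exempting image/* alone still refuses the stylesheet and the script because the six image fetches are holding the slots, and that exempting all three static types refuses nothing while the same MaxConnPerIP 3 still cuts a 50-connection flood from one address down to three served requests, without touching the visitor's requests because the count is per IP. The peak_concurrency figure (8 for this visitor) is what to compare against MaxConnPerIP if you decide not to exempt anything; on a live server the same figure can be derived from an access log written with %t and %D, which record each request's arrival time and duration.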

2 Responses

  1. Tyler Bishop May 27, 2010 / 2:14 pm

    Very nice write-up, Alex, it's a very good module.

  2. Amitav April 18, 2013 / 5:48 am

    Hi Alex, recently I installed and configured mod_limitipconn on our Apache web server, which works as a reverse proxy to a back-end Oracle WebLogic server.

    When opening pages it behaves very erratically: sometimes broken images come up, and many times the dropdown menus do not come up.

    There are a lot of CSS files located in multiple directories.

    So my initial setup was:

    MaxConnPerIP 1
    NoIPLimit image/*
    NoIPLimit images/*
    NoIPLimit images*/*

    As there were a lot of issues with .css files, I modified the configuration as below to accommodate all the .css files located in the multiple directories:

    MaxConnPerIP 1
    NoIPLimit image/*
    NoIPLimit images/*
    NoIPLimit images*/*
    NoIPLimit css/*
    NoIPLimit templates/*
    NoIPLimit ifoundation/*

    Can you please let me know whether the above configuration is correct, or do I need to define
    a NoIPLimit parameter for each directory having .css files?

    Please suggest.
