[Koha-devel] [Koha] F5 Attacks

Chris Cormack chris at bigballofwax.co.nz
Fri Oct 28 10:27:40 CEST 2016


On 28 October 2016 at 20:52, Paul Poulain <paul.poulain at biblibre.com> wrote:
> comment/thought/question:
> this code will prevent any F5 by mistake, but an attacker who WANTS to F5
> will just have to prevent javascript from being executed and "problem fixed"
> [for him] ?

No one doing a legitimate attack is going to be using a browser.
They'll just fire up curl-loader or siege or any of the hundreds of
tools and hit the URL multiple times that way.

So trapping it for the mistake ones is a good start.

The rest really does boil down to sysadmin tasks. Even if we got Koha
to be the fastest thing in the world, you could still swamp it.
Tuning your apache server to only be able to answer to as many
requests as you can manage is the key.
Out of the box, it will do 150 concurrent, I doubt many people have
the RAM to handle 150 concurrent requests, tune that down to something
realistic.
That way an attack will still cause a DoS, but it won't OOM the
machine. So as soon as the requests stop, it will continue.

Chris
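The capacity tuning Chris describes, as an added example (not code from the Koha project or from this thread): a POSIX shell helper that derives an Apache 2.4 prefork MaxRequestWorkers cap from the RAM you can spare and the measured per-child footprint, then renders the mpm_prefork block to replace the out-of-the-box 150. The RAM and per-child figures used here are constructed samples; measure your own with `free` and `ps`.

```shell
#!/bin/sh
# Added example, not Koha project code. Sizes Apache prefork concurrency to
# the memory actually available so a request flood degrades service instead
# of driving the box into the OOM killer.

# max_workers TOTAL_MB RESERVED_MB CHILD_MB
#   TOTAL_MB    physical RAM on the host
#   RESERVED_MB what MySQL, Zebra/Elasticsearch and the OS need (constructed)
#   CHILD_MB    average RSS of one Apache child serving Koha (constructed)
# Prints the largest MaxRequestWorkers that still fits, never below 1.
max_workers() {
    total_mb=$1; reserved_mb=$2; child_mb=$3
    avail=$((total_mb - reserved_mb))
    if [ "$avail" -le 0 ] || [ "$child_mb" -le 0 ]; then
        echo 1
        return
    fi
    n=$((avail / child_mb))
    if [ "$n" -lt 1 ]; then
        n=1
    fi
    echo "$n"
}

# prefork_conf N -> prints an mpm_prefork block capped at N workers.
# ServerLimit must not be below MaxRequestWorkers or Apache silently clamps it.
prefork_conf() {
    n=$1
    spare=$((n / 4))
    if [ "$spare" -lt 1 ]; then
        spare=1
    fi
    cat <<EOF
<IfModule mpm_prefork_module>
    StartServers           ${spare}
    MinSpareServers        ${spare}
    MaxSpareServers        $((spare * 2))
    ServerLimit            ${n}
    MaxRequestWorkers      ${n}
    MaxConnectionsPerChild 1000
</IfModule>
EOF
}

# Constructed sample: 4 GB host, 1 GB reserved, 120 MB per Koha child -> 25
prefork_conf "$(max_workers 4096 1024 120)"
```

Drop the rendered block into the mpm_prefork configuration (on Debian, /etc/apache2/mods-available/mpm_prefork.conf) and reload Apache; excess requests then queue or fail at the listener rather than spawning children the host cannot back with RAM.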

