September 15, 2010 by Ivan Kristianto
Prevent DDoS Attack With mod_evasive in Apache 2
Being hit by a DDoS attack is very annoying: at best it makes your server slow, at worst it takes it down. A DDoS (Distributed Denial of Service) attack floods the target server with requests from many sources so that it is too busy to serve legitimate users, or crashes outright. There are many variants, but the basic idea is the same: send a high volume of CPU-consuming requests until the server malfunctions or goes down.
You can reduce the impact of such an attack with mod_evasive for Apache 2. mod_evasive is an Apache module that takes evasive action when it detects an HTTP DoS or DDoS attack, or a brute-force attack, against the web server. It counts requests per client IP address; when a client exceeds the configured thresholds, mod_evasive answers its further requests with 403 Forbidden for a configurable period and reports the abuse via email and syslog. It can also run an external command for each blocked address (the DOSSystemCommand directive), so it can be wired to iptables, ipchains, firewalls, routers and so on to build a more comprehensive DoS defence for a busy web server.
To install mod_evasive:
1. Open your terminal or log in to your server remotely via ssh.
2. Download the mod_evasive module:
cd /opt/
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
3. Extract it:
tar -zxvf mod_evasive_1.10.1.tar.gz
cd mod_evasive
4. Compile and install the module. The tarball contains both mod_evasive.c (for Apache 1.3) and mod_evasive20.c (for Apache 2), so for Apache 2 build the latter. apxs -c compiles it, -i installs it and -a adds the LoadModule line to httpd.conf:
/usr/local/apache/bin/apxs -cia mod_evasive20.c
5. Open httpd.conf:
vim /usr/local/apache/conf/httpd.conf
# Add these lines
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 600
DOSLogDir "/var/log/httpd/"
DOSEmailNotify email@example.com
Save and exit the httpd.conf Apache configuration file.
6. Restart Apache (apachectl restart from the same install prefix) so that the module and the new directives are loaded.
mod_evasive has more directives than the ones used above; the ones in this configuration mean the following (descriptions follow the mod_evasive README):
DOSHashTableSize: Size of the hash table. The greater this setting, the more memory is required for the lookup table, but also the faster the lookups are processed. This option will automatically round up to the nearest prime number.
DOSPageCount: Number of requests for the same page (URI) within the DOSPageInterval interval that will get an IP address added to the blocking list.
DOSSiteCount: Same as DOSPageCount, but corresponds to the number of requests for the whole site from one IP address, and uses the DOSSiteInterval interval.
DOSPageInterval: Interval for the DOSPageCount threshold, in seconds.
DOSSiteInterval: Interval for the DOSSiteCount threshold, in seconds.
DOSBlockingPeriod: Blocking period in seconds if any of the thresholds are met. The client will receive a 403 (Forbidden) while blocked, and the timer is reset each time the site is hit by a client that is still blocked, so a client that keeps hammering stays blocked for as long as it continues.
DOSLogDir: Directory for the lock files that suppress repeated notifications about the same address. By default /tmp is used, which the README notes is a concern on systems with untrusted shell users; whatever directory you choose must be writable by the user Apache's child processes run as.
DOSEmailNotify: If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /tmp (or DOSLogDir, if set) prevents continuous emails from being sent.
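The installation steps and the directive descriptions above say what the thresholds are, but not how they interact. The following is an added example, not code from this post or from mod_evasive itself: a simplified Python model of the module's per-client accounting, using the same values as the httpd.conf snippet above and run over constructed request sequences. It assumes that a counter starts at 1 when an address is first seen, that the interval is measured from the previous hit, and that DOSWhitelist matches exact addresses only; the exact off-by-one behaviour of the C module may differ, and the real module keeps one table per Apache child process rather than one global table. The scenarios show why the page threshold is per URI (a page with many assets is not blocked), why a busy office behind one NAT address can trip DOSSiteCount, and how hits during the block extend it.

```python
"""Simplified model of mod_evasive's per-client thresholds.

Added illustration, not mod_evasive's own code. The request samples
below are constructed, not captured traffic.
"""
from dataclasses import dataclass


@dataclass
class EvasiveConfig:
    # Same names and values as the httpd.conf snippet above.
    page_count: int = 5          # DOSPageCount
    site_count: int = 100        # DOSSiteCount
    page_interval: int = 1       # DOSPageInterval, seconds
    site_interval: int = 1       # DOSSiteInterval, seconds
    blocking_period: int = 600   # DOSBlockingPeriod, seconds
    whitelist: tuple = ()        # DOSWhitelist (assumption: exact IPs only)


class EvasiveModel:
    """Per-(IP, URI) and per-IP hit counters, like the module's hash table.

    Assumptions: a counter starts at 1 when first seen, and the interval is
    measured from the previous hit, so a stream faster than the interval
    never lets the counter reset.
    """

    def __init__(self, cfg: EvasiveConfig):
        self.cfg = cfg
        self.blocked = {}   # ip -> time the block was last (re)armed
        self.hits = {}      # (ip, key) -> [last_hit_time, count]
        self.events = []    # (time, ip) per new block: what syslog/email would report

    def _over_limit(self, key, t, interval, limit):
        entry = self.hits.get(key)
        if entry is None:
            self.hits[key] = [t, 1]
            return False
        last, count = entry
        if t - last < interval and count >= limit:
            return True
        if t - last >= interval:
            count = 0          # quiet for a full interval: start counting again
        entry[0], entry[1] = t, count + 1
        return False

    def check(self, ip, uri, t):
        """Status the request gets: 200 (served) or 403 (evasive action)."""
        if ip in self.cfg.whitelist:
            return 200
        armed = self.blocked.get(ip)
        if armed is not None and t - armed < self.cfg.blocking_period:
            self.blocked[ip] = t   # each hit while blocked restarts the timer
            return 403
        c = self.cfg
        page = self._over_limit((ip, uri), t, c.page_interval, c.page_count)
        site = self._over_limit((ip, "_SITE"), t, c.site_interval, c.site_count)
        if page or site:
            self.blocked[ip] = t
            self.events.append((t, ip))
            return 403
        return 200


# Scenarios (constructed input; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges)

def flood_same_page(n=8, t=100):
    """One client hits the same URI n times within one second."""
    m = EvasiveModel(EvasiveConfig())
    return [m.check("198.51.100.7", "/index.html", t) for _ in range(n)]


def page_with_assets(n_assets=8, t=100):
    """One real page view: the HTML plus n_assets distinct stylesheets in one second."""
    m = EvasiveModel(EvasiveConfig())
    uris = ["/index.html"] + ["/static/style%d.css" % i for i in range(n_assets)]
    return [m.check("198.51.100.7", u, t) for u in uris]


def nat_office(users=30, assets=4, t=100):
    """Users behind one NAT address each load a 4-asset page in the same second.
    Returns how many of their requests get a 403 (here: everything past 100)."""
    m = EvasiveModel(EvasiveConfig())
    statuses = [m.check("203.0.113.10", "/u%d/asset%d.js" % (u, a), t)
                for u in range(users) for a in range(assets)]
    return statuses.count(403)


def blocking_timer(t0=100):
    """A blocked client that keeps probing stays blocked; the period restarts on each hit."""
    m = EvasiveModel(EvasiveConfig())
    ip = "198.51.100.7"
    for _ in range(6):
        m.check(ip, "/login", t0)          # 6th request trips DOSPageCount
    return (m.check(ip, "/", t0 + 599),    # inside the 600 s period: 403, timer restarts
            m.check(ip, "/", t0 + 1198),   # 599 s after the restart: still 403
            m.check(ip, "/", t0 + 1899))   # 701 s after that restart: expired, 200


def whitelisted_flood(n=8, t=100):
    """A DOSWhitelist entry (e.g. a monitoring host) is never counted."""
    m = EvasiveModel(EvasiveConfig(whitelist=("127.0.0.1",)))
    return [m.check("127.0.0.1", "/index.html", t) for _ in range(n)]


if __name__ == "__main__":
    print("flood, same page:  ", flood_same_page())
    print("page with 8 assets:", page_with_assets())
    print("NAT office, 403s:  ", nat_office())
    print("blocking timer:    ", blocking_timer())
    print("whitelisted flood: ", whitelisted_flood())
```

The NAT scenario is the one to keep in mind when choosing DOSSiteCount: with the values from this post, 30 people behind one corporate or mobile-carrier address loading an ordinary page at the same moment get the whole address blocked for ten minutes. Raise the site threshold, or whitelist addresses you know are shared, before turning this on for real traffic.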
PS: mod_evasive is not the only way to defend against DDoS attacks, and it is no guarantee that an attacker cannot take you down. A few things to keep in mind before relying on it: it keys everything on the client IP address, so many users behind one NAT or proxy address share one set of counters and can be blocked together, and if Apache sits behind a reverse proxy or CDN every request appears to come from the proxy's address; with the prefork MPM each Apache child keeps its own hit table, so a client's requests spread over several children are counted separately and the effective thresholds are higher than configured; and it only helps while Apache can still accept the connection, so it does nothing against attacks that saturate your bandwidth or exhaust connection slots. To verify the installation, the tarball ships a test.pl script that fires 100 rapid requests at 127.0.0.1: after the restart, the first few should come back 200 OK and the rest 403 Forbidden.