With the widespread infection of many computers with viruses, and the ever increasing number of Botnets, DoS and DDoS attacks can be quite frequent and can very easily bring a website to halt for days. This article provides a module solution for apache to help mitigate small http DoS and DDoS attacks.
Download the latest version of mod_dosevasive from: http://www.nuclearelephant.com/projects/dosevasive
The lastest version is 1.10 (http://www.nuclearelephant.com/projects/dosevasive/mod_dosevasive_1.10.tar.gz)
tar zxvf mod_dosevasive_1.10.tar.gz
Change into the directory:
Compile mod_dosevasive apache module (Apache 2):
/usr/local/apache/bin/apxs -i -a -c mod_dosevasive20.c
or the following for apache 1.3:
/usr/local/apache/bin/apxs -i -a -c mod_dosevasive.c
Replace /usr/local/apache with your path to apache.
Edit your httpd.conf (usually located in /usr/local/apache/conf/httpd.conf):
DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
- DOSHashTableSize: is the size of the table of URL and IP combined
- DOSPageCount: is the number of same page requests from the same IP during an interval that will cause that IP to be added to the block list.
- DOSSiteCount: is the number of pages requested of a site by the same IP during an interval which will cause the IP to be added to the block list.
- DOSPageInterval: is the interval that the hash table for IPs and URLs is erased (in seconds)
- DOSSiteInterval: is the intervale that the hash table of IPs is erased (in seconds)
- DOSBlockingPeriod: is the time the IP is blacked (in seconds)
- DOSEmailNotify: can be used to notify by sending an email everytime an IP is blocked
- DOSSystemCommand: is the command used to execute a command when an IP is blocked. It can be used to add a block the user from a firewall or router.
- DOSWhiteList: can be used to whitelist IPs such as 127.0.0.1
Although mod_dosevasive can be quite effective in some cases, in others it can cause more problems by blocking non-offending IPs.