This sounds like a serious issue and the links/hints I have seen in this thread do not seem to acknowledge this fact.
If it's a single IP address, then you can block it with the tool of your choice. That's obvious. But in a DDoS setting, your apache server is as dead as the parrot in Monthy Python. And what's worse: No logfile documenting the silent death. Just an impressive amount of connections in netstat. You can try to nail the attacking clients with mod_forensic, but it won't help you much. http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos is a nice list of hints for general use, but regarding the attack in question, it sounds like a collection of spare time activities while you watch your server die. Event mpm is fun, but it is of little use without ssl and ssl-sites are particulary affected by this sort of attack. AcceptFilter is very limited in scope. If you can fight an attacker, who is using slow requests as mentioned, then this shows a serious lack of fantasy on the side of the attacker. The same applies to LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, etc. Setting Timeout to a sane value helps a little, but even a timeout of one seconds will leave you as an easy prey. Besides upgrading to apache 2.2 seems a must, with the known timeout issues with cgi script timeouts and proxying. mod_evasive is regulary cited (Kew, Apache Modules Book, p. 110), when it is no use as it lacks communication between the processes/threads. Let alone between webservers. mod_cband looks dead, as mentioned here recently. It's no use anyways. In fact all these IP connection limiting attempts hardly work in the real world, where users share outgoing proxies and thus a single IP address. Regarding application level DDoS attacks, Mirkovic/Dietrich et. al, Internet DoS, p. 85, conclude : "... many defenses are not able to help you defend against this kind of attack." Kew, Apache modules, is more verbose, but the essence is more or less the same. You can try to work with guardian log in mod_security, but it is still very limited. But it's a start. Other strategies exist, but they are generally weak. Maybe there is an optimal set with a combination of these defenses, but I would not bet on it. One of the better defenses I have seen is to use blacklists and whitelists on a firewall in front of the webserver. Think of good ways to feed these lists (See mod_forensic above, but it's only a start and I think it's a bad one). You are a lucky sysadmin, if you are able to use GeoIP, because your clients/customers stem from a clear geographic region. Chances are you are not so lucky. Under the line: If you are facing this sort of attack, then you are in serious trouble and there is little apache can do for you. --------------------------------- Yahoo! Answers - Get better answers from someone who knows. Tryit now.
