BSDZone - FreeBSD help, how-to guides, and articles.



Trying to avoid DoS attacks.
Apache - 19 Aug 06

Last week a website on one of my servers was the target of a DoS attack. I’m almost positive that the attack was not intended to be a DoS, but more likely an attempt to use a webmail application to relay spam.

The application was smart enough to make sure the user had a valid session before it would try to deliver any mail. The problem was that the application caused Apache to take most of the system resources while it was trying to check if the request came from a user with a valid session.
My solution (I hope) was to change the Apache configs and install a module designed to help with DoS attacks called mod_evasive.

My first step was to install mod_evasive. For some reason the version in the ports only supports Apache 2, which I don’t use, so I had to download it and compile it on my own.

# cd /usr/local/src

# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

# tar xvf mod_evasive_1.10.1.tar.gz

# cd mod_evasive

# apxs -iac mod_evasive.c

I added the following to /usr/local/etc/apache/httpd.conf

LoadModule evasive_module libexec/apache/mod_evasive.so
AddModule mod_evasive.c

<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 40
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify email@domain.com
</IfModule>

The documentation will explain what the configuration options actually do.
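
To see what these thresholds mean for a single client, here is a small model of the directive semantics as the mod_evasive README describes them. It is an added illustration, not code from mod_evasive or from the original post; the interval bookkeeping is an assumption of the model, and the client addresses and URIs are constructed.

```python
# Simplified model of mod_evasive's thresholds, not the module's own code.
# CFG holds the values from the httpd.conf block above.
CFG = {"DOSPageCount": 2, "DOSPageInterval": 1,
       "DOSSiteCount": 40, "DOSSiteInterval": 1,
       "DOSBlockingPeriod": 10}


def _over_limit(table, key, now, limit, interval):
    """Record one hit for key; return True if key was already at its limit.

    Model assumption: the interval is measured from the previous hit on the
    same key, and the counter restarts once that gap reaches the interval.
    """
    last, count = table.get(key, (None, 0))
    if last is not None and now - last >= interval:
        count = 0
    over = last is not None and now - last < interval and count >= limit
    table[key] = (now, count + 1)
    return over


def simulate(requests, cfg=CFG):
    """requests: (unix_second, client_ip, uri) tuples in arrival order."""
    hits, blocked_at, statuses = {}, {}, []
    for now, ip, uri in requests:
        since = blocked_at.get(ip)
        if since is not None and now - since < cfg["DOSBlockingPeriod"]:
            blocked_at[ip] = now  # a request while blocked restarts the timer
            statuses.append(403)
            continue
        page = _over_limit(hits, (ip, uri), now,
                           cfg["DOSPageCount"], cfg["DOSPageInterval"])
        site = _over_limit(hits, (ip, None), now,
                           cfg["DOSSiteCount"], cfg["DOSSiteInterval"])
        if page or site:
            blocked_at[ip] = now
        statuses.append(403 if page or site else 200)
    return statuses


# Constructed traffic: 192.0.2.10 hammers one URI and keeps retrying,
# 192.0.2.20 requests one page per second.
SAMPLE = ([(100, "192.0.2.10", "/mail/send")] * 5
          + [(t, "192.0.2.10", "/") for t in (105, 112, 125)]
          + [(130 + i, "192.0.2.20", "/index.html") for i in range(4)])

if __name__ == "__main__":
    for req, status in zip(SAMPLE, simulate(SAMPLE)):
        print(*req, status)
```

In this model the third hit on the same URI within a second gets the first 403, the retries at 105 and 112 keep extending the block, and the one-page-per-second client is never refused.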

Restart Apache
# /usr/local/etc/rc.d/apache.sh restart

Then run the test application that came with mod_evasive

# /usr/local/src/mod_evasive/test.pl

The first few connection requests should go through fine. You should then start to see the web server return 403s.

Hopefully this stops this type of attack from completely killing my server again.

If anybody knows anything else that can be done feel free to drop me a comment.

