Knowledge Base

We would like to give credit to www.medialayer.com, elix, www.inetbase.com and Zaf. For the original thread, please go here: http://deflate.medialayer.com/

##### Update From Zaf #####
Version 0.6 released
Changes:
- whitelisting possible by adding ips in /usr/local/ddos/ignore.ip.list
- it uses this file to avoid banning the ip again (it was handling this differently and was a bit slower too)

Installation / Update Method:
It remains the same as last time (uninstall and reinstall the script), and you need to make changes to the conf to suit your preferences (The default values ban an ip with 150 connections (or more) for 600 seconds and run the script every minute)

Steps for installing/updating the script (ignore the first two steps if you are installing first time)
# wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
# sh uninstall.ddos
# wget http://www.inetbase.com/scripts/ddos/install.ddos
# sh install.ddos


Simply install this on your server and let it do its work. It is recommended to have APF installed wtih as well. You can view a complete how-to on setting up APF in the main Linux Security thread.

Note: Don't forget to start the script with the --cron flag so the cron is setup otherwise it won't run continously.

You can also try using modevasive. Here are the details:
 

With the widespread infection of many computers with viruses, and the ever increasing number of Botnets, DoS and DDoS attacks can be quite frequent and can very easily bring a website to halt for days. This article provides a module solution for apache to help mitigate small http DoS and DDoS attacks.

Download the latest version of mod_dosevasive from: http://www.nuclearelephant.com/projects/dosevasive

The lastest version is 1.10 (http://www.nuclearelephant.com/proje...ve_1.10.tar.gz)

Untar it:

tar zxvf mod_dosevasive_1.10.tar.gz

Change into the directory:

cd mod_dosevasive

Compile mod_dosevasive apache module (Apache 2):

/usr/local/apache/bin/apxs -i -a -c mod_dosevasive20.c

or the following for apache 1.3:

/usr/local/apache/bin/apxs -i -a -c mod_dosevasive.c

Replace /usr/local/apache with your path to apache.

Edit your httpd.conf (usually located in /usr/local/apache/conf/httpd.conf):
Add:

<IfModule mod_dosevasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify [email protected]
DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
</IfModule>

- DOSHashTableSize: is the size of the table of URL and IP combined
- DOSPageCount: is the number of same page requests from the same IP during an interval that will cause that IP to be added to the block list.
- DOSSiteCount: is the number of pages requested of a site by the same IP during an interval which will cause the IP to be added to the block list.
- DOSPageInterval: is the interval that the hash table for IPs and URLs is erased (in seconds)
- DOSSiteInterval: is the intervale that the hash table of IPs is erased (in seconds)
- DOSBlockingPeriod: is the time the IP is blacked (in seconds)
- DOSEmailNotify: can be used to notify by sending an email everytime an IP is blocked
- DOSSystemCommand: is the command used to execute a command when an IP is blocked. It can be used to add a block the user from a firewall or router.
- DOSWhiteList: can be used to whitelist IPs such as 127.0.0.1

Although mod_dosevasive can be quite effective in some cases, in others it can cause more problems by blocking non-offending IPs. It is suggested you take a look at hardware solution if you