mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, and so on.
Detection is performed by creating an internal dynamic hash table of IP addresses and URIs, and denying any single IP address from any of the following:
- Requesting the same page more than a few times per second
- Making more than 50 concurrent requests on the same child per second
- Making any requests while temporarily blacklisted (on a blocking list)
This method has worked well against both single-server script attacks and distributed attacks, but like other evasive tools it is only useful up to the limits of bandwidth and processor consumption (e.g. the amount of bandwidth and processor time required to receive, process and respond to invalid requests), which is why it's a good idea to integrate it with your firewalls and routers.
This module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this, legitimate requests are rarely affected, only genuine attacks. Even a user repeatedly clicking on 'reload' should not be affected unless they do it maliciously.
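
The three denial rules and the cleanup step described above, replayed over constructed traffic in Python. This is an added illustration, not mod_evasive's own code: the class and function names, the page limit of 2, the 10-second blocking period and the choice to extend a block on each denied request are assumptions, and only the site limit of 50 comes from the text.

```python
class EvasiveTable:
    """Per-process table keyed by IP and by (IP, URI), as described above."""

    def __init__(self, page_limit=2, site_limit=50, interval=1.0, block_for=10.0):
        # page_limit and block_for are assumed values; site_limit=50 is from the text.
        self.page_limit, self.site_limit = page_limit, site_limit
        self.interval, self.block_for = interval, block_for
        self.hits = {}      # ip or (ip, uri) -> [window_start, count]
        self.blocked = {}   # ip -> time of the last denied request

    def _over(self, key, now, limit):
        entry = self.hits.get(key)
        if entry is None or now - entry[0] >= self.interval:
            entry = self.hits[key] = [now, 0]   # start a new counting window
        entry[1] += 1
        return entry[1] > limit

    def check(self, ip, uri, now):
        """Return (allowed, reason) for one request at time `now` in seconds."""
        last = self.blocked.get(ip)
        if last is not None and now - last < self.block_for:
            self.blocked[ip] = now   # in this sketch, hits while blocked extend the block
            return False, "blocked"
        page = self._over((ip, uri), now, self.page_limit)
        site = self._over(ip, now, self.site_limit)
        if page or site:
            self.blocked[ip] = now
            return False, ("page" if page else "site")
        return True, "ok"

    def cleanup(self, now):
        """Drop expired entries so the table stays bounded."""
        self.hits = {k: e for k, e in self.hits.items() if now - e[0] < self.interval}
        self.blocked = {ip: t for ip, t in self.blocked.items() if now - t < self.block_for}

def replay(requests, table=None):
    """Feed (time, ip, uri) tuples through a table and collect the decisions."""
    table = table or EvasiveTable()
    return [(ip, uri) + table.check(ip, uri, t) for t, ip, uri in requests]

# Constructed sample traffic: (time in seconds, client IP, URI)
SAMPLE = [
    (0.0, "192.0.2.10", "/login"),
    (0.2, "192.0.2.10", "/login"),
    (0.4, "192.0.2.10", "/login"),    # third hit inside one second: over page_limit
    (0.5, "192.0.2.10", "/index"),    # any request while on the blocking list
    (0.5, "198.51.100.7", "/login"),  # a different client is unaffected
    (11.0, "192.0.2.10", "/index"),   # blocking period has elapsed
]
```

Because each table lives in one process, a client spread across several server children is counted separately in each, which is one reason the text recommends pairing the module with firewall or router rules.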