Apache DDOS Attack / Countermeasures

Hej Volks!


Today I was DDOSed for the very first time in my life :-/! It was a distributed attack (around 500 different IPs). They all requested the same page of my wordpress blog. My machine (FreeBSD 7.2 / Apache 2.2.14 / Intel PIII 600 MHz / 265 MB RAM / 100 MBit) thus collapsed and wasn't reachable for about two hours...

Now I did the following to tune my apache: (in the conf I added)

Code:
MaxClients 20
TimeOut 10
KeepAlive Off
AcceptFilter http httpready
AcceptFilter https dataready

Additionally, I blocked those 500 IPs through my firewall (pf) - which will not work for further attacks, as all those IPs were dynamic.

Now I wanted to ask if there is someone here at the FreeBSD Forums that might have gone through this already?! Which other countermeasures can you recommend? Is there any chance at all that I can keep this poor machine responding to usual requests by legit visitors? What apache modules are there? (I read something about mod_evasive, but I can't seem to find more info on the web about it, and the latest update seems to be from 2003.)

Any ideas are greatly appreciated!

Thanks,
Mo
 
You say that one page was accessed from 500 different IP addresses. Were these really distinct IP addresses or were there just 500 connections open at the same time?

If you really do have 500 distinct IP addresses bombarding your server, there probably isn't too much you can do unless you have a pretty beefy machine with a very fast internet connection.

But I did notice some things in your setup. "MaxClients 20" is extremely low. The default is 256.

Were these 500 clients bombarding you with repeatedly new TCP connections, or were these 500 connections just idling? I spent the past few days preparing my website for a Slowloris attack; you may want to read up on that. It's where many connections are made to the webserver but the connections don't send the request headers very quickly, or not at all. The connections tie up your MaxClients rather quickly, and the webserver is unable to process any legitimate incoming connections.

I recently added these PF rules to my firewall:

Code:
set optimization aggressive

ext_if = "em0"

# This will allow Slowloris attack from localhost, but that's OK.
pass in on $ext_if proto tcp from any to any port = http flags S/SA \
  synproxy state (source-track rule, max-src-conn 36, if-bound)

What this does is limit the number of concurrent TCP connections from one IP to 36 connections. Also, because the state for the connections sits in your firewall even during the FIN stages of a TCP connection, the above firewall rule limits the number of new TCP connections that can come in to port 80 to 36 every 60 seconds or so, from any given IP address.

With MaxClients being 20, the pf.conf rule above is pretty much useless. On the other hand if you raised your MaxClients to 256 and added the PF rule above, it would take about 8 distinct IP addresses to bring down your site.
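As an added example (not posted by anyone in this thread), the pf rule from the reply above extended with an overload table, so that sources exceeding the connection limits are added to a block list automatically instead of the static per-IP blocks the original poster had to add by hand. The interface name em0 is assumed from the reply; the limits 36 and 15/5 are illustrative.

```pf
# Added example, not from the thread: the reply's rule plus an overload table.
ext_if = "em0"            # assumption: same external interface as in the reply

set optimization aggressive

# Filled at runtime by the "overload" option below; persist keeps the table
# across rule reloads even while it is empty.
table <ddos> persist

# Drop anything already in the table before the pass rule is evaluated.
block in quick on $ext_if from <ddos> to any

# Limit each source IP to 36 concurrent connections and to 15 new connections
# per 5 seconds. A source exceeding either limit is added to <ddos>, and
# "flush global" kills the states it already holds, freeing Apache slots.
pass in on $ext_if proto tcp from any to any port { http, https } flags S/SA \
    synproxy state (source-track rule, max-src-conn 36, \
    max-src-conn-rate 15/5, overload <ddos> flush global)
```

Because the listed addresses are dynamic, the table should be aged out rather than kept forever, for example from cron with `pfctl -t ddos -T expire 3600`; `pfctl -t ddos -T show` lists what is currently blocked.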
 
If these attacks persist, you should maybe have a look at www/hiawatha -- a very small webserver that includes automatic ddos responses by blocking IPs as soon as they behave badly.
 