Using mod_evasive for Blocking HTTP DoS Attacks

By | September 26, 2006

If you do business on the Web, you are, to some degree, vulnerable to Denials of Service attacks. If Apache server is part of your infrastructure, mod_evasive is an extremely effective third-party security module to mitigate the effects of DoS attacks.

Mod_evasive is an Apache security module whose purpose is to fend off request-based DOS attacks or brute force attacks. In addition to its capability to block HTTP DoS attacks, it provides an interface to send attacking IP address to another security application such as firewall, routes and other network management tools.

Mod_evasive detects attacks by creating an internal dynamic hash table of IP to URIs pairs based on the requests received. When a new request comes into Apache, mod_evasive will deny any IP address from any of the following:

1. The IP address of the client exists in the temporary black list of the hash table.

2. The client has requested the same page more than once within the timeframe defined in httpd.conf (DOSSiteInterval). The default timeframe is 1 second.

3. The client request number has gone above the threshold set for the entire site per the time interval specified.

If any of the above checks are true, the client denied access with the status code 403 – forbidden. The client will continue to be denied for the duration of the configured block period (default is 10 seconds).

The installation is done using Apache apxs script and is not complicated at all. The mod_evasive application comes with two different module versions for Apache: one for Apache 1.3 and one for Apache 2.0. The following command will install and active the module:

# tar –xzf mod_evasive-1.4.3.tar.gz; cd mod_evasive-1.4.3
# ./apxs –iac mod_evasive20.c
# apachectl restart

Once installed, it is loaded with its default settings, which allow you to work without the need to modify the Apache configuration file. While the default settings will work for most standard environments, you will want to tweak mod_evasive to work best for your environment. To change mod_evasive configuration, you should add the following directives to httpd.conf:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

Here are some of the important parameters you would like to change depending on your environment:

DOSHashTableSize – This directive defines the number of top-level nodes for each child process´s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server. Default value is 3097.

Leave a Reply