Using mod_evasive for Blocking HTTP DoS Attacks

September 26, 2006

DOSSiteCount – This directive defines the total number of requests for any object by the same client on the same listener per site interval. Once the threshold has been exceeded, the IP address of the client will be added to the blocking list. Default value is 50.

DOSPageInterval – The interval for the page count threshold. Default value is 1 second.

DOSSiteInterval – The interval for the site count threshold. Default value is 1 second.

DOSSystemCommand – This directive defines the system command that will be executed whenever an IP address is added to the blacklist. This directive is used to call iptables or other tools.

To test your configuration, mod_evasive comes with a Perl script, test.pl, which sends 100 requests to the localhost server on port 80. For the purposes of this article, we will define DOSSystemCommand to block the attacking IP address using iptables:

DOSSystemCommand "/sbin/iptables -I INPUT -p tcp --dport 80 -s %s -j DROP"

The above command drops every connection on port 80 (HTTP) for a given IP address, which is denoted by %s and substituted by mod_evasive with the offending client's address. We execute the script on the attacking computer that has the IP

perl test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK

HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

Mod_evasive has blocked a DoS attack from and will use the DOSSystemCommand directive to add a new rule that drops HTTP traffic from that host. Running the following command on the server shows us the new rule:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere tcp dpt:http
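To make the counting rules behind these directives concrete, here is a small Python model of mod_evasive's per-client bookkeeping, replaying the test.pl pattern against it. This is an added example, not code from the article or from mod_evasive itself; it assumes the real module's DOSPageCount (default 2) and DOSBlockingPeriod (default 10 seconds) directives, which this excerpt does not list, and the client IP, timings and query strings are constructed.

```python
import time

class Evasive:
    """Simplified model of mod_evasive's per-client request counters (added example)."""

    def __init__(self, page_count=2, site_count=50, page_interval=1.0,
                 site_interval=1.0, blocking_period=10.0, system_command=None):
        self.page_count, self.site_count = page_count, site_count
        self.page_interval, self.site_interval = page_interval, site_interval
        self.blocking_period = blocking_period
        self.system_command = system_command      # DOSSystemCommand, %s = client IP
        self.page = {}       # (ip, uri) -> (window_start, hits)   DOSPageCount/DOSPageInterval
        self.site = {}       # ip -> (window_start, hits)          DOSSiteCount/DOSSiteInterval
        self.blocked = {}    # ip -> time the block expires
        self.commands = []   # rendered DOSSystemCommand strings (recorded, not executed)

    @staticmethod
    def _hit(table, key, interval, limit, now):
        start, hits = table.get(key, (now, 0))
        if now - start >= interval:            # interval elapsed: start a fresh window
            start, hits = now, 0
        hits += 1
        table[key] = (start, hits)
        return hits > limit                     # threshold exceeded -> caller blocks

    def request(self, ip, uri, now=None):
        """Return the HTTP status mod_evasive would hand back: 200 or 403."""
        now = time.time() if now is None else now
        if ip in self.blocked:
            if now < self.blocked[ip]:
                self.blocked[ip] = now + self.blocking_period   # timer restarts on every blocked hit
                return 403
            del self.blocked[ip]
        page_hit = self._hit(self.page, (ip, uri), self.page_interval, self.page_count, now)
        site_hit = self._hit(self.site, ip, self.site_interval, self.site_count, now)
        if page_hit or site_hit:
            self.blocked[ip] = now + self.blocking_period
            if self.system_command:
                self.commands.append(self.system_command.replace("%s", ip))
            return 403
        return 200

def simulate_test_pl(n=100, ip="192.0.2.10"):
    """Replay the test.pl pattern with constructed traffic: n back-to-back requests from one
    client, each with a different query string so the site-wide counter is the one that trips."""
    ev = Evasive(system_command="/sbin/iptables -I INPUT -p tcp --dport 80 -s %s -j DROP")
    codes = [ev.request(ip, "/?%d" % i, now=1000.0 + i * 0.001) for i in range(n)]
    return codes, ev.commands
```

With the defaults, the first 50 constructed requests get 200 and everything after that gets 403, and a single rendered iptables command carrying the client's IP is recorded, which is the sequence the test output above shows.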

This module is extremely effective at fending off small- to medium-sized DoS attacks. Its features keep an attack from wasting your bandwidth or exhausting your CPU by spawning dozens of CGI processes.
