How to prevent the DoS attack?

1 What is a DoS attack?
2 How to Prevent from DoS attack?
- 2.1 How does the mod_evasive module work?
3 Steps to Installing mod_evasive Apache Utility
- 3.1 Step 1: Install mod_evasive
- 3.2 Step 2: Configure mod_evasive Options.
4 Test mod_evasive module
5 Parameters and Settings
6 Whitelisting IP addresses

What is a DoS attack?

In this attack, an enormous number of requests are sent to web-server in which case the server is unable to handle. The system eventually stops. During this attack, intended customers, employees cannot access the server. This can mean a loss of sales (for e-commerce sites) or even lead to a complete shutdown of your business.

This attack does not result in theft or loss of information, but it can cost a victim a lot of time and money to handle.

How to Prevent from DoS attack?

The mod_evasive module from the Apache web services modules helps your server stay running in such DoS or Brut force attack.

How does the mod_evasive module work?

This utility works by monitoring incoming server requests. Also, it watches suspicious requests like:

Multiple requests for the same page in one second.
More than 50-100 simultaneous requests per second
If the request is made while IP is temporarily blacklisted.

The module sends a 400 (Bad Request) error if any of these things happen. By default, this also includes a 10-second waiting period on the blacklist. If the IP address making the request tries to request again in that 10-second window, the waitlist is extended.

Steps to Installing mod_evasive Apache Utility

Step 1: Install mod_evasive

Ubuntu: sudo apt-get install libapache2-mod-evasive

CentOS / RedHat: sudo yum install mod_evasive

Step 2: Configure mod_evasive Options.

Open the configuration file.

Ubuntu: sudo vi /etc/apache2/mods-enabled/evasive.conf

CentOS / RedHat: sudo vi /etc/httpd/conf.d/mod_evasive.conf

Remove the comment sign (#) from each line, replace mail@yourdomain.com with the actual email address. Use an email that you check regularly – this is where the tool will send alerts.

At the end configuration file will look like below:

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
    DOSEmailNotify      admin@krishagni.com
    DOSSystemCommand   "su - someuser -c '/sbin/... %s ...'"
    DOSLogDir           "/var/log/mod_evasive"
</IfModule>

Save the file and exit. Reload the Apache service by entering the following:

Ubuntu: sudo systemctl reload apache2
CentOS / RedHat : sudo systemctl restart httpd.service

Test mod_evasive module

Use the following command to run testing the script:

Ubuntu: sudo perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
CentOS / RedHat: sudo perl /usr/share/doc/mod_evasive-1.10.1/test.pl

The output should appear as below:

HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
...
...

Parameters and Settings

DOSHashTableSize: The value here specifies the size of the table that tracks activities of users based on their past IP addresses visits. Increasing the size improves the speed at the cost of memory.

DOSPageCount: This is the threshold for the number of requests for the same page (or URI) per page interval. Once the limit for that interval has been exceeded, the IP address of the client will be added to the blocking list.

DOSSiteCount: The total number of requests can be made for the same site by the same IP address over the period of time specified by the DOSSiteInterval directive. By default, this is set to 50.

DOSPageInterval: Number of seconds for DOSPageCount. By default, this is set to 1 second. That means that if you don’t change it, requesting two pages in 1 second will temporarily blacklist an IP address.

DOSSiteInterval: Like DOSPageInterval, this specifies the number of seconds that DOSSiteCount monitors. By default, this is set to 1 second. That means that if a single IP address requests 50 resources on the same website in a single second, it will be temporarily blacklisted.

DOSBlockingPeriod: The amount of time an IP address stays on the blacklist. Set to 10 seconds by default, you can change this to any value you like. Increase this value to keep blocked IP addresses in time-out for a more extended period.

DOSLogDir: By default, this is set to write logs to /var/log/mod_evasive. These logs can be reviewed later to evaluate client behavior.

DOSSystemCommand: This command allows you to specify a system command to be run when an IP address is added to the blacklist. You can use this to launch a command to add an IP address to a firewall or IP filter.

DOSEmailNotify: If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted.

Whitelisting IP addresses

This option isn’t included in the evasive.conf file by default. Open the file for editing as before, then add the following line:

DOSWhitelist 192.168.0.13
DOSWhitelist 192.168.0.*

Substitute the IP address you want to whitelist. Also, you should list only one entry per line. This is typically used with a trusted client that exchanges a lot of data with your website.