1

Apache mod_evasive description:

When possible attacks are detected, mod_evasive will block the traffic from the source for a specific duration of time, while reporting abuse via email and syslog facilities. Or administrators can configure mod_evasive to talk to iptables, ipchains, firewalls, routers, etc. to build a comprehensive DDoS prevention system for a high-traffic, busy web server.

But for Lighttpd mod_evasive, I am still not clear about its function. The Lighttpd mod_evasive docs also do not give details about it.

I just need to protect against HTTP DoS or DDoS (Denial of Service) attacks.

Can Lighttpd mod_evasive block the traffic from the source for a specific duration of time?

2 Answers

2

The documentation for lighttpd's mod_evasive clearly states its purpose:

mod_evasive is a very simplistic module to limit connections per IP.

It is not really comparable to mod_evasive for Apache httpd since lighttpd's mod_evasive only limits the connection-count per IP address (client). Apache httpd's mod_evasive can do much more.

You could build something similar to Apache httpd's mod_evasive or mod_security with lighttpd's mod_magnet, though.

joschi
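A simplified model of the difference described in the answer above, added here as an illustration (it is not code from lighttpd, Apache httpd or either module): a per-IP concurrent-connection cap next to hit counting with a blocking period. The class names, thresholds and sample address are assumptions chosen for the example.

```python
from collections import defaultdict

class ConnCountLimit:
    """Per-IP cap on concurrent connections (the lighttpd-style behaviour)."""
    def __init__(self, max_conns_per_ip):
        self.max_conns = max_conns_per_ip
        self.open = defaultdict(int)          # ip -> currently open connections

    def connect(self, ip):
        if self.open[ip] >= self.max_conns:
            return False                      # refused, but nothing is remembered
        self.open[ip] += 1
        return True

    def close(self, ip):
        self.open[ip] = max(0, self.open[ip] - 1)

class TimedBlock:
    """Hit counting plus a blocking period (the behaviour quoted in the question)."""
    def __init__(self, max_hits, interval, block_period):
        self.max_hits, self.interval, self.block_period = max_hits, interval, block_period
        self.hits = defaultdict(list)         # ip -> request timestamps in the window
        self.blocked_until = {}               # ip -> time at which the block expires

    def request(self, ip, now):
        if self.blocked_until.get(ip, 0) > now:
            return False                      # source is still blocked
        window = [t for t in self.hits[ip] if now - t < self.interval] + [now]
        self.hits[ip] = window
        if len(window) > self.max_hits:       # threshold exceeded: start a block
            self.blocked_until[ip] = now + self.block_period
            self.hits[ip] = []
            return False
        return True

def demo():
    ip = "198.51.100.7"                       # constructed sample client address
    conn = ConnCountLimit(max_conns_per_ip=2)
    conn_results = []
    for _ in range(10):                       # 10 requests, each on its own short connection
        ok = conn.connect(ip)
        conn_results.append(ok)
        if ok:
            conn.close(ip)
    timed = TimedBlock(max_hits=5, interval=1.0, block_period=10.0)
    timed_results = [timed.request(ip, now=i * 0.1) for i in range(10)]
    later = timed.request(ip, now=5.0)        # inside the blocking period
    after = timed.request(ip, now=11.0)       # blocking period has expired
    return conn_results, timed_results, later, after
```

The connection cap only refuses connections while the limit is currently exceeded, whereas the timed model keeps refusing the source until its blocking period ends.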
-1

Using mod_evasive, or detecting user agents and replying with some 404 or whatever, will NOT avoid a DDoS attack. If you want to avoid your web server going down, you need to rate limit or filter connections in either the firewall or the router.

The reason is that all bogus connections to your web server will still need to be handled by one of your child processes (e.g. Apache forks), which makes the web server process create forks or threads until it cannot anymore and keeps the current ones busy replying 404 or whatever you configured it to.

Alex F
  • 1
    The second paragraph of your answer would imply that a simple 404 response from a web server takes the same amount of processing time / storage space as, let’s say, a PHP script. That’s simply not true. While you still need a separate firewall, rate limiting at the application layer is a good practice and should be done to dampen attacks. – Rafael Bugajewski Jan 06 '16 at 15:47