
Someone is making many requests to a specific page on my site that has JS on it. Subsequently, it's driving the CPU load to 100+ if I don't restart Apache.

What I tried:
  • Reduced the KeepAlive timeout
  • Installed mod_evasive (doesn't seem to work due to MaxChildProcesses; basically it's installed and blacklisting IPs, but I can still hit refresh 20 times and it won't block anything)
  • Installed DDoS Deflate (useless, CSF is better)
  • Configured CSF to protect port 80 and ban IPs with more than 50 connections (many false positives, and it still doesn't prevent the CPU spike)
  • Installed limitipconn, only to find out it doesn't work at all with Apache 2
  • Enabled SYN cookies and reduced various TCP timeouts
  • Optimized the site to make it less prone to DDoS attacks

Nothing really works and they can still crash my server whenever they want.

Any ideas?

Thanks Oliver

Oliver
  • Oh, I am using the CSF firewall. If I add something like this would it even work? iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 200 -j DROP – Oliver May 11 '11 at 17:15
  • Have you tried turning keep-alive off? – Mark May 11 '11 at 17:31
  • Well keepalive is important for page speed so I really wouldn't want to turn it off. – Oliver May 11 '11 at 17:58
  • I doubt it will harm performance. A non-responsive server is worse. Else, try [Varnish](http://www.varnish-cache.org/). – Mark May 12 '11 at 15:03

1 Answer


I'm not entirely convinced that the JavaScript here is responsible for what you are seeing. JavaScript is handled entirely client side; there's nothing different to the server between serving JavaScript and serving plain text.

That being said, I have a few suggestions: 1) Ditch CSF entirely. It enables the iptables conntrack module, which can basically be used to DDoS your site. (Conntrack has a table storing info about any current connections. When that table fills up, your server stops accepting new connections.) Go with some plain iptables rules, and avoid state matching.

2) Put something better suited to handling attacks in front of Apache. Nginx and HAProxy are good choices here. These defeat entire classes of attacks, just by being there.

3) Figure out what's crashing your server. Is it incoming bandwidth? Maybe you have one page that's very resource intensive to serve (not Javascript, as I said before that doesn't matter to the server)? Is something consuming all the Apache workers? Without actually knowing the source of your issues, it's very tough to defend against them.

devicenull
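The answer's third point (find out who is hammering which page before trying to block it) and its first point (plain iptables rules without conntrack state matching) can be worked through together. The following is an added example, not code from the question, the answer, or any of the tools named on the page. It parses Apache access-log lines in the "combined" format (an assumption about the log format) to find the busiest client and the path it keeps requesting, and then prints a pair of iptables rules that throttle new connections to port 80. Two caveats the comment's proposed rule runs into: `-m state --state NEW` depends on conntrack, so the example matches new connections by the TCP SYN flag (`--syn`) instead, and the `recent` module's `--hitcount` cannot exceed the kernel module's `ip_pkt_list_tot` limit, which defaults to 20, so a `--hitcount 200` rule is rejected unless that parameter is raised. The interface name `eth0`, the list name `http`, the thresholds, and the log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Locate the client hammering a
# page in an Apache "combined" access log, then emit iptables rules that
# throttle new port-80 connections without conntrack state matching.

# Constructed sample log lines (not a real log); field 7 is the request path.
SAMPLE_LOG='203.0.113.7 - - [11/May/2011:17:10:01 +0000] "GET /heavy.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/May/2011:17:10:01 +0000] "GET /heavy.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [11/May/2011:17:10:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [11/May/2011:17:10:02 +0000] "GET /heavy.php?x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [11/May/2011:17:10:03 +0000] "GET /site.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [11/May/2011:17:10:03 +0000] "GET /heavy.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Read log lines on stdin; print "count ip path", busiest pair first.
# The query string is stripped so /heavy.php?x=1 counts as /heavy.php.
hits_per_client_path() {
    awk '{ split($7, u, "?"); n[$1 " " u[1]]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Read log lines on stdin; print only the single busiest client IP.
top_client() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' \
        | sort -rn | head -n 1 | awk '{ print $2 }'
}

# Print (not apply) two iptables rules for interface $1: drop a client that
# opens more than $2 new connections to port 80 within $3 seconds.
#   --syn      matches the first packet of a TCP handshake from the header
#              alone, so no conntrack entry is needed (unlike --state NEW).
#   -m recent  keeps its own small per-address table, separate from conntrack.
# Both rules use -I (insert at the top, where CSF-style rulesets would
# otherwise match first), so the --set rule is printed first and ends up
# BELOW the --update/DROP rule once both are applied. Note: $2 must not exceed
# xt_recent's ip_pkt_list_tot module parameter (default 20).
throttle_rules() {
    iface="$1"; hits="$2"; seconds="$3"
    printf 'iptables -I INPUT -p tcp --dport 80 -i %s --syn -m recent --name http --set\n' "$iface"
    printf 'iptables -I INPUT -p tcp --dport 80 -i %s --syn -m recent --name http --update --seconds %s --hitcount %s -j DROP\n' "$iface" "$seconds" "$hits"
}

# Stand-alone run: show who is hitting what, then the rules to review and
# run as root (hypothetical interface eth0, 20 new connections per 60 s).
printf '%s\n' "$SAMPLE_LOG" | hits_per_client_path
echo "busiest client: $(printf '%s\n' "$SAMPLE_LOG" | top_client)"
throttle_rules eth0 20 60
```

Run the log-analysis part against the real access log first (`hits_per_client_path < /var/log/apache2/access.log | head`): if one address dominates one path, the problem is a single client and a per-source rate limit will help; if the load comes from many addresses at normal rates, the page itself is expensive and the answer's point about fixing the resource-intensive page, or fronting Apache with Nginx or HAProxy, is the one that applies.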