Possible Duplicate:
DDoS attack, how to stop?

I'm running a private http server to power a private website. The IP of the server has gone public, that's fine. Nothing to hide anyway.

The problem is the server gets 3 to 8 attacks each day with more than 4000 connections each time. The server and the equipment are set up to handle max 600 connections at the same time. Therefore, the server jams. I have two options at that time:

  1. Grab the attacker's IP and add it to the Blocked list within the software-based firewall installed on the server; that kills the attack directly. But the attacks are coming from different IPs and therefore blocking one by one is demanding and not effective.

  2. Reboot the main router to stop the attacks for that moment, but it could begin at any time again.

My ISP can't do anything about this. What are my options?

Will placing a switch/router with some DDoS protection before the server make any impact and help the situation?

Johan Larsson
  • Actually, I think this topic is more relevant to security.stackexchange. There's a recent thread on [syn flooding protection there](http://security.stackexchange.com/questions/15368/syn-flooding-issue). – bangdang May 27 '12 at 05:34
  • Just an FYI. I had a similar issue with a new web server and it wasn't a DDoS attack as such. It was a poorly behaved searchbot that was making thousands of requests every hour. I blocked access from `180.76.5.` and all is well. – John Gardeniers May 27 '12 at 07:24

2 Answers

The numbers you are talking about here are well within the range of a single, badly behaved bot. The fact that you are hitting your Apache MaxChildren limit rather than memory, bandwidth or CPU limits and that they are making valid HTTP requests also leans in favour of the bad bot rather than a deliberate DDoS.

If it is a bot, there will probably be a small range or even a single IP address responsible. When it's going on, grepping through your log files can identify the IP addresses concerned:

tail -5000 access.log | cut -d' ' -f1 | sort | uniq -c | sort -n

Tune the number in the tail to match how busy your sites are.

For simultaneous connections, you can also look at netstat:

netstat -tan | grep ESTABLISHED | awk '$4 ~ /:80/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Grep through your access logs for any IP address identified by netstat and make sure it is not just an enthusiastic user or even your own office IP address.

Once you can tell the difference between someone deliberately trying to take your site down and someone just trying to crawl it as fast as possible, you can take steps to block it.

An example of this is the "Dig; Ext" bot. This bot is used for scraping email addresses from HTML pages. It has no pause between page requests and it runs multiple threads at a time (my guess is 10 based on my access logs). When it comes, it can put an extra 1000 requests per minute in my access logs. It conveniently adds the string "Dig; Ext" to its User-Agent, enabling us to block it easily. A 3 second page load with PHP can be dropped to a few hundred microseconds if Apache returns a 403 based on the User-Agent.

Since these are full TCP connections, the IPs can't be spoofed. Therefore, blocking on IP address should be effective. If the IP ranges are dynamic, ADSL or similar then dropping the packets at your firewall is appropriate. If they are server hosting ranges, it's possible that this is due to incompetence and not malice and it's nice to send back a 403 response as a hint that they might want to make their bot a little better behaved.

The mod_security OWASP core rule set has rules for the bot I mentioned above and many others, along with heuristics that match characteristics of many other bots but no real browsers, such as having no Accept: headers.

  • Attacks are coming from a person/group of people trying to take our service down as much as possible. Till now I have placed their IPs inside the Blocked Zone within the firewall, and it usually helps. Yesterday I managed to re-arrange our equipment so it looks like this: Modem --> ProSafe Firewall --> Router --> Switch --> Server. Before it looked like this: Modem --> Router --> ProSafe Firewall -->... and the router usually gave up; now the router stays up and works fine even if the attack connections are doubled. So instead of placing IPs manually inside the Blocked Zone, I need an automatic way... – Johan Larsson May 28 '12 at 23:38
  • Your description of the problem is right. I have mod_security installed, the ProSafe Firewall at the front, and a software firewall on the machine itself; still the high number of requests goes through and hits Apache. I know this is not what we usually use on our servers, but NetLimiter http://www.netlimiter.com has some nice features to limit traffic usage and max connections per PID. – Johan Larsson May 28 '12 at 23:48
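The answer above identifies offenders two ways: counting requests per source IP in the access log (the tail/cut/uniq one-liner) and matching a known scraper string such as "Dig; Ext" in the User-Agent. The following Python example is added here and is not part of the answer or the original post; the log lines are constructed samples in Apache combined format, and the per-minute threshold and the IP addresses are assumptions to be tuned to your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic): one scraper, one browser, one ordinary client.
SAMPLE_LOG = """\
203.0.113.10 - - [27/May/2012:05:30:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; Dig; Ext)"
203.0.113.10 - - [27/May/2012:05:30:01 +0000] "GET /about.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible; Dig; Ext)"
203.0.113.10 - - [27/May/2012:05:30:02 +0000] "GET /contact.php HTTP/1.1" 200 3072 "-" "Mozilla/4.0 (compatible; Dig; Ext)"
203.0.113.10 - - [27/May/2012:05:30:02 +0000] "GET /news.php HTTP/1.1" 200 6144 "-" "Mozilla/4.0 (compatible; Dig; Ext)"
198.51.100.7 - - [27/May/2012:05:30:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Firefox/12.0"
192.0.2.5 - - [27/May/2012:05:30:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/19.0"
"""

BAD_UA_MARKERS = ("Dig; Ext",)  # User-Agent substrings the answer says identify the scraper

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def requests_per_ip(log_text):
    """Same count as `cut -d' ' -f1 | sort | uniq -c` over the log."""
    return Counter(r["ip"] for r in map(parse_line, log_text.splitlines()) if r)

def flag_offenders(log_text, max_per_minute=3, bad_ua_markers=BAD_UA_MARKERS):
    """Map IP -> reasons: 'rate' if any one-minute bucket exceeds max_per_minute
    (an assumed threshold; tune it like the tail count), 'user-agent' on a known marker."""
    per_minute = defaultdict(Counter)
    reasons = defaultdict(set)
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None:
            continue
        per_minute[rec["ip"]][rec["ts"].replace(second=0)] += 1
        if any(marker in rec["ua"] for marker in bad_ua_markers):
            reasons[rec["ip"]].add("user-agent")
    for ip, buckets in per_minute.items():
        if max(buckets.values()) > max_per_minute:
            reasons[ip].add("rate")
    return dict(reasons)
```

Check every flagged IP against the log before acting on it, as the answer advises, since a busy office NAT or a legitimate crawler will trip a rate threshold just as easily as an abusive bot.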

Protecting against Distributed DoS is challenging, and theoretically impossible to stop. What I would recommend is to run a packet analyzer (like tcpdump) and try to understand the packets. 90% of the time attacker hosts share some similar packet flags that you can use for blocking the attack.
