.htaccess rules to stop DDoS POST flooding

Question

We're under a distributed denial of service attack from traffic that looks like this:

49.146.161.175 - - [11/Jul/2014:00:43:42 -0400] "POST / HTTP/1.1" 500 557 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
117.221.185.108 - - [11/Jul/2014:00:43:42 -0400] "POST / HTTP/1.1" 500 557 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
58.186.16.180 - - [11/Jul/2014:00:43:42 -0400] "POST / HTTP/1.1" 500 557 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

I've been able to reduce the impact by adding this to root folder .htaccess file

<Limit POST>
Deny from all
</Limit>

The problem of course is that prevents use of wp-login.php or anything in /wp-admin/

I'm wondering if there is a way to just deny POST requests to / or modify the above in such a way as to allow use of wp-login and anything in /wp-admin/

Thanks for any advice you can give.

Answer 1

Apache is really, really bad at filtering any kind of requests due to its design (by the time it can learn about the request and drop it or respond with an error, it already used a lot of resources and stuff). What I did and had a big success with was this:

1. Install mod_rpaf or similar in Apache and set it to accept proxy from localhost.

2. Install haproxy on some port like 8080, configure it in HTTP mode to proxy to Apache.

3. Put an ACL to drop POST requests to the URL or whatever you need to drop, acls are pretty powerful in haproxy.

4. Set haproxy to put the client IP in a header and configure mod_rpaf to get it from there.

5. Add a NAT rule to redirect the traffic from 80 to the haproxy port.

With haproxy 1.5 you can achieve the same for SSL sites too. I truly find haproxy really powerful for Layer 7 filtering like this. You could probably use nginx too but it is a bit slower, however, you have an advantage that you can use tools like naxsi for it and get a true web application firewall.