
Sometimes I have DDoS attacks on my server. I'm trying to prevent this. I'm using Nginx to serve static content and as a reverse proxy, and Apache to serve PHP applications.

When the attack starts, I have a lot of IP addresses (e.g. 3000) that want to reach my page at the same time, but there is only one request per IP address every 4 - 5 seconds. But if there are a lot of attackers I still have 400 requests per second, just from different IPs. So I have a problem with blocking it, because the per-IP connection rate limit in Nginx doesn't work in this situation. I have about 100 websites on that server. During the attack, Nginx works OK, but Apache is completely dead: Nginx cannot connect to the upstream, not only for the attacked site but for all sites on the server. I have no problem with the attacked site not working during the attack, but I want the other sites to work without impact.

I don't need a solution that moves the attack away; I want a working server that is able to serve the other sites while one of them is being attacked.

Could you help me in some way? I'm thinking about using HAProxy in front of Nginx. I would add one backend for each site, with a concurrent connection limit of about 40 connections. Do you think it is a good idea? Or maybe you have other ideas on how to prevent this kind of attack?

felek
  • You tagged this with both "apache-2.2" and "apache-2.4". Please remove the tag that does not apply to the web server version in use. – Mark Stosberg Feb 11 '16 at 19:51

2 Answers


DDoS is never an easy problem to solve, but it sounds like the type of low-level attack you are experiencing would definitely be helped by the queuing facility in HAProxy, i.e. don't flood the Apache server with too many requests (maxconn).

You could also try to prioritise your existing customers using a cookie facility, like some busy sites do for Black Friday protection.


In Apache, look at lowering the value for MaxRequestWorkers (or MaxClients depending on your version of Apache). Once the value is low enough, Apache should not fall over, because it is limited to only respond to as many requests as it can handle. Additional requests will be queued (up to a limit, described in the linked docs).

For the overall problem, see "I am under DDoS. What can I do?".

Mark Stosberg
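As an added illustration of the two answers together (this is example configuration written for this page, not the asker's or the answerers' own config), the HAProxy fragment below does what the question proposes: one backend per hosted site, each with its own `maxconn 40` on its server line, so an attacked site can only ever hold 40 slots on the upstream while every other site keeps its own independent 40. Requests beyond the cap wait in that backend's queue and are dropped with a 503 after `timeout queue`, so the attacked site degrades without starving the others. The hostnames, the `127.0.0.1:8080` upstream address (Nginx or Apache, whichever sits behind the proxy in the asker's setup) and the backend names are placeholders. The link to the second answer is the sizing rule: the sum of all per-backend `maxconn` values should stay at or below Apache's MaxRequestWorkers (MaxClients on 2.2), so Apache is never asked for more workers than it has.

```haproxy
global
    maxconn 4000              # hard ceiling for the whole HAProxy process

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  60s
    timeout queue   10s       # a queued request waits at most 10s for a free slot, then gets a 503

frontend http_in
    bind *:80
    # one ACL per hosted site; hostnames are placeholders for the real sites
    acl host_site_a hdr(host) -i site-a.example
    acl host_site_b hdr(host) -i site-b.example
    use_backend be_site_a if host_site_a
    use_backend be_site_b if host_site_b
    default_backend be_catchall

# Each backend has its own server entry for the same upstream, so the
# maxconn on each line is enforced per site, not shared across sites.
backend be_site_a
    server apache_a 127.0.0.1:8080 maxconn 40 check

backend be_site_b
    server apache_b 127.0.0.1:8080 maxconn 40 check

# Sites without a dedicated backend share this one and its single 40-slot cap.
backend be_catchall
    server apache_x 127.0.0.1:8080 maxconn 40 check
```

With 100 sites this scales to 100 backends, or a catch-all for the small ones, and the `timeout queue` value is the knob that decides how long a visitor to the attacked site waits before seeing an error; keep it short enough that queued attack requests do not themselves pile up in HAProxy memory.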