I have over 200 bots, or whatever they are, simply using over 200 different IPs to take down the site, and they were successful in slowing it down, but now it's working fine, though with high loads. I installed Dos_deflate and dos_evasive, but can someone recommend me the best dos_evasive settings to prevent these kinds of attacks?
Hate to say it, but mod_evasive is probably not going to help you with these attacks.
I sent some emails out to people who sell DDoS proxies for servers 30 minutes ago; still haven't gotten any response. Once I get a DDoS proxy, maybe then it will be stopped. Also, thanks for your quick response. And these idiots are only targeting httpd port 80. The only time the server becomes affected is during peak hours; other than that everything is normal, but with high loads. I also checked for rootkits, nothing found.
I never had much luck with mod_evasive, even with Apache floods. I guess it may help some. I have been seeing a lot lately of botnets doing Apache floods instead of SYN/UDP, and it gets right by most if not all DDoS protection. It has to be stopped at the server level. The best method I've been using to deal with it is to set mod_evasive to these settings for apache2; it's the basic recommended settings in the README. Also, the settings at eth0.us/mod_evasive will work.
UPDATE: the settings below are the ones from eth0, not the defaults.
Set your timeout to 30 and keepalive timeout to 5 in httpd.conf.
Install APF, enable antidos and install the cron.
Then get DOS-Deflate from deflate.medialayer.com, set max connections to about 60-90, and set the ban period as high as you can. I use 8600; I think much over that messes up the way it runs the cron.
When you get an attack, go into your box or control panel and shut down Apache so you can work. Then in the shell enter ddos and you will see who all is connected and how many times. If you see a lot of IPs from the same subnet, ban them. In some cases you can ban an entire /8 until you go back over your logs and ban the individual subnets and IPs. Restart Apache, and do the same cycle when you notice it lagging again.
Keep doing this and you will eventually get them filtered if they are just HTTP flooding. For SYN/UDP and anything else you would need a DDoS-protected network.
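The check the post above describes (run `ddos`, see who is connected and how often, look for clusters in one subnet), as an added example that is not from the thread or from the DDoS-Deflate project: a POSIX shell version that works over a constructed `netstat -ntu` sample, counts connections per remote IP on the web port, and rolls them up per /24 so a flood spread across a subnet still stands out. The function names, sample lines and threshold are assumptions, and it handles IPv4 only.

```shell
#!/bin/sh
# Added example, not code from the thread or from DDoS-Deflate. Assumes the
# column layout of `netstat -ntu` (proto, recv-q, send-q, local, remote, state)
# and IPv4 addresses only (IPv6 colons would break the split below).

# Constructed sample of `netstat -ntu` output; addresses are from documentation ranges.
SAMPLE_NETSTAT='tcp        0      0 203.0.113.10:80    198.51.100.7:51234  ESTABLISHED
tcp        0      0 203.0.113.10:80    198.51.100.7:51235  ESTABLISHED
tcp        0      0 203.0.113.10:80    198.51.100.7:51236  ESTABLISHED
tcp        0      0 203.0.113.10:80    198.51.100.8:40001  ESTABLISHED
tcp        0      0 203.0.113.10:80    198.51.100.9:40002  SYN_RECV
tcp        0      0 203.0.113.10:22    192.0.2.44:60000    ESTABLISHED
tcp        0      0 203.0.113.10:80    192.0.2.45:60010    TIME_WAIT'

# Connections per remote IP to a local port (default 80), busiest first.
# Prints "<count> <ip>" per line, like the `sort | uniq -c` in the original tools.
# Usage: count_per_ip "$(netstat -ntu)" [port]
count_per_ip() {
    printf '%s\n' "$1" | awk -v port="${2:-80}" '
        $1 ~ /^(tcp|udp)/ && $4 ~ (":" port "$") {
            split($5, a, ":"); n[a[1]]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Roll the per-IP counts up to /24 subnets: many IPs with a handful of
# connections each stay under a per-IP limit but add up per subnet.
count_per_subnet() {
    count_per_ip "$1" "${2:-80}" | awk '{
        split($2, o, "."); s[o[1] "." o[2] "." o[3] ".0/24"] += $1
    }
    END { for (k in s) print s[k], k }' | sort -rn
}

# Only the IPs at or above a connection threshold (the thread uses 60-90 in
# production; tests below use a low value just to exercise the logic).
# Usage: over_threshold "$(netstat -ntu)" <threshold> [port]
over_threshold() {
    count_per_ip "$1" "${3:-80}" | awk -v t="$2" '$1 >= t { print $2 }'
}
```

Feed the real `netstat -ntu` output in place of the sample; the per-subnet view is the one to consult before deciding whether a whole range rather than single hosts needs blocking.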