  1. #1

    dos_evasive settings

    I have over 200 bots, or whatever they are, simply using over 200 different IPs to take down the site. They were successful in slowing it down, but now it's working fine but with high loads. I installed Dos_deflate and dos_evasive, but can someone recommend me the best dos_evasive settings to prevent these kinds of attacks?

  2. #2
    Join Date
    Dec 2004
    New York, NY
    Hate to say it, but mod_evasive is probably not going to help you with these attacks.

  3. #3
    Quote Originally Posted by layer0
    Hate to say it, but mod_evasive is probably not going to help you with these attacks.
    I sent some emails out to people who sell DDoS proxies for server 30 minutes ago and still haven't gotten any response. Once I get a DDoS proxy, maybe then it will be stopped. Also, thanks for your quick response. And these idiots are only targeting httpd port 80; the only time the server becomes affected is during peak hours. Other than that everything is normal, but with high loads. I also checked for a rootkit; nothing found.

  4. #4
    Join Date
    Feb 2002
    Vestal, NY
    Does your datacenter have any DDOS devices? Maybe you can ask to see if there is anything they can do on the network level?

  5. #5
    Join Date
    Apr 2005
    Just log the attacks, and jack the nets
    Zach E. -

  6. #6
    Join Date
    May 2006
    I never had much luck with mod_evasive, even with Apache floods. I guess it may help some. I have been seeing a lot of botnets lately doing Apache floods instead of SYN/UDP, and it gets right by most if not all DDoS protection. It has to be stopped at the server level. The best method I've been using to deal with it is to set mod_evasive to these settings for apache2; it's the basic recommended settings in the readme. Also the settings at will work
    UPDATE: below settings are the ones from eth0 not default

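    <IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 5
    DOSSiteCount 100
    DOSPageInterval 2
    DOSSiteInterval 2
    # DOSBlockingPeriod is set twice in the post; Apache applies directives
    # in order, so the later value (600) is the one in effect.
    DOSBlockingPeriod 10
    DOSBlockingPeriod 600
    </IfModule>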
    Set your timeout to 30, keepalive timeout to 5 in httpd.conf

    Install apf, enable antidos and install the cron

    Then get dos deflate from set max connections to about 60-90, set ban period as high as you can, I use 8600, I think much over messes up the way it runs the cron

    When you get an attack, go in your box or control panel and shut down Apache so you can work. Then in the shell enter ddos and you will see who all is connected and how many times. If you see a lot of IPs from the same subnet, ban them. In some cases you can ban an entire /8 subnet until you go back over your logs and ban the individual subnets and IPs. Restart Apache, and do the same cycle when you notice it lagging again.
    Keep doing this and you will eventually get them filtered if they are just HTTP flooding. For SYN/UDP and anything else you would need a DDoS-protected network.

    Good luck, hope this helps.
    Last edited by jon-f; 01-20-2007 at 03:16 AM.
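
The manual triage step described in post #6 (see who is connected, then look for many IPs in one subnet) can be scripted. This is an added example, not part of the thread or of DDoS-Deflate; the function names, the /24 grouping and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage helper for an HTTP flood.
# Reads `netstat -ntu`-style output on stdin.

# Constructed sample input using documentation address ranges.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51516      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.8:40211      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:40877      SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.20:33100 ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:60100       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.99:50022      ESTABLISHED
EOF
}

# remote_ips PORT: print the remote IPv4 address of each connection to local PORT.
remote_ips() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            if ($4 !~ (":" port "$")) next   # keep only the service under attack
            ip = $5
            sub(/:[0-9]+$/, "", ip)          # drop the remote port
            sub(/^::ffff:/, "", ip)          # unwrap IPv4-mapped IPv6
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print ip
        }'
}

# at_least MIN: count identical stdin lines, print "count key" where count >= MIN.
at_least() {
    sort | uniq -c | awk -v min="$1" '$1 >= min { print $1, $2 }' | sort -k1,1nr -k2,2
}

# per_ip PORT MIN: source IPs holding at least MIN connections.
per_ip() { remote_ips "$1" | at_least "$2"; }

# per_subnet PORT MIN: /24 networks with at least MIN distinct source IPs,
# which surfaces bots that each stay under the per-IP limit.
per_subnet() {
    remote_ips "$1" | sort -u | awk -F. '{ print $1 "." $2 "." $3 ".0/24" }' | at_least "$2"
}

# On a live server: netstat -ntu | per_subnet 80 20
sample_netstat | per_ip 80 3
sample_netstat | per_subnet 80 3
```

Review the per-subnet list against the access logs before banning a range, since a /24 can also hold legitimate visitors behind the same provider.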
