  1. #1
    Join Date
    Dec 2007
    Posts
    32

    Basic anti-DoS protection

    Hello,

    We are looking for basic advice about how to secure our server against DoS attacks. We've never done anything like this before, sorry for asking such a basic question, but we could use a few starting pointers.

    We have a Fedora core server running Apache (with mod_security installed), MySQL and PHP. We were testing our server recently with setting one web browser to hit one of our webpages several times in a second, which resulted in MySQL slowing down. We want to protect the server from basic sort of annoyances like these.

    What is the best way to protect ourselves against this? Is it possible to specify something in our PHP, MySQL or Apache configuration that would stop creating new connections if many requests in a second are made from a single IP address?

    Or do we need to download extra Apache modules or other software? We googled a bit, and found the following recommendations:
    -Advanced Policy Firewall (APF)
    -Brute Force Detection (BFD)
    -mod_evasive module for Apache

    Thank you for any suggestions and advice. As you can see, we are not the most experienced in this field yet, so we would rather go step-by-step and do the basic stuff first - if we can protect ourselves through PHP/MySQL/Apache configuration, we'd do that first, and install any more advanced software a bit later.

    Cheers

  2. #2
    Join Date
    Nov 2005
    Location
    Michigan, USA
    Posts
    3,872
    look into mod_evasive and the USE_AD=1 in APF.


  3. #3
    Join Date
    Dec 2007
    Posts
    32
    Thanks, will look into it.

    Isn't there anything we can do through PHP, MySQL or Apache first?

    Or maybe through iptables, by setting dstlimit module?

  4. #4
    Join Date
    Nov 2005
    Location
    Michigan, USA
    Posts
    3,872
    PHP and MySQL, not really. Mod_evasive and mod_security together for Apache will work well for smaller DDOS attacks, and then APF's Anti-Dos (USE_AD) will help as well.

    If it's a larger DDOS attack, then nothing on your server is going to help, you have to rely on your ISP.


  5. #5
    Join Date
    Feb 2004
    Location
    Sofia
    Posts
    1,349
    There is no more USE_AD in APF. What happened to it? Was it replaced by something else or just abandoned as inefficient?

  6. #6
    Join Date
    Aug 2007
    Location
    Greece
    Posts
    390
    mod_evasive, APF.
    If it is a large DDoS you could also change your webserver to LiteSpeed.
    If it is something big enough you should look at external solutions (firewall, proxy shields etc.)
    NOT a webhost! Helping here just for the fun of it!
    G(r)eek inside.

  7. #7
    Join Date
    Jan 2003
    Location
    Lake Arrowhead, CA
    Posts
    789
    Quote Originally Posted by Dave_77:
    Isn't there anything we can do through PHP, MySQL or Apache first?
    Absolutely. Anyone saying otherwise obviously didn't read what you wrote:
    one web browser to hit one of our webpages several times in a second, which resulted in MySQL slowing down
    That scenario isn't a DDoS issue, it's one of basic code optimization.

    1) You can use MySQL persistent connections to avoid the overhead of creating new connections for each query. This may benefit you as long as you don't expect to have a huge number of connections from diverse IPs, in which case you can run out of memory. Of course, your script(s) should track and limit the number of connections to something the server can handle.

    2) Are you utilizing query caching? Unless the data changes several times a second, your script (or the MySQL query cache) should be caching the result to avoid unnecessary queries. Fix the code and DoS should not be an issue.

    Well-written code is almost always the correct solution to (non-distributed) DoS situations. I would never use a broadsword (mod_security, APF, etc.) to solve a problem easily fixed with a scalpel.

    For small DDoS attacks, all the above-mentioned options (mod_evasive, Anti-DoS, lightweight web server, etc.) are good potential choices.
    Last edited by SROHost; 03-16-2008 at 01:43 PM.
    http://www.srohosting.com
    Stability, redundancy and peace of mind

  8. #8
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    If you're using cPanel, I'd use the more recent (and actively maintained) CSF instead of the older APF, especially when coupled with mod_security. As SROhost says though, if your application is weak then you're screwed. (I can see you're not running cPanel, but CSF may still be more helpful than APF).

    Another very simple solution that some people miss is - don't host DDOS-prone sites. Some of the site types that are more likely to attract DDOS attacks are:
    • game and clan sites
    • manga (apparently)
    • hacker sites (probably)
    • porn and soft porn


    Oh - and I believe iptables has rate limiting stuff built in. I think CSF uses it too. Would probably help.

    Also as SROhost says, make sure you cache stuff if possible. If not, you may look at using locks to serialize access, or some other similar mechanism.
    Last edited by brianoz; 03-18-2008 at 10:05 AM.

  9. #9
    Join Date
    Feb 2008
    Posts
    269
    Quote Originally Posted by Dave_77:
    What is the best way to protect ourselves against this?
    Have you considered using services of a company that provides DDoS mitigation? If you haven't done that so far, maybe it could be worthwhile to start investigating the companies that offer such services. There are many reviews of such companies here on WHT.

  10. #10
    phreek338 Guest
    You should probably take a look at the Netfilter manpages; iptables has some good features that can help you when it comes to DDoS attacks, but like they said, if the attack is large enough there isn't much you can do server-side.

  11. #11
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    For basic security against entry-level DDoS attacks I would ditch the Apache idea and drop in LiteSpeed. It's not incredibly difficult and works out to be a good deal for the benefits.

  12. #12
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    Quote Originally Posted by IRCCo Jeff:
    For basic security against entry-level DDoS attacks I would ditch the Apache idea and drop in LiteSpeed. It's not incredibly difficult and works out to be a good deal for the benefits.
    Jeff,

    Do you lose any functionality with LiteSpeed? What does it cost?

    Cheers,

    Brian

  13. #13
    Join Date
    May 2006
    Location
    San Francisco
    Posts
    7,200
    Quote Originally Posted by brianoz:
    Jeff,

    Do you lose any functionality with LiteSpeed? What does it cost?

    Cheers,

    Brian
    http://www.litespeedtech.com/product...rver/overview/

  14. #14
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    Thanks, was looking for a summary from someone who's actually used both, rather than their marketing material (which is generally not too useful in assessing a product).

  15. #15
    +1 to SROHost

    Also pay attention to DB optimization (e.g. use InnoDB instead of MyISAM etc.), do not store session data in the DB, try to avoid DB queries from the front page, etc.

  16. #16
    Please see the post by SROhost.

    The scenario you are explaining requires MySQL optimization. Please enable persistent connections and query caching on the DB server.

    Also, instead of using mod_evasive, please use an iptables rule for the same.

    mod_evasive will result in an increased size of the httpd binary, and it works in the application layer, which is a little slow compared to iptables, which works at the network layer.
    Web Hosting Gurus
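The threshold model that mod_evasive (recommended in #2, #4 and #16) applies to the OP's scenario, replayed over constructed Apache access-log lines, as an added example that is not part of this thread or of mod_evasive itself. The directive names cited in the docstring are mod_evasive's; the threshold values, the client IPs and the log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log line: client IP, [timestamp], "METHOD URI ...".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)')

def _slide(window, now, interval):
    # Drop timestamps older than `interval` seconds, record `now`, return the count.
    while window and window[0] <= now - interval:
        window.popleft()
    window.append(now)
    return len(window)

class PageFloodDetector:
    """Sliding windows per (ip, uri) and per ip, modelled on mod_evasive's
    DOSPageCount/DOSPageInterval, DOSSiteCount/DOSSiteInterval and
    DOSBlockingPeriod. Threshold values here are constructed for the example."""
    def __init__(self, page_count=5, page_interval=1.0,
                 site_count=50, site_interval=1.0, block_period=10.0):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.block_period = block_period
        self.page_hits, self.site_hits = defaultdict(deque), defaultdict(deque)  # keyed (ip, uri) / ip
        self.blocked_until = {}               # ip -> epoch second at which the block ends

    def observe(self, ip, uri, now):
        """Return 'blocked' if this request should be refused, otherwise 'ok'."""
        if now < self.blocked_until.get(ip, float("-inf")):
            return "blocked"                  # still inside the blocking period
        page = _slide(self.page_hits[(ip, uri)], now, self.page_interval)
        site = _slide(self.site_hits[ip], now, self.site_interval)
        if page > self.page_count or site > self.site_count:
            self.blocked_until[ip] = now + self.block_period
            return "blocked"
        return "ok"

def analyze(log_lines, det):
    out = []
    for m in filter(None, map(LOG_RE.match, log_lines)):   # non-request lines are skipped
        ip, stamp, uri = m.groups()
        now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        out.append((ip, uri, det.observe(ip, uri, now)))  # one verdict per request
    return out

# Constructed sample: a normal visitor, then one browser reloading /search.php 8 times in one second, again 4 s and 15 s later.
HIT = '%s - - [16/Mar/2008:13:43:%02d +0000] "GET %s HTTP/1.1" 200 1024'
SAMPLE_LOG = ([HIT % ("192.0.2.10", s, "/") for s in range(3)]
              + [HIT % ("198.51.100.7", 5, "/search.php")] * 8
              + [HIT % ("198.51.100.7", s, "/search.php") for s in (9, 20)])
```

Calling `analyze(SAMPLE_LOG, PageFloodDetector())` marks the sixth, seventh and eighth reload and the retry four seconds later as blocked, and lets the request after the blocking period through again; this is the point at which the server-side module stops serving repeated hits while the MySQL-side fixes from #7 are still being made.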
