We are looking for basic advice about how to secure our server against DoS attacks. We've never done anything like this before, sorry for asking such a basic question, but we could use a few starting pointers.
We have a Fedora Core server running Apache (with mod_security installed), MySQL and PHP. We were testing our server recently by setting one web browser to hit one of our web pages several times in a second, which resulted in MySQL slowing down. We want to protect the server from basic sorts of annoyances like these.
What is the best way to protect ourselves against this? Is it possible to specify something in our PHP, MySQL or Apache configuration that would stop creating new connections if many requests in a second are made from a single IP address?
Or do we need to download extra Apache modules or other software? We googled a bit, and found the following recommendations:
- Advanced Policy Firewall (APF)
- Brute Force Detection (BFD)
- mod_evasive module for Apache
Thank you for any suggestions and advice. As you can see, we are not the most experienced in this field yet, so we would rather go step-by-step and do the basic stuff first - if we can protect ourselves through PHP/MySQL/Apache configuration, we'd do that first, and install any more advanced software a bit later.
Isn't there anything we can do through PHP, MySQL or Apache first?
Absolutely. Anyone saying otherwise obviously didn't read what you wrote:
one web browser to hit one of our webpages several times in a second, which resulted in MySQL slowing down
That scenario isn't a DDoS issue, it's one of basic code optimization.
1) You can use MySQL persistent connections to avoid the overhead of creating new connections for each query. This may benefit you as long as you don't expect to have a huge number of connections from diverse IPs, in which case you can run out of memory. Of course, your script(s) should track and limit the number of connections to something the server can handle.
2) Are you utilizing query caching? Unless the data changes several times a second, your script (or the MySQL query cache) should be caching the result to avoid unnecessary queries. Fix the code and DoS should not be an issue.
Well-written code is almost always the correct solution to (non-distributed) DoS situations. I would never use a broadsword (mod_security, APF, etc.) to solve a problem easily fixed with a scalpel.
For small DDoS attacks, all the above-mentioned options (mod_evasive, Anti-Dos, lightweight web server, etc.) are good potential choices.
If you're using cPanel, I'd use the more recent (and actively maintained) CSF instead of the older APF, especially when coupled with mod_security. As SROhost says though, if your application is weak then you're screwed. (I can see you're not running cPanel, but CSF may still be more helpful than APF.)
Another very simple solution that some people miss is - don't host DDoS-prone sites. Some of the site types that are more likely to attract DDoS attacks are:
game and clan sites
hacker sites (probably)
porn and soft porn
Oh - and I believe iptables has rate-limiting stuff built in. I think CSF uses it too. Would probably help.
Also as SROhost says, make sure you cache stuff if possible. If not, you may look at using locks to serialize access, or some other similar mechanism.
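An added example, not code from the thread or any of the posters, that puts SROhost's query-caching advice and the "locks to serialize access" suggestion above into one PHP request handler, plus the per-IP throttle the original question asks for in PHP alone. It assumes a cache directory under the system temp dir, a `$fetchFromDb` closure standing in for the real MySQL query, a constructed TEST-NET client address, and illustrative thresholds (5 requests per second per IP, a 5 second cache TTL):

```php
<?php
// Added example, not code from the thread. Assumptions: a cache directory under
// the system temp dir, a $fetchFromDb callable standing in for the real MySQL
// query, and illustrative thresholds (5 requests/second per IP, 5 s cache TTL).
declare(strict_types=1);

define('CACHE_DIR', sys_get_temp_dir() . '/wht-cache');
const CACHE_TTL   = 5;   // seconds a cached result stays fresh
const RATE_WINDOW = 1;   // seconds
const RATE_MAX    = 5;   // requests per client IP per window

/**
 * Per-IP throttle with a fixed window: true while the client is within budget.
 * State is one small file per IP, updated under flock(), so it needs no extra
 * Apache module or daemon.
 */
function allowRequest(string $ip, int $now, int $max = RATE_MAX, int $window = RATE_WINDOW): bool
{
    $fh = @fopen(CACHE_DIR . '/rate-' . md5($ip), 'c+');
    if ($fh === false) {
        return true;              // fail open: a broken throttle must not take the site down
    }
    flock($fh, LOCK_EX);
    $parts = explode(':', stream_get_contents($fh));
    if (count($parts) !== 2) {
        $parts = [$now, 0];       // empty or corrupt state file: start a fresh window
    }
    [$start, $count] = array_map('intval', $parts);
    if ($now - $start >= $window) {
        $start = $now;
        $count = 0;
    }
    $count++;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, "$start:$count");
    flock($fh, LOCK_UN);
    fclose($fh);
    return $count <= $max;
}

/**
 * Result cache with a TTL. When an entry expires under load, a lock file makes
 * one request recompute it while the others wait and then read the fresh copy,
 * so a burst of hits costs MySQL one query instead of one per hit.
 */
function cachedQuery(string $key, callable $fetchFromDb, int $now, int $ttl = CACHE_TTL): array
{
    $file = CACHE_DIR . '/q-' . md5($key);
    $read = static function () use ($file, $now, $ttl): ?array {
        if (!is_file($file)) {
            return null;
        }
        $data = json_decode((string) file_get_contents($file), true);
        if (!is_array($data) || !isset($data['t']) || !is_array($data['rows'] ?? null)) {
            return null;
        }
        return ($now - (int) $data['t'] < $ttl) ? $data['rows'] : null;
    };
    if (($rows = $read()) !== null) {
        return ['hit' => true, 'rows' => $rows];
    }
    $lock = @fopen($file . '.lock', 'c');
    if ($lock !== false) {
        flock($lock, LOCK_EX);
    }
    if (($rows = $read()) === null) {     // re-check: another request may have refilled it
        $rows = $fetchFromDb();           // the only place MySQL is touched
        $tmp = $file . '.tmp';
        file_put_contents($tmp, json_encode(['t' => $now, 'rows' => $rows]));
        rename($tmp, $file);              // atomic swap: readers never see a half-written file
        $hit = false;
    } else {
        $hit = true;
    }
    if ($lock !== false) {
        flock($lock, LOCK_UN);
        fclose($lock);
    }
    return ['hit' => $hit, 'rows' => $rows];
}

// Demo: replays the OP's test (one client hammering one page) without a real database.
if (PHP_SAPI === 'cli') {
    @mkdir(CACHE_DIR, 0700, true);
    array_map('unlink', glob(CACHE_DIR . '/*') ?: []);
    $dbCalls = 0;
    $fetch = function () use (&$dbCalls): array {
        $dbCalls++;                       // stands in for "SELECT ... FROM articles"
        return [['id' => 1, 'title' => 'front page']];
    };
    $now = time();
    $ip = '203.0.113.7';                  // constructed TEST-NET address
    for ($i = 1; $i <= 8; $i++) {
        if (!allowRequest($ip, $now)) {
            echo "request $i: 429 Too Many Requests\n";   // http_response_code(429) in a real handler
            continue;
        }
        $r = cachedQuery('front-page', $fetch, $now);
        echo "request $i: " . ($r['hit'] ? 'cache hit' : 'MySQL query') . "\n";
    }
    echo "MySQL was queried $dbCalls time(s) for 8 requests\n";
}
```

In a real page you would call `allowRequest($_SERVER['REMOTE_ADDR'], time())` before doing any work and stop with a 429 when it returns false, and wrap each expensive SELECT in `cachedQuery` with a key derived from the query and its parameters. Two caveats: `REMOTE_ADDR` is the upstream proxy's address if the server sits behind one, so the throttle would then punish the proxy rather than the client; and this file-based state is fine for one box, but a shared store is needed once the site runs on several. Persistent MySQL connections (the `p:` host prefix in mysqli) are a separate change and not shown here.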
What is the best way to protect ourselves against this?
Have you considered using services of a company that provides DDoS mitigation? If you haven't done that so far, maybe it could be worthwhile to start investigating the companies that offer such services. There are many reviews of such companies here on WHT.
You should probably take a look at the Netfilter man pages; iptables has some good features that can help you when it comes to DDoS attacks, but like they said, if the attack is large enough there isn't much you can do server-side.