HTTPD floods
Posted by Markovic, 04-25-2011, 05:21 AM |
Hello,
I'm getting a flood of a few Mbps. The problem is it's taking my Apache down every time.
I currently have installed and configured:
CSF
Synd
Custom /etc/sysctl.conf from here: sph1.net/sysctl-tuner.sh
My problem is my Apache goes down every time there is a DDoS. I basically need tweaks that will allow my Apache to stay up, like the MaxClients option in httpd.conf, max open files and so on. Any other protection at the Apache level would be appreciated.
Thank you for your time.
|
Posted by yourwebhostereu, 04-25-2011, 05:28 AM |
Hi
You should take a look at the server-status page. Perhaps it's something like a slow-loris attack (see here)
|
Posted by Markovic, 04-25-2011, 05:51 AM |
Installed.
Thank you, more suggestions would be appreciated.
Have a good day.
|
Posted by yourwebhostereu, 04-25-2011, 06:11 AM |
This kind of attack just opens a connection to Apache but doesn't do anything. When most Apache processes are connected with an attacker, almost nobody can access the server anymore. /server-status/ (if you can open it) will always show the same URL with many different IPs, which means that it is a slow-loris attack.
Combined with an optimized amount of max processes this should solve the problem. It's a rough guess, but on average I'm right with this.
|
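The server-status check described in the post above, as an added example that is not part of the original thread: it parses the machine-readable `/server-status?auto` output of mod_status and flags the case where most worker slots sit in the "reading request" state (`R`) across many client IPs. It assumes held-open connections show up as `R` in the scoreboard; the sample data and both thresholds are constructed for illustration.

```python
"""Added example: flag slow-connection worker exhaustion from mod_status output."""
from collections import Counter

# Constructed sample of `/server-status?auto` output (not taken from the thread).
SAMPLE_STATUS = ("Total Accesses: 1842\nBusyWorkers: 28\nIdleWorkers: 2\n"
                 "Scoreboard: " + "R" * 26 + "WK__" + "." * 10 + "\n")

# Constructed (client IP, worker state) pairs, as listed on the full status page.
SAMPLE_CLIENTS = [("198.51.100.%d" % i, "R") for i in range(1, 27)] + [
    ("203.0.113.9", "W"), ("203.0.113.10", "K")]


def parse_auto(text):
    """Parse the 'Key: value' lines of server-status?auto into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(text, clients=(), read_ratio=0.7, min_sources=10):
    """Summarise the scoreboard; both thresholds are illustrative assumptions."""
    board = parse_auto(text).get("Scoreboard", "")
    states = Counter(board)
    slots = len(board) - states["."]   # '.' = open slot with no process
    reading = states["R"]              # 'R' = worker reading a request
    ratio = reading / slots if slots else 0.0
    # Distinct client IPs whose worker is still waiting for the request.
    sources = {ip for ip, state in clients if state == "R"}
    return {
        "slots": slots,
        "reading": reading,
        "idle": states["_"],           # '_' = waiting for a connection
        "read_ratio": round(ratio, 2),
        "distinct_reading_ips": len(sources),
        # Many workers stuck reading, spread over many sources.
        "suspect_slow_connections": (ratio >= read_ratio
                                     and len(sources) >= min_sources),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS, SAMPLE_CLIENTS))
```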
Posted by PeakVPN-KH, 04-25-2011, 02:41 PM |
If that doesn't work you would likely need to look at getting a server behind mitigation or adding some form of remote protection. The issue is that this sort of attack is not easily blocked with any method on the server-side without complex scripting or just tons of resources.
Another option is switching to something like LiteSpeed or nginx, which can handle it a bit better. Specifically, bursts and hung connections, which Apache will fold with over time. Best of luck!
|
Posted by viGeek, 04-25-2011, 03:29 PM |
Are they making certain requests to a web resource? If it's only several Mbps, you may be able to handle it locally.
Scripting really comes in handy in circumstances like this however.
|
Posted by CI-Andrew, 04-27-2011, 04:47 PM |
It could very well be the slowloris attack as mentioned above. Even the latest version of Apache is vulnerable to this as far as I know; the only method I know for sure to block it is to use a reverse proxy server in front of Apache.
|