Monday, January 17, 2011

Mod_Dosevasive in Apache

What Is Mod_Dosevasive?

Mod_Dosevasive is an evasive-maneuvers module for Apache whose purpose is to react to HTTP DoS and/or brute-force attacks.
The module can also execute system commands when a DoS attack is identified. This provides an interface for sending attacking IP addresses to other security applications, such as local host-based firewalls, so that they can block the offending IP address. Mod_Dosevasive performs well against both single-server and distributed attacks; however, as with any DoS attack, the real concern is network bandwidth and processor/RAM usage.

How Does Mod_Dosevasive Work?

Mod_Dosevasive identifies attacks by creating and using an internal dynamic hash table of IP address and URI pairs, built from the requests it receives. When a new request comes into Apache, Mod_Dosevasive performs the following tasks:
  • The IP address of the client is checked in the temporary blacklist of the hash table. If the IP address is listed, then the client is denied access with a 403 Forbidden.
  • If the client is not currently on the blacklist, then the IP address of the client and the Universal Resource Identifier (URI) being requested are hashed into a key. Mod_Dosevasive then checks the listener's hash table for matching hashes. If any exist, it compares the total number of matched hashes, and the timeframe in which they were requested, against the thresholds specified in the httpd.conf file by the Mod_Dosevasive directives.
  • If the request is not denied by the preceding check, then just the IP address of the client is hashed into a key. The module then checks the hash table in the same fashion as above. The only difference is that this check does not factor in which URI the client is requesting: it checks whether the client's request count has gone above the threshold set for the entire site within the specified time interval.

Configuration

You should add the following directives to your httpd.conf file:

LoadModule dosevasive20_module modules/mod_dosevasive20.so

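<IfModule mod_dosevasive20.c>
    # Size of the internal hash table
    DOSHashTableSize    3097
    # Requests for the same URI allowed per DOSPageInterval
    DOSPageCount        2
    # Requests for the whole site allowed per DOSSiteInterval
    DOSSiteCount        50
    # Intervals for the two thresholds, in seconds
    DOSPageInterval     1
    DOSSiteInterval     1
    # Seconds a client stays on the temporary blacklist
    DOSBlockingPeriod   10
</IfModule>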
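
The three checks described above, replayed with the thresholds from this configuration, as an added example (not code from the module or from the original post). It is a simplified Python model: the class and function names are hypothetical, the fixed time window and the "more than the threshold" comparison are assumptions, and the sample traffic is constructed.

```python
# Thresholds copied from the httpd.conf example on this page.
CONFIG = {"DOSPageCount": 2, "DOSSiteCount": 50, "DOSPageInterval": 1,
          "DOSSiteInterval": 1, "DOSBlockingPeriod": 10}

class EvasiveModel:
    """Simplified model of the three per-request checks (not the module's code)."""
    def __init__(self, cfg=CONFIG):
        self.cfg = cfg
        self.blocked_until = {}  # ip -> time the temporary block expires
        self.counters = {}       # (ip, uri) or (ip,) -> (window_start, hits)

    def _over(self, key, now, interval, limit):
        # Assumption: fixed window per key, exceeded when hits go above limit.
        start, hits = self.counters.get(key, (now, 0))
        if now - start >= interval:  # window expired, start a new one
            start, hits = now, 0
        self.counters[key] = (start, hits + 1)
        return hits + 1 > limit

    def handle(self, ip, uri, now):
        c = self.cfg
        # Check 1: client already on the temporary blacklist -> 403.
        if self.blocked_until.get(ip, 0) > now:
            return 403
        # Check 2: same client and same URI. Check 3 (same client, any URI)
        # runs only if check 2 passed, because `or` short-circuits.
        over = (self._over((ip, uri), now, c["DOSPageInterval"], c["DOSPageCount"])
                or self._over((ip,), now, c["DOSSiteInterval"], c["DOSSiteCount"]))
        if over:
            self.blocked_until[ip] = now + c["DOSBlockingPeriod"]
            return 403
        return 200

def replay(requests):
    model = EvasiveModel()
    return [model.handle(ip, uri, t) for ip, uri, t in requests]

# Constructed sample traffic: (client IP, URI, seconds since start).
SAMPLE = [
    ("198.51.100.7", "/login", 0.0),
    ("198.51.100.7", "/login", 0.2),
    ("198.51.100.7", "/login", 0.4),   # third hit on one URI within 1 s
    ("198.51.100.7", "/index", 5.0),   # still inside the 10 s block
    ("203.0.113.9", "/login", 5.0),    # different client, unaffected
    ("198.51.100.7", "/index", 10.5),  # block has expired
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

With DOSPageCount set to 2, the model shows how quickly a client reloading one page can land on the blacklist, which is worth checking against legitimate traffic before deploying these values.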
