mod_evasive

What is mod_evasive?

mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS, DDoS, or brute-force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and so on. mod_evasive presently reports abuses via email and syslog facilities.

Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:

  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted (on a blocking list)

This method has worked well against both single-server scripted attacks and distributed attacks. Like other evasive tools, however, it is only useful up to the point where bandwidth and processor consumption become the limit (that is, the bandwidth and processor time required to receive, process, and respond to invalid requests), which is why it’s a good idea to integrate it with your firewalls and routers for maximum protection.

This module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests (even those from proxies and NAT addresses) are never compromised; only scripted attacks are. Even a user repeatedly clicking on ‘reload’ should not be affected unless they do it maliciously. mod_evasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use.
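The three detection rules listed above, replayed over sample traffic. This Python model is an added example, not mod_evasive's source code: the class and constant names, the per-page threshold, the blocking period, the fixed one-second windows and the constructed request tuples are all assumptions made for illustration.

```python
# Simplified model of the three checks; not mod_evasive source code.
# Names and values are assumptions, except SITE_COUNT, which is the page's figure.
PAGE_COUNT = 2        # same-URI hits allowed per PAGE_INTERVAL ("a few times per second")
PAGE_INTERVAL = 1.0   # seconds
SITE_COUNT = 50       # total hits allowed per SITE_INTERVAL on one child
SITE_INTERVAL = 1.0   # seconds
BLOCK_PERIOD = 10.0   # seconds an address stays on the blocking list


class Evasive:
    """State held by one child: a table of hit counters and a blocking list."""

    def __init__(self):
        self.hits = {}     # (ip, uri) or (ip, None) -> (window_start, count)
        self.blocked = {}  # ip -> time at which the block expires

    def _over(self, key, now, interval, limit):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:   # window expired: start a new one
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count > limit

    def check(self, ip, uri, now):
        """Return 'allow' or 'deny' for one request seen at time `now`."""
        if self.blocked.get(ip, 0) > now:   # rule 3: already on the blocking list
            return "deny"
        self.blocked.pop(ip, None)          # block expired (or never existed)
        page = self._over((ip, uri), now, PAGE_INTERVAL, PAGE_COUNT)   # rule 1
        site = self._over((ip, None), now, SITE_INTERVAL, SITE_COUNT)  # rule 2
        if page or site:
            self.blocked[ip] = now + BLOCK_PERIOD
            return "deny"
        return "allow"


def replay(requests):
    """Feed constructed (time, ip, uri) tuples through one child's state."""
    child = Evasive()
    return [child.check(ip, uri, t) for t, ip, uri in requests]


# Constructed sample traffic using documentation addresses, not real logs.
BURST = [(i * 0.1, "192.0.2.10", "/login") for i in range(5)]
BROWSING = [(float(i), "198.51.100.7", "/page%d" % (i % 3)) for i in range(6)]
AFTER_BLOCK = BURST + [(5.0, "192.0.2.10", "/"), (11.0, "192.0.2.10", "/")]

if __name__ == "__main__":
    for name in ("BURST", "BROWSING", "AFTER_BLOCK"):
        print(name, replay(globals()[name]))
```

Because each child keeps its own `Evasive` state in this model, the counters only see the requests that child handled, which is the per-child behaviour the paragraph above describes.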

Downloads:

Stable: mod_evasive_1.10.1.tar.gz - mod_evasive for Apache v1.3 and 2.0, and NSAPI (SunONE)

CVS Access

The mod_evasive source tree is available via CVS by using the following commands:

cvs -d :pserver:cvs@cvs.nuclearelephant.com:/usr/local/cvsroot login
cvs -d :pserver:cvs@cvs.nuclearelephant.com:/usr/local/cvsroot checkout mod_evasive

Linux RPMs

The following links are not official RPMs, but have been submitted as freely downloadable.

http://checksuite.sourceforge.net/dl/

7 Responses to “mod_evasive”

  1. [...] I don't have time to go looking for it now but if you do a little searching, you will find a copy of a cronjob script someone around here wrote and posted for exactly this purpose just last year. If you have not already done so, I would install CSF firewall from configserver.net on your server and more closer to what you want to do, you might want to also look into mod_evasive: Article talking about Mod_Evasive The link for mod_evasive recently changed: Current link to Mod_Evasive [...]

  2. Thor says:

    Hi, I think I found a bug in mod_evasive, here I explain it in Spanish:
    http://el-blog-de-thor.blogspot.com/2009/04/fallo-de-programacion-en-modevasive.html
    Summarizing, you’re resetting the variable n->timestamp for each request. It’s possible that I may have misunderstood the code, if so sorry. Regards!

  3. pferreir says:

    Hello,
    I’m currently using mod_evasive, and it works beautifully. However, I’m getting a high number of false positives, since I have a script that is requested through AJAX, and since the URL is always the same, and there can be several requests per second, blacklisting becomes inevitable.
    I think that the ability to override some parameters (or just disable the module) for specific and would be very desirable. Are you planning to add this in the future? Or at least a regex that allows you to whitelist some URLs… that’d be enough for most cases.
    Keep up the good work!

  4. [...] constant target for DDOS attacks, to lower their performance impact, you can install Apache module mod_evasive and DDOS Deflate scripts. mod_evasive installation guides are scattered across the net, so I leave [...]

  5. [...] of all, head on over to Jonathan Zdziarski’s site to download the latest version (1.10.1 as of writing [...]

  6. mikeyc says:

    Is mod_evasive available for Windows installations of Apache?
