Http flooding: how to prevent that (neither mod_evasive nor iptables helped)

Hi,
I got many http flooding on my apache that I am unable to stop.
Simple attack which “just” requests thousands of index page of my website.
I put some firewall rules, that stops many of them, but not all of them and these make my apache going down.

• I tried to solve that with mod_evasive: but issue is that mod_evasive only see CF IPs, so mod_evasive can only block… CF itself !
• I tried to use some scripts and add iptables : same issue here. iptables will not work since all requests are done through CF. So if I detect an dangerous IP making many requests, adding it to iptables, will not prevent it to access my https site through CF.

I installed modIp so I can see real IP in apache log, but this does not work with mod_evasive, nor with iptables.

I really do not have any idea. Looks like only possibility left is the “rate limiting” option. Problem is I am afraid that will cost me thousands of dollars per month.

If someone has treated already that issue and have some free time, I am ok for freelancing job.

Thanks again

mod_remoteip is necessary as you’ll otherwise never get the right IP addresses. What you need to make sure is that Apache executes mod_remoteip before mod_evasive. That’s unfortunately rather an Apache specific question and better handled on their forums.

iptables won’t help you as they work on an IP level but the required information is within the HTTP request.

You need to make sure mod_remoteip is properly configured and rewrite the address correctly. Once that works correctly mod_evasive should get that address too and everything should work out of the box.

Again, Apache’s forums is the best place for that.

Rate limiting will not charge you for requests which were blocked, however it certainly depends on how many requests you have.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.