Thanks so much for this really useful and helpful post. I have installed Apache 2.2.6, which seems to be working faster.
Firstly, I have installed dos_evasive and tuned the timeout and MaxClients stuff. Here are my settings from httpd.conf:
Timeout 15
KeepAlive On
MaxKeepAliveRequests 125
KeepAliveTimeout 2
MinSpareServers 16
MaxSpareServers 32
StartServers 5
MaxClients 250
MaxRequestsPerChild 500
LoadModule security2_module modules/mod_security2.so
LoadModule auth_passthrough_module modules/mod_auth_passthrough.so
LoadModule bwlimited_module modules/mod_bwlimited.so
#---- EVASIVE MODULE
LoadModule evasive20_module modules/mod_evasive20.so
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 100
DOSLogDir "/var/log/apache/mod_evasive"
#---- DEFLATE MODULE
LoadModule deflate_module modules/mod_deflate.so
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-httpd-php application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary
Secondly, I have also installed the "(D)Dos Deflate" thing from medialayer:
http://deflate.medialayer.com/
Thirdly, I have installed Chirpy's CSF/LFD and enabled people who connect more than 150 times per minute to be blocked, plus I have enabled the new "Syn Flood" feature with a "5/s" timing thing. Is there a better tool for blocking Syn Floods?
Fourthly, I have also installed "atop" instead of top, and I can tell now which processes are taking the most amount of memory and resources. Plus there is that netstat command to see how many TCP/Syn connections are active.
Fifthly, I have installed the new mod_sec2, and installed many rules from gotroot.com -- including blacklisting of common compromised boxes, common rootkit attacks, common spambots etc.
The server seems to be much better now. Apart from these precautions, anything else you can think of that I can use to *prevent* DDoS attacks?
So many thanks for the info!
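To make the mod_evasive numbers in the post concrete (DOSPageCount 2, DOSSiteCount 50, one-second intervals, DOSBlockingPeriod 100), here is a small Python model of how those thresholds interact, added for illustration. It is not mod_evasive's source and not code from the poster; it assumes a simplified rule where the Nth request that arrives within the interval of the previous one trips the threshold, and where every request from a blocked client extends the block. The real module's exact counting may differ by one, so treat it as a way to reason about the settings, not as a reimplementation.

```python
"""Simplified model of mod_evasive-style per-page and per-site rate limits.

Assumptions (illustration only, not mod_evasive's own algorithm):
- A request increments a counter if it arrives within `interval` seconds of
  the previous request for the same key; otherwise the counter restarts at 1.
- When a counter reaches its limit the client is blocked and gets 403.
- Any request from a blocked client within DOSBlockingPeriod refreshes the
  block timer, matching the "sticky" behaviour the directive documents.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class EvasiveConfig:
    # Values taken from the httpd.conf snippet in the post.
    page_count: int = 2          # DOSPageCount
    site_count: int = 50         # DOSSiteCount
    page_interval: float = 1.0   # DOSPageInterval (seconds)
    site_interval: float = 1.0   # DOSSiteInterval (seconds)
    blocking_period: float = 100.0  # DOSBlockingPeriod (seconds)


@dataclass
class Evasive:
    cfg: EvasiveConfig = field(default_factory=EvasiveConfig)
    # (client_ip, uri) -> (hits_in_window, time_of_last_hit)
    page_hits: Dict[Tuple[str, str], Tuple[int, float]] = field(default_factory=dict)
    # client_ip -> (hits_in_window, time_of_last_hit) across all URIs
    site_hits: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    # client_ip -> time of the most recent request made while blocked
    blocked: Dict[str, float] = field(default_factory=dict)

    @staticmethod
    def _bump(table: dict, key, now: float, interval: float, limit: int) -> bool:
        """Update one counter and report whether it has reached its limit."""
        count, last = table.get(key, (0, None))
        count = count + 1 if last is not None and now - last <= interval else 1
        table[key] = (count, now)
        return count >= limit

    def request(self, ip: str, uri: str, now: float) -> int:
        """Return the status this model would give: 403 if blocked, else 200."""
        last_block: Optional[float] = self.blocked.get(ip)
        if last_block is not None:
            if now - last_block <= self.cfg.blocking_period:
                self.blocked[ip] = now  # hitting a blocked server extends the block
                return 403
            del self.blocked[ip]        # blocking period elapsed quietly
        over_page = self._bump(self.page_hits, (ip, uri), now,
                               self.cfg.page_interval, self.cfg.page_count)
        over_site = self._bump(self.site_hits, ip, now,
                               self.cfg.site_interval, self.cfg.site_count)
        if over_page or over_site:
            self.blocked[ip] = now
            return 403
        return 200


def simulate(events: List[Tuple[float, str, str]],
             cfg: Optional[EvasiveConfig] = None) -> List[int]:
    """Run a list of (time, ip, uri) events (must be time-ordered) through the model."""
    ev = Evasive(cfg or EvasiveConfig())
    return [ev.request(ip, uri, t) for t, ip, uri in events]


if __name__ == "__main__":
    # Constructed sample traffic: one client double-loads the same page
    # (a plain browser refresh), another fetches ten distinct assets.
    sample = [
        (0.0, "203.0.113.5", "/index.html"),
        (0.5, "203.0.113.5", "/index.html"),   # 2nd hit within 1 s -> DOSPageCount 2 trips
        (50.0, "203.0.113.5", "/other.html"),  # still inside DOSBlockingPeriod
        (151.0, "203.0.113.5", "/index.html"), # block expired, counters reset
    ] + [(0.1 * i, "198.51.100.7", f"/asset{i}.css") for i in range(10)]
    sample.sort(key=lambda e: e[0])
    for (t, ip, uri), status in zip(sample, simulate(sample)):
        print(f"t={t:6.1f} {ip:14} {uri:14} -> {status}")
```

The sample run makes the practical point: with DOSPageCount set to 2 and a one-second interval, a user who refreshes the same page twice in quick succession is blocked for the full DOSBlockingPeriod, while DOSSiteCount 50 leaves ordinary page loads (a few dozen assets per second) untouched. When tuning, replay a slice of real access-log timings through a model like this before tightening DOSPageCount, since that directive is the one most likely to lock out legitimate visitors.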