How do you mitigate Apache DDoS on one domain index page?

postcd

Hello,

Many IPs are visiting one hosted domain's index page (/).
So it is a DDoS to bring down Apache, I think.

It seems to be too many subnets from all around the world, from random ports. Without ipset I may block something. But what do you do when you have this kind of attack?

When I suspended the account, load went from 190.00 to 2.40, which is 1.00 above average. There were still around 5000 connections on port 80.

So what steps should I take to unsuspend the target cPanel account and be able to handle the attack?
suspend: /scripts/suspendacct cpanelusername
unsuspend: /scripts/unsuspendacct cpanelusername

To get possible bad IPs, I did:
cat /usr/local/apache/domlogs/TARGETCPUSER/TARGETDOMAIN.TLD | awk '{print $1}' | sort -nk1 | uniq -c | sort -nk1 > /home/MYCPANEL/www/ips.txt
(the first row is the number of occurrences in the access log, the second is the IP)

PS: Is there any command or tool that I can use to gather undeniable proof of the DDoS needed for IP owners to suspend services on those IPs?
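
Added example, not part of the original post: a narrower version of the per-IP count above that keeps only requests for the index page and records first and last timestamps per IP, plus a /24 roll-up, which is the kind of summary an abuse report needs. It assumes Apache combined log format; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in Apache combined log format (documentation-range IPs, not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.10 - - [12/Mar/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2019:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2019:10:00:02 +0000] "GET /?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2019:10:00:03 +0000] "GET /contact.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2019:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2019:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# index_hits_by_ip: reads a combined-format log on stdin and prints
# "count ip first_seen last_seen" for requests to "/" (with or without a
# query string), busiest client first.
index_hits_by_ip() {
  awk '$7 ~ /^\/(\?.*)?$/ {
         # $4 is "[date:time" and $5 is "zone]"; strip the brackets
         ts = substr($4, 2) " " substr($5, 1, length($5) - 1)
         n[$1]++
         if (!($1 in first)) first[$1] = ts
         last[$1] = ts
       }
       END { for (ip in n) print n[ip], ip, first[ip], last[ip] }' |
  sort -k1,1nr -k2,2
}

# index_hits_by_subnet: same filter, grouped by IPv4 /24, to show whether
# the traffic clusters in a few networks or is spread across many.
index_hits_by_subnet() {
  awk '$7 ~ /^\/(\?.*)?$/ && split($1, o, ".") == 4 {
         n[o[1] "." o[2] "." o[3] ".0/24"]++
       }
       END { for (s in n) print n[s], s }' |
  sort -k1,1nr -k2,2
}

# Run against the constructed sample; on a server, feed the domlog instead:
#   index_hits_by_ip < /usr/local/apache/domlogs/TARGETCPUSER/TARGETDOMAIN.TLD
sample_log | index_hits_by_ip
sample_log | index_hits_by_subnet
```

Timestamps in the output are copied from the log as written, so the time zone offset stays attached to each one.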
cPanelMichael
