Mod_Evasive

Mod_evasive is an old outdated apache module
it does not any real protection against dos attacks

 

trying to use fcgi and getting use to it is much better
as it cache every compiled php into memory with a period and serve every thing from the memory will more usefull
try compiling apache with fcgi Ea-accelerator mem-cache mpm_worker

and change apache handler after the compilation to the fcgi

that would do much better in case of bot net or usual dos attacks
in the case of a dos flood it wouldn't be any thing you could do with the server level nore you could do on the firewall just need additional port to handle

Thanks

 

It would be extremely difficult to trip mod_evasive via page refreshes unless you set the limits
on your mod_evasive configuration ridiculously low.

You did remember to actually configure mod_evasive, right?

mod_evasive is more for higher massive automated requests and is old but still has some practical use but is of no value whatsoever if you fail to configure the module.

A better rate throttle control for Apache however would be the newer mod_qos module which does a lot more.

If you want to look into a bit lower level control, it is possible to rate limit control access at the TCP/IP level using iptables though this gets into a little bit more advanced firewall rules and configurations.

CSF/LFD also has a great many features built in for controlling excessive or abusive traffic. However, just like mod_evasive these features are not working by default and you need to actually configure them in /etc/csf/csf.conf.

 

mod_qos + CSF can work together based on the rate of DDOS attack. I know a DDOS victim on which I had configure mod_qos and configured CSF to work with it. But it cannot generate any firewall rules due to the apache logs ( for qos ) was generated faster than CSF could read...so CSF couldn't help me during that situation.

 

DDoS attack? Yes, those generally suck for lack of a better word!

Packet analysis should help you identify the unique characteristics of the attack and once you have that, you can just simply drop those packets regardless of IP originating source. I've killed more than a few DDoS attacks that way and the cool thing is there is no option for adding on new attack servers or changing IPs for the attacker.

The added SPI layer does slow the server a bit but no where near as much as letting the DDoS attack through.