Securing Web Servers from DoS attacks entirely is not possible. However, we can limit the Dos and DDos attacks on Apache.
A distributed denial of service (DDoS) attack is when an attacker, or attackers, attempt to make it impossible for a service to be delivered.
This can be achieved by thwarting access to virtually anything: servers, devices, services, networks, applications, and even specific transactions within applications.
In a DoS attack, it's one system that is sending the malicious data or requests; a DDoS attack comes from multiple systems.
Generally, these attacks work by drowning a system with requests for data. This could be sending a web server so many requests to serve a page that it crashes under the demand, or it could be a database being hit with a high volume of queries.
The result is available internet bandwidth, CPU and RAM capacity becomes overwhelmed.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Apache queries.
In this context, we shall look into methods to secure Web Servers from DoS attacks.
There are three primary classes of DDoS attacks:
1. Volume-based attacks use massive amounts of bogus traffic to overwhelm a resource such as a website or server. They include ICMP, UDP and spoofed-packet flood attacks. The size of a volume-based attack is measured in bits per second (bps).
2. Protocol or network-layer DDoS attacks send large numbers of packets to targeted network infrastructures and infrastructure management tools. These protocol attacks include SYN floods and Smurf DDoS, among others, and their size is measured in packets per second (PPS).
3. Application-layer attacks are conducted by flooding applications with maliciously crafted requests. The size of application-layer attacks is measured in requests per second (RPS).
For each type of attack, the goal is always the same: Make online resources sluggish or completely unresponsive.
A DoS attack is an attempt to block a machine or network resource from accessing it by end-users.
In short, a temporary or indefinite interruption of the services of a host connected to the internet by attacking the network.
Now, lets take a look at methods we employed to prevent such attacks.
1. Update the Apache Version
First things first, we must ensure that we update the Apache to its latest version.
It is necessary to prevent attacks from known exploits only because of being outdated.
2. Optimize the Apache
Then we need to optimize default Apache configurations.
i. Lower The Apache Timeout :
The "Timeout" directive value must be lower than the default value "300" on the whole server or on the websites subjected to the Dos attack.
Since TimeOut is used for different operations, setting it to a low value can introduce problems with long running CGI scripts. So we should be careful about setting the Timeout value.
ii. Lower The Apache KeepAliveTime :
This directive is also set to be low on the sites that are subject to dos attack or on the whole server.
Some sites will go ahead and turn off the keepalives completely via KeepAlive. This results in other drawbacks on performance.
iii. Limit the Apache MaxClients:
If our server runs with low RAM and if the attackers consume most of the RAM, we can limit the number of Maxclients to a low value than the predefined value of 256.
iv. Limit RequestReadTimeout :
This directive allows us to limit the time a client may take to send the request.
3. Install a Firewall
We can install a firewall to limit the connections from an IP. By doing so, if a connection exceeds the predefined value, the firewall will automatically block that IP permanently or temporarily for a period of time.
The most common firewalls in Linux servers are CSF & LFD. We can enable the CT_Limit and set its value to the desired number to avoid DoS attacks.
4. Install Third-party modules
There are a number of third-party modules which can restrict DoS attacks.
i. mod_dosevasive :
A module for Apache to perform evasive action in the event of an HTTP DDoS attack or brute force attack.
It is a web application firewall (WAF). It acts as a filter and analyzes HTTP requests before the webserver handles them.
In addition, it provides protection from a range of attacks and allows for HTTP traffic monitoring and real-time analysis.