Monday, September 14, 2009

Mod_dosevasive for Apache2 on Windows

SkyHi @ Monday, September 14, 2009
Denial of service attacks are a pain. There’s a module you can use with Apache 2 called mod_dosevasive (or mod_evasive), written by Jonathan A. Zdziarski over at Nuclear Elephant. The module helps stop DoS attacks. It lets you configure parameters that should not be surpassed. Let’s take a semi-detailed look at that module before you download a copy and dive into using it.

In the suggested default configuration it’ll block any IP that makes more than 2 requests for the same page in 1 second or less, plus any IP that makes more than 50 requests to the site in 1 second or less. When that happens that IP becomes blocked for 10 seconds.

While it’s written for Linux systems, there is a Windows port available (based on version 1.8) put together by a guy named Steffen in the Netherlands. You can download a copy of mod_dosevasive for Windows from this Web site. Source code is included, and the configuration options are listed below. Be aware that, based on a cursory examination of the source code, it seems that Steffen disabled the email notification functionality, so that might not work. But the other features should, in theory.

Drop the DLL file into your Apache 2 modules directory and configure Apache to load it:

LoadModule dosevasive_module c:\apache2\modules\mod_dosevasive.dll

Be sure to insert the configuration directives in your Apache 2 configuration file too. A directive block might look something like this:

DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600

You can also include a few other directives:

DOSSystemCommand "do-this.bat %1"
DOSLogDir "c:\temp\lock\mod_dosevasive"

Just remember that the email notification feature appears to be disabled in this Windows-based version of the module. That said, here’s what those parameters do, and here’s a link to Zdziarski’s mod_evasive site where you can download the current version for Linux (version 1.10.1 at the time of this posting), which contains a more extensive README file that you should probably take a look at.


DOSHashTableSize

The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server. The value you specify will automatically be tiered up to the next prime number in the primes list (see mod_evasive.c for a list of primes used).


DOSPageCount

This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.


DOSSiteCount

This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.


DOSPageInterval

The interval for the page count threshold; defaults to 1 second intervals.


DOSSiteInterval

The interval for the site count threshold; defaults to 1 second intervals.


DOSBlockingPeriod

The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.

Whitelisting IP Addresses

IP addresses of trusted clients can be whitelisted to ensure they are never denied. The purpose of whitelisting is to protect software, scripts, local searchbots, or other automated tools from being denied for requesting large amounts of data from the server. Whitelisting should *not* be used to add customer lists or anything of the sort, as this will open the server to abuse. This module is very difficult to trigger without performing some type of malicious attack, and for that reason it is more appropriate to allow the module to decide on its own whether or not an individual customer should be blocked.

To whitelist an address (or range) add an entry to the Apache configuration in the following fashion:

DOSWhitelist 127.0.0.*

Wildcards can be used on up to the last 3 octets if necessary. Multiple DOSWhitelist commands may be used in the configuration.
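
To see how the page/site thresholds, the blocking-period reset and the whitelist interact, here is a small simulation added to this post; it is not code from mod_dosevasive or its Windows port. It assumes fixed counting windows, and the names EvasiveModel and replay, the sample IP and the 10-second blocking period are made up for the demonstration.

```python
class EvasiveModel:
    """Simplified model of the counters described in this post (assumed logic)."""

    def __init__(self, page_count=5, site_count=100, page_interval=2,
                 site_interval=2, blocking_period=600, whitelist=()):
        self.page = (page_count, page_interval)
        self.site = (site_count, site_interval)
        self.blocking_period = blocking_period
        self.whitelist = [w.split(".") for w in whitelist]
        self.hits = {}     # (ip, uri) or (ip, None) -> (window_start, count)
        self.blocked = {}  # ip -> time of the most recent denied request

    def _whitelisted(self, ip):
        # DOSWhitelist-style match: '*' stands for any value in that octet
        octets = ip.split(".")
        return any(all(p in ("*", o) for p, o in zip(pat, octets))
                   for pat in self.whitelist)

    def _exceeded(self, key, now, limit, interval):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:      # interval over: start a new window
            start, count = now, 0
        self.hits[key] = (start, count + 1)
        return count + 1 > limit

    def request(self, ip, uri, now):
        """Return the HTTP status the model gives this request."""
        if self._whitelisted(ip):
            return 200
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now       # every denied request resets the timer
            return 403
        self.blocked.pop(ip, None)
        over_page = self._exceeded((ip, uri), now, *self.page)
        over_site = self._exceeded((ip, None), now, *self.site)
        if over_page or over_site:
            self.blocked[ip] = now
            return 403
        return 200


def replay(model, events):
    return [model.request(ip, uri, t) for ip, uri, t in events]


# Constructed traffic: (client IP, URI, time in seconds)
model = EvasiveModel(blocking_period=10, whitelist=["127.0.0.*"])
print(replay(model, [("198.51.100.7", "/index.html", 0)] * 6))
print(replay(model, [("198.51.100.7", "/index.html", t) for t in (9, 18, 28)]))
```

The second replay shows why a short blocking period is enough: the client that keeps retrying at 9 and 18 seconds stays blocked, and is only let back in once a full 10 seconds pass without a request.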