DDOS attack

I just spent the last 6 hours countering a DDOS attack and to help you avoid my long search for a generic solution, I'll share it for reference purposes.

I am not providing details of the attacker here, since they might change tactics. In principle it was easy to counter the attacker: find the USER_AGENT and block them in .htaccess with a rule similar to:

RewriteEngine On
# Return 403 (F) for any request whose User-Agent contains "badguy", case-insensitive (NC)
RewriteCond %{HTTP_USER_AGENT} badguy [NC]
RewriteRule ^ - [F,L]

So, if you are under attack, check your access log and apply whatever string you find in the USER_AGENT that is effective and put that in the .htaccess and it will give you some peace of mind and time to apply a better solution. You should immediately see the CPU getting free again, or the rule did not work and you need to find a better string.
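To make the "check your access log" step less of a manual search, here is an added example (not part of the original post, and not Elgg or Apache code) that parses Apache combined-format log lines, ranks User-Agents by request volume and by how many distinct client IPs share them, and renders the .htaccess rule above for the literal agent string. The log lines are constructed samples with a hypothetical "BadBot/1.0" agent; the thresholds in distributed_suspects are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Apache "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: the hypothetical "BadBot/1.0" agent hits from several hosts,
# normal browser traffic comes from two hosts, and one malformed line must be skipped.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2013:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "BadBot/1.0"
203.0.113.11 - - [10/Oct/2013:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "BadBot/1.0"
203.0.113.12 - - [10/Oct/2013:13:55:37 +0000] "GET /search?q=a HTTP/1.1" 200 5120 "-" "BadBot/1.0"
203.0.113.13 - - [10/Oct/2013:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "BadBot/1.0"
203.0.113.10 - - [10/Oct/2013:13:55:38 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "BadBot/1.0"
198.51.100.5 - - [10/Oct/2013:13:55:38 +0000] "GET / HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
198.51.100.5 - - [10/Oct/2013:13:55:39 +0000] "GET /style.css HTTP/1.1" 200 900 "http://example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
198.51.100.6 - - [10/Oct/2013:13:55:40 +0000] "GET / HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
this line is not in combined log format
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def user_agent_stats(lines):
    """Map each User-Agent to (request count, number of distinct client IPs)."""
    requests = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        requests[rec["ua"]] += 1
        ips[rec["ua"]].add(rec["ip"])
    return {ua: (requests[ua], len(ips[ua])) for ua in requests}


def top_user_agents(lines, n=5):
    """User-Agents sorted by request volume, as (ua, requests, distinct_ips) tuples."""
    stats = user_agent_stats(lines)
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [(ua, req, hosts) for ua, (req, hosts) in ranked[:n]]


def distributed_suspects(lines, min_requests=4, min_ips=3):
    """User-Agents whose traffic is both heavy and spread over several source IPs.

    One chatty client has one IP; a botnet shares a User-Agent across many hosts,
    which is why per-IP rate limits stay ineffective while a UA match still works.
    Thresholds are assumptions; tune them against your own baseline traffic.
    """
    return [ua for ua, req, hosts in top_user_agents(lines, n=None)
            if req >= min_requests and hosts >= min_ips]


def htaccess_block_rule(ua_fragment):
    """Render the .htaccess rule from the post for a literal User-Agent fragment."""
    pattern = re.escape(ua_fragment)  # literal match; mod_rewrite patterns are PCRE
    return (
        "RewriteEngine On\n"
        f"RewriteCond %{{HTTP_USER_AGENT}} {pattern} [NC]\n"
        "RewriteRule ^ - [F,L]\n"
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ua, req, hosts in top_user_agents(lines):
        print(f"{req:5d} requests from {hosts:3d} IPs  {ua}")
    for ua in distributed_suspects(lines):
        print("\nSuggested .htaccess rule for:", ua)
        print(htaccess_block_rule(ua))
```

Run it against a real file with `top_user_agents(open("/var/log/httpd/access_log"))`; the "distinct IPs" column is the useful signal, because a legitimate heavy user shows many requests from one address while the distributed traffic described in the post shows the same agent string from many.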

But that is not a structural solution, so my search went on. There are many lists with bad user agents, so I tried that, but although more effective than my first reaction, it was still not satisfactory.

I also tried connection rate limiting with iptables, but that doesn't seem to help against a DDOS attack, since my attacker was smart enough not to overload the requests per station and stayed within the number of requests a normal user would do, so I had to limit normal usage to make such a rule effective. That made such a rule basically impractical.

PSAD wasn't helping either, since it had the same problem as iptables: to make psad effective I had to make the limits so tight that a regular (heavy) user would suffer as well. Dead end street again.

At last I found this beautiful script on github https://github.com/SpiderLabs/owasp-modsecurity-crs

You need to enable mod_security on apache first to be of any help. I already did that so the rest was fairly easy.

Include this in your apache conf, usually "/etc/httpd/conf/httpd.conf"

Include modsecurity.d/modsecurity_crs_35_bad_robots.conf
Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf
Include modsecurity.d/modsecurity_crs_41_sql_injection_attacks.conf
Include modsecurity.d/modsecurity_crs_41_xss_attacks.conf
Include modsecurity.d/modsecurity_crs_42_tight_security.conf
Include modsecurity.d/modsecurity_crs_45_trojans.conf
Include modsecurity.d/modsecurity_crs_47_common_exceptions.conf
Include modsecurity.d/modsecurity_crs_49_inbound_blocking.conf

And you should be fine.

It will not only protect your website against DDOS attacks, but also against a lot of other malicious attacks. Elgg is also doing some stuff in the core and with htmlawed, but this script goes further. So I recommend using it.

And for the really smart guys, I know that to block a very vicious attack you need to go upstream, since they will flood the available bandwidth before your rules kick in. For a generic and legitimate solution for that, you need cooperation from your ISP (at the least) to be able to counter such an attack. This is a solution for the less complicated DDOS attacks.

If your ISP is not willing to help, my best suggestion is to fight fire with fire. Overload the attacking machines with more than 64.000 half-open connections and the attacking system's IP stack will crash. Not a legit counter measure, but it will break down the botnet one by one.