> I occasionally help admin a popular Irish web forum which is
> increasingly coming under DDoS attack. I don't have much time to look at
> this but it appears to be a SYN flood to the http port. It's a
> dedicated web-server running apache 2 and Linux kernel 2.6.
If it's really a SYN flood, rather than a full TCP connect flood, check
that you have /proc/sys/net/ipv4/tcp_syncookies set to 1.

> 1) Are there some quick configuration changes on the webserver that
> will reduce the impact of the attack?
If it's really a tcp connect attack, you can decrease the TimeOut
variable to something smaller than the default 300. 30 might be enough.
> The hosting company did add some iptables rules to blackhole the
> initial source but it's now moved to (what I assume is) a botnet.
> Are mod_evasive or mod_qos good options? Is there something in
> iptables or the kernel that can help adapt dynamically?
> 2) Are there alternatives to apache that would handle this better? All
> they need to serve are static files and PHP.
lighttpd and nginx come to mind.
> 3) Are there any Irish hosting companies that do DDOS protection at
> the network level, e.g. ingress rate limiting, etc. ?
> 4) Are there legal or criminal routes to pursue if you can identify
> the initial attack source?

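The two quick checks suggested above (SYN cookies on, Apache Timeout lowered), as an added shell example that is not part of the reply. It assumes a Linux host with the usual /proc sysctl layout and an Apache 2 config that uses the Timeout directive; the config paths in audit_live and the value 30 are assumptions, and the functions take file paths as parameters so they can be run against copies before touching the live server.

```shell
#!/bin/sh
# Added example, not from the thread: audit and adjust the two knobs
# discussed above. Assumes Linux /proc and an Apache 2 httpd.conf.

# Return 0 if the sysctl file at $1 holds "1" (SYN cookies enabled),
# 1 if it holds anything else, 2 if the file is missing/unreadable.
syncookies_enabled() {
    [ -r "$1" ] || return 2
    [ "$(cat "$1")" = "1" ]
}

# Print the effective Timeout (seconds) from the Apache config at $1.
# Apache's built-in default is 300 when the directive is absent, so
# that is what we report when no Timeout line is found.
apache_timeout() {
    t=$(grep -i '^[[:space:]]*Timeout[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
    echo "${t:-300}"
}

# Rewrite (or append) the Timeout directive in $1 to $2 seconds.
# Directive names are case-insensitive in Apache, so match on tolower().
set_apache_timeout() {
    tmp="$1.tmp.$$"
    awk -v t="$2" '
        tolower($1) == "timeout" { print "Timeout " t; seen = 1; next }
        { print }
        END { if (!seen) print "Timeout " t }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Live audit of this host. Config paths are assumptions for Debian-
# and Red Hat-style layouts; adjust to where your httpd.conf lives.
audit_live() {
    if syncookies_enabled /proc/sys/net/ipv4/tcp_syncookies; then
        echo "tcp_syncookies: on"
    else
        echo "tcp_syncookies: OFF  (fix: sysctl -w net.ipv4.tcp_syncookies=1)"
    fi
    for f in /etc/apache2/apache2.conf /etc/httpd/conf/httpd.conf; do
        if [ -r "$f" ]; then
            echo "$f: Timeout $(apache_timeout "$f")"
        fi
    done
}

# Only run the live audit when asked, so the functions can be sourced
# and exercised against test copies without touching the real files.
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it as `sh audit.sh --live` to report the current state; to actually lower the timeout, copy the config, run `set_apache_timeout copy.conf 30`, diff it against the original, then install it and reload Apache. Remember that a sysctl -w change does not survive a reboot; persist it in /etc/sysctl.conf as well.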