All network servers can be subject to denial of service attacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely, but you can do certain things to mitigate the problems that they create.
Often the most effective anti-DoS tool will be a firewall or other operating-system configuration. For example, most firewalls can be configured to restrict the number of simultaneous connections from any individual IP address or network, which prevents a range of simple attacks. Of course, such per-address limits are no help against Distributed Denial of Service attacks (DDoS), where the load is spread across many source addresses.
There are also certain Apache HTTP Server configuration settings that can help mitigate problems:
The TimeOut directive should be lowered on sites that are subject to DoS attacks. Setting it to as low as a few seconds may be appropriate. Because TimeOut is currently used for several different operations (including the wait for output from a CGI script), setting it to a low value introduces problems with long-running CGI scripts.

The KeepAliveTimeout directive may also be lowered on sites that are subject to DoS attacks. Some sites even turn off keepalives completely via KeepAlive Off, which of course has other drawbacks for performance.

LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, LimitRequestLine, and LimitXMLRequestBody should be carefully configured to limit the resource consumption that a single request can trigger through client input.

Use the AcceptFilter directive to offload part of the request processing (holding a new connection until request data actually arrives) to the operating system. This is active by default in Apache httpd, but may require reconfiguration of your kernel.

Tune the MaxClients directive so that the server can handle the maximum number of simultaneous connections without running out of resources. See also the performance tuning documentation.

The event MPM uses asynchronous processing to avoid devoting a thread to each connection. At the time of writing this is work in progress and not fully implemented; in particular, the event MPM is currently incompatible with mod_ssl and other input filters.
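The following httpd.conf fragment puts the settings listed above together. It is an added example, not text from the Apache documentation or a shipped default configuration; the numeric values are assumptions chosen for a small, mostly static site with a prefork MPM, and the paths are hypothetical.

```apache
# Added example, not part of the Apache documentation. All values below
# are assumptions for a small static site; tune them per deployment.

# Seconds httpd waits for a client to send its request, between packets of
# a request body, and for a CGI script to produce output. A few seconds
# frustrates slow clients, but TimeOut covers all of those operations, so a
# CGI script that stays silent longer than this will be killed. Scripts that
# flush output regularly stay within the limit.
TimeOut 10

# Keep persistent connections, but drop idle ones quickly so a client cannot
# hold a worker by opening a connection and going quiet.
KeepAlive On
KeepAliveTimeout 2

# Caps on what a single request may make the server read and buffer.
# Request line (method, URI, protocol), in bytes.
LimitRequestLine 4094
# Any single header field, in bytes.
LimitRequestFieldSize 4094
# Number of header fields per request.
LimitRequestFields 50
# Request body, in bytes (0 would mean unlimited).
LimitRequestBody 1048576
# XML request body, in bytes (used by mod_dav among others).
LimitXMLRequestBody 102400

# LimitRequestBody may be set per directory, so raise it only where uploads
# are expected and leave the small global value in force everywhere else.
# (Hypothetical path.)
<Directory "/var/www/upload">
    LimitRequestBody 20971520
</Directory>

# Let the kernel hold a new connection until request data arrives, so no
# worker is assigned to a client that connects and sends nothing.
# "data" is the Linux filter; FreeBSD uses "httpready" and "dataready".
AcceptFilter http data
AcceptFilter https data

# Size the worker pool to the memory actually available: more workers than
# RAM can back turns a connection flood into swapping. ServerLimit must be
# at least MaxClients and is read only at startup.
<IfModule mpm_prefork_module>
    ServerLimit 256
    MaxClients 256
</IfModule>
```

Comments in httpd configuration must start at the beginning of a line; a `#` after a directive on the same line is parsed as an argument and rejected, which is why every comment above sits on its own line. In httpd 2.4 the directive is named MaxRequestWorkers, and MaxClients is still accepted as an alias. Check the result with `apachectl configtest` before reloading, and verify the AcceptFilter lines against the filters your kernel actually provides (`accf_http` and `accf_data` on FreeBSD; TCP_DEFER_ACCEPT on Linux).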