DDOS by several IPs with one connection [duplicate]

As Niall mentioned, mod_evasive works really well in this situation and I recently used it to stop a very similar problem I was having on one of my sites. It helps in the situation where you aren't receiving a ton of connections on a single IP but you do see unnatural patterns occurring on the server.

In my case, which I also blogged about here, I installed mod_evasive and configured it with the following settings:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 3
DOSSiteCount 100
DOSPageInterval 3
DOSSiteInterval 5
DOSBlockingPeriod 300
DOSLogDir "/var/log/httpd/modevasive/"
DOSEmailNotify [email protected]
</IfModule>

Basically, if a single IP requests the same resource (file) 3 times within 5 seconds; or 100 hits on any file within 5 seconds; Apache will then deny further requests to that file.

If you want to enhance this script; you can have system commands triggered when your parameters are hit. In my case, I added this command to the configuration above:

DOSSystemCommand "/usr/bin/sudo /usr/sbin/csf -td %s 3600"

This makes my firewall CSF block the IP for an hour. You could just as easily write an iptables script to do the same thing, but CSF makes it easy for me.

Anyway hope that helps you nail your DDOS attackers!

You can use iptables to limit the number of connections per IP to the service in order to mitigate the DDoS until your iptables script catches them

iptables -A INPUT -p tcp -m limit --limit 3/s --dport DESTINATIONPORT --limit-burst 10 -m state --state NEW -j ACCEPT

This will limit new connections to 3 per second per with a maximum burst of 10 connections.

Be sure to fine tweak this to your needs, 3 connections per second is quite low depending on the traffic your server is running

Presuming that you're running Apache, mod_evasive might be useful.