Is there something that I can use to set rules for Apache to throttle temporarily or ignore any IP address that makes X number of requests per second?
It would be great if there is an Apache module for this. I had a look at mod_bandwidth and mod_limitipconn but it seems they base things on bandwidth which is very hard for me to determine bandwidth in terms of number of requests per IP.
I would be happy to use something external to Apache that will work on a standard Linux server (Fedora or CentOS).
iptables has rate- and connection-limiting modules available:
Note that this won't actually limit the number of HTTP requests; it'll limit the number of TCP connections, which might not correspond to the number of HTTP requests if the browser is using keepalive. Also note that most browsers will make a large number of parallel connections; you might want to use the --limit-burst option to make sure users don't get blocked by this behaviour.
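One way to write per-IP rules of the kind this answer describes, as an added example that is not part of the original answer: it uses the iptables `connlimit` and `hashlimit` matches on new connections (`--syn`), so it counts TCP connections rather than HTTP requests, as the answer notes. The port, thresholds, function names and the `http_new` table name are assumptions, and `--hashlimit-above` requires an iptables build whose hashlimit match supports it.

```shell
#!/bin/sh
# Added example: thresholds, port and names below are assumptions, not values from the answer.

# Print iptables rule specs that limit TCP connections per source IP.
#   $1 = port, $2 = new connections per second allowed per IP,
#   $3 = burst (initial allowance), $4 = max simultaneous connections per IP
http_limit_rules() {
    [ "$#" -eq 4 ] || { echo "usage: http_limit_rules PORT RATE BURST MAXCONN" >&2; return 1; }
    for n in "$@"; do
        case "$n" in
            ''|*[!0-9]*) echo "not a number: $n" >&2; return 1 ;;
        esac
    done
    port=$1 rate=$2 burst=$3 maxconn=$4
    # connlimit: refuse a new connection when the source already holds more than $maxconn.
    printf '%s\n' "-A INPUT -p tcp --dport $port --syn -m connlimit --connlimit-above $maxconn -j REJECT --reject-with tcp-reset"
    # hashlimit: one bucket per source IP; the burst absorbs a browser's parallel
    # connections, after which SYNs arriving faster than $rate/second are dropped.
    printf '%s\n' "-A INPUT -p tcp --dport $port --syn -m hashlimit --hashlimit-name http_new --hashlimit-mode srcip --hashlimit-above $rate/second --hashlimit-burst $burst -j DROP"
}

# Print the commands (default) or run them as root when DRY_RUN=0.
apply_http_limits() {
    rules=$(http_limit_rules "$@") || return 1
    printf '%s\n' "$rules" | while read -r rule; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf '%s\n' "iptables $rule"
        else
            # Intentionally unquoted so the rule splits into separate arguments.
            iptables $rule
        fi
    done
}

apply_http_limits 80 10 30 40
```

Review the printed commands first, then rerun with `DRY_RUN=0` as root to install them.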