mod_evasive is ineffective; don't put too much hope in it, as real DDoS attacks cannot be stopped. The same thing is valid for Nginx or other similar DDoS software. No matter what you do or have in place, it is very hard to stop a good DDoS attack unless you have proper hardware infrastructure, which costs a lot of money. I remember that CloudFlare learned a lot from the DDoS attacks performed on their infrastructure by hackers; they blogged about it and told everyone how exhausting it was on resources. Therefore, don't even bother with those software gimmicks telling you they can stop an attack, because they cannot.
Well, I want to at least make things harder for them. Most attacks that I get are from zombie botnet attacks, and they should be simple to block. I need modules which detect these attacks, so that once a certain number of concurrent connections are made from a single IP, it automatically gets blacklisted and blocked by a firewall, therefore blocking access to the attacker.
I know about Slowloris and SYN attackers; I have those covered. But I need something such as mod_evasive to help detect IPs that request too many connections and block them instead. Yes, there will be false positives, but if it runs on a timer then that is OK.
I know for a fact a normal user cannot hit 50 concurrent connections within 5 seconds, but a botnet attack or regular DoS attack could. From what I studied in the access logs, I had multiple IPs with 50 or more connections to my site, and I found this out by comparing them with the regular usage of my site. I saw the IP and the infected URL of the site that was attacking me.
EG:
79.170.40.38 - - [09/Mar/2014:23:03:29 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.7.1; http://www.humanperformanceclinic.com"
91.196.124.227 - - [09/Mar/2014:23:03:29 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.8.1; http://runabout.eu"
79.170.40.38 - - [09/Mar/2014:23:03:29 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.7.1; http://www.humanperformanceclinic.com"
91.208.99.2 - - [09/Mar/2014:23:03:33 +1100] "GET / HTTP/1.1" 200 33060 "-" "WordPress/3.5; http://catsthatblog.com"
91.189.43.102 - - [09/Mar/2014:23:03:30 +1100] "GET / HTTP/1.1" 200 33060 "-" "WordPress/3.2.1; http://nielsbosma.se"
91.196.124.227 - - [09/Mar/2014:23:03:29 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.8.1; http://runabout.eu"
91.189.43.102 - - [09/Mar/2014:23:03:33 +1100] "GET / HTTP/1.1" 200 33060 "-" "WordPress/3.2.1; http://nielsbosma.se"
37.230.110.57 - - [09/Mar/2014:23:03:30 +1100] "GET / HTTP/1.1" 200 33060 "-" "WordPress/3.8.1; http://www.hakkiceylan.com"
79.170.40.38 - - [09/Mar/2014:23:03:31 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.7.1; http://www.humanperformanceclinic.com"
213.162.241.2 - - [09/Mar/2014:23:03:29 +1100] "GET / HTTP/1.1" 200 33060 "-" "WordPress/3.4.2; http://crayoncrisis.com"
91.208.99.2 - - [09/Mar/2014:23:03:29 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.5; http://catsthatblog.com"
41.203.18.62 - - [09/Mar/2014:23:03:35 +1100] "GET / HTTP/1.1" 500 547 "-" "WordPress/3.2.1; http://www.efrogthemes.com"
79.170.40.38 - - [09/Mar/2014:23:03:30 +1100] "GET / HTTP/1.1" 500 33060 "-" "WordPress/3.7.1; http://www.humanperformanceclinic.com"
These are infected URLs. I did a netstat scan, and some of them had 50 or more connections from one IP.
So my best guess is: why not install a filter that will auto-detect this and block such connections if the limit is reached? But I need a timer for it to time out, so normal members do not get banned for no reason.
I had to manually block all the IPs I saw in the access log, and then my site started to load just fine. So my software firewall works just fine.
Yes, true, hardware is needed for much stronger attacks, but I want to at least block the most common, simple, basic ones.
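
Added example, not part of either post and not mod_evasive's own logic: a sliding-window check over access-log lines that flags an IP at 50 requests within 5 seconds (the figures from the post) and lets the ban lapse on a timer. It counts logged requests as a stand-in for concurrent connections; the function names, the 600-second ban duration and the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: client IP first, timestamp in square brackets.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        return m.group(1), datetime.strptime(m.group(2), TS_FMT)
    except ValueError:
        return None

def find_bans(lines, limit=50, window_s=5, ban_s=600):
    """Return [(ip, banned_at, expires_at)] for IPs reaching `limit`
    requests within `window_s` seconds. ban_s is an assumed value."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps inside the window
    banned_until = {}             # ip -> time the ban lapses
    bans = []
    # Access logs are written when a request completes, so entries can be
    # out of order (as in the excerpt above); sort by timestamp first.
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[1])
    for ip, ts in events:
        if ts < banned_until.get(ip, ts):
            continue              # ban still active, nothing new to decide
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop requests older than the window
        if len(q) >= limit:
            banned_until[ip] = ts + timedelta(seconds=ban_s)
            bans.append((ip, ts, banned_until[ip]))
            q.clear()             # start counting afresh after the ban
    return bans

def sample_log():
    """Constructed sample: one noisy client and one normal visitor."""
    fmt = '{} - - [09/Mar/2014:23:03:{:02d} +1100] "GET / HTTP/1.1" 200 33060 "-" "-"'
    noisy = [fmt.format("192.0.2.10", 29 + i % 3) for i in range(60)]
    normal = [fmt.format("198.51.100.7", s) for s in (29, 33, 41)]
    return noisy + normal
```

`find_bans(sample_log())` returns a single ban for 192.0.2.10 and nothing for 198.51.100.7; turning each returned tuple into a firewall rule and removing it at `expires_at` is left to whatever firewall is in use.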