While the web has lost much of its Wild West flavor over the last few years, there’s still a large underbelly filled with individuals who will happily attack the more productive members of the online ecosystem. Whatever the motivations of these attackers, all website owners need to be aware of the potential risks and strategies for remediation.
Apache is the world’s most popular web server, and so is under constant threat of hacks and denial of service attacks. The first of these problems can be handled by staying abreast of the latest security news, keeping an eye on a server’s logs, and ensuring that patches and updates are applied in a timely fashion. The second issue, denial of service attacks, is a more difficult problem. From the perspective of a web server, a denial of service attack is hard to distinguish from an ordinary traffic spike. Both will cause Apache to spawn more processes and use more resources than a server has to spare, resulting in a slow or unavailable site.
Fortunately, there are a number of Apache modules that can be integrated with the web server to provide some measure of protection against DDoS attacks and other attacks that seek to exploit weaknesses in Apache.
You can think of mod_security as a firewall for Apache. Just like any other firewall, it monitors incoming connections to a server and the requests carried by those connections. If it notices patterns that match an attempt to exploit known vulnerabilities (an SQL injection attack, for example), mod_security can block the connection.
Mod_evasive calls itself an “evasive maneuvers” module. What that means in practice is that it monitors the IPs making requests of a server and the URIs they are requesting, and blocks connections that appear to be doing something shady. For example, mod_evasive can be configured to block IPs that request the same resource more than a few times a second or that make an excessive number of requests overall. Mod_evasive is designed to block suspicious connections indicative of a DDoS attack without blocking genuine connections.
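The per-IP, per-URI counting described above can be sketched as a small filter replayed over constructed requests. This is an added illustration, not mod_evasive's own code; the thresholds, the `EvasiveFilter` class and the function names are assumptions chosen for the example.

```python
# Illustrative sketch only; thresholds and names are assumptions, not mod_evasive defaults.
PAGE_LIMIT, PAGE_WINDOW = 3, 1.0    # hits on one URI per IP per window (seconds)
SITE_LIMIT, SITE_WINDOW = 20, 1.0   # hits on any URI per IP per window (seconds)
BLOCK_SECONDS = 10.0                # how long an offending IP is rejected


class EvasiveFilter:
    def __init__(self):
        self.windows = {}        # counter key -> (window_start, hit_count)
        self.blocked_until = {}  # ip -> time at which the block expires

    def _over_limit(self, key, now, window, limit):
        start, count = self.windows.get(key, (now, 0))
        if now - start >= window:        # window expired, start a fresh one
            start, count = now, 0
        self.windows[key] = (start, count + 1)
        return count + 1 > limit

    def allow(self, ip, uri, now):
        """Return True to serve the request, False to reject it."""
        if self.blocked_until.get(ip, 0.0) > now:
            # In this sketch, requests made while blocked restart the block timer.
            self.blocked_until[ip] = now + BLOCK_SECONDS
            return False
        over_page = self._over_limit((ip, uri), now, PAGE_WINDOW, PAGE_LIMIT)
        over_site = self._over_limit((ip, None), now, SITE_WINDOW, SITE_LIMIT)
        if over_page or over_site:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            return False
        return True


def replay(requests):
    """Feed (timestamp, ip, uri) tuples in time order; return rejections per IP."""
    flt, rejected = EvasiveFilter(), {}
    for ts, ip, uri in sorted(requests):
        if not flt.allow(ip, uri, ts):
            rejected[ip] = rejected.get(ip, 0) + 1
    return rejected


def sample_traffic():
    """Constructed sample: one page load, one traffic spike, one repeat requester."""
    assets = ["/", "/style.css", "/app.js", "/logo.png", "/favicon.ico"]
    visitor = [(i * 0.1, "198.51.100.7", uri) for i, uri in enumerate(assets)]
    spike = [(0.5, f"192.0.2.{n}", "/") for n in range(1, 101)]
    repeat = [(i * 0.05, "203.0.113.9", "/search") for i in range(40)]
    return visitor + spike + repeat


if __name__ == "__main__":
    print(replay(sample_traffic()))
```

Because the counters are kept per IP, the hundred one-off visitors in the constructed spike are all served, while the single address repeating `/search` is rejected from its fourth request onward.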
QOS stands for quality of service. Denial of service attacks attempt to degrade the quality of service to the point at which a site becomes unusable. This module has some crossover with mod_evasive, in that both of them attempt to mitigate the effects of DDoS attacks, but mod_qos is also useful for maintaining some quality of service during traffic spikes. Mod_qos manages connections to determine which requests should be honored: it can cap the number of concurrent requests to a URL, limit the bandwidth and the number of requests for a specific URL, and rate limit client requests across all URLs.
Many of the major DDoS mitigation services use some or all of these modules to keep sites safe, but there’s no reason server and site owners shouldn’t take control of their own security and install these effective security modules.