How Does Apache mod_evasive Protect Against DDoS?
Apache mod_evasive is an open-source module designed to
protect web servers from Distributed Denial of Service (DDoS), Denial of
Service (DoS), and brute-force attacks. It accomplishes this by
monitoring incoming requests and temporarily blocking IP addresses that
exceed predefined thresholds for page requests or concurrent
connections. By detecting and mitigating these traffic spikes at the web
server layer, mod_evasive prevents malicious traffic from
depleting server resources, ensuring that legitimate users retain access
to the website.
How mod_evasive Detects Malicious Traffic
The module relies on an internal dynamic hash table to track IP addresses and their request patterns. It evaluates incoming traffic against three main criteria:
- Page Request Thresholds: Requesting the same page too many times per second.
- Site-Wide Request Thresholds: Requesting too many different pages across the entire site per second.
- Concurrent Connections: Initiating too many simultaneous connections from a single source.
If an IP address breaches any of these configured limits,
mod_evasive flags the behavior as a potential attack and
immediately triggers its defensive mechanisms.
The Mitigation Process
Once an IP address is flagged, mod_evasive takes
immediate action to protect the Apache server:
- 403 Forbidden Response: The module intercepts requests from the offending IP and returns a 403 Forbidden error. This consumes significantly less bandwidth and processing power than serving a standard webpage.
- IP Blacklisting: The IP is added to a temporary internal blacklist. The duration of this block is configurable via a blocking period timer.
- Timer Reset on Persistent Attacks: If the attacking IP continues to flood the server while blocked, mod_evasive resets the blocking timer, extending the ban until the malicious traffic subsides.
- System Notifications: The module can be configured to log the event via system logs (syslog) or send an automated email notification to the system administrator, providing details about the source IP and the nature of the attack.
Core Configuration Directives
Administrators can fine-tune mod_evasive through
specific directives in the Apache configuration file to balance security
and user experience:
| Directive | Description |
|---|---|
| DOSPageCount | The maximum number of requests for the same page allowed within the DOSPageInterval. |
| DOSSiteCount | The total number of requests allowed across the entire website within the DOSSiteInterval. |
| DOSPageInterval | The time window (in seconds) used to measure the page request threshold. |
| DOSSiteInterval | The time window (in seconds) used to measure the total site request threshold. |
| DOSBlockingPeriod | The duration (in seconds) for which an offending IP address will be blocked. |
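To make the detection criteria, the blocking and timer-reset behaviour, and the directives in the table concrete, here is a small simulation of mod_evasive's per-IP decision logic. It is an added example written for this page, not the module's own code; the defaults are constructed to match the directive names above, the comparison semantics are an approximation of the real hash-table implementation, and concurrent-connection limits are not modelled.

```python
class EvasiveTracker:
    """Simplified model of mod_evasive's per-IP decision logic: request()
    returns 200 (served) or 403 (blocked). Comparison semantics approximate."""

    def __init__(self, page_count=2, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=10):
        # Directive values from the table above (constructed defaults).
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.page_hits = {}  # (ip, uri) -> (window_start, count)
        self.site_hits = {}  # ip -> (window_start, count)
        self.blocked = {}    # ip -> time at which the block expires

    def _over_limit(self, table, key, now, interval, limit):
        # Fixed-window counter: open a new window once the interval elapses.
        start, count = table.get(key, (now, 0))
        if now - start >= interval:
            start, count = now, 0
        count += 1
        table[key] = (start, count)
        return count > limit

    def request(self, ip, uri, now):
        expiry = self.blocked.get(ip)
        if expiry is not None:
            if now < expiry:
                # Traffic that keeps arriving while blocked resets the timer.
                self.blocked[ip] = now + self.blocking_period
                return 403
            del self.blocked[ip]  # blocking period elapsed quietly
        page_over = self._over_limit(self.page_hits, (ip, uri), now,
                                     self.page_interval, self.page_count)
        site_over = self._over_limit(self.site_hits, ip, now,
                                     self.site_interval, self.site_count)
        if page_over or site_over:
            self.blocked[ip] = now + self.blocking_period
            return 403
        return 200


def replay(tracker, log):
    # Feed constructed (timestamp, ip, uri) records through the tracker.
    return [tracker.request(ip, uri, t) for t, ip, uri in log]

# Constructed sample log: one client hammering /login, one normal visitor.
SAMPLE_LOG = [(0.0, "10.0.0.1", "/login"), (0.1, "10.0.0.1", "/login"),
              (0.2, "10.0.0.1", "/login"), (0.2, "10.0.0.2", "/login"),
              (5.0, "10.0.0.1", "/"), (12.0, "10.0.0.1", "/"), (30.0, "10.0.0.1", "/")]
if __name__ == "__main__":
    print(replay(EvasiveTracker(), SAMPLE_LOG))  # [200, 200, 403, 200, 403, 403, 200]
```

The sixth record shows the timer reset: without it the block placed at t=0.2 would have lapsed at t=10.2, but the hit at t=5.0 pushed the expiry to t=15.0, so the request at t=12.0 is still refused.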
Limitations and Best Practices
While mod_evasive is an effective tool for mitigating
smaller, application-layer DoS attacks and script-driven brute-force
attempts, it has limitations against massive, highly distributed
volumetric DDoS attacks that can saturate network bandwidth before
reaching the web server. Because it operates at the software level, it
still utilizes some server CPU and memory to reject requests. For
comprehensive security, it is best utilized as a first line of
host-based defense alongside network-level firewalls, intrusion
prevention systems, and reverse-proxy Content Delivery Networks
(CDNs).