Security – Blocking repeated http requests in Apache behind a load balancer

Tags: amazon-web-services, apache-2.2, load balancing, mod-security, Security

I have a number of EC2 servers on AWS running Apache behind a load balancer (ELB). Every now and then some IP address abuses the API hosted on the EC2 servers and causes a denial of service. I have no access to the load balancer, so I need to block access at the server's level.

I changed the Apache access log to display IPs based on the X-Forwarded-For header provided by the load balancer (otherwise it just displays the load balancer's IP), so I can identify these IPs and block them (again by specifying the X-Forwarded-For) with something like:

<Directory api_dir>
    # Mark requests whose X-Forwarded-For header carries the offending address
    SetEnvIf X-Forwarded-For "1.1.1.1" DenyIP
    # Apache 2.2 access control: allow everyone, then deny the marked requests
    Order allow,deny
    Allow from all
    Deny from env=DenyIP
</Directory>

However, this still means that I need to manually handle every attack, and my server suffers some downtime as a result.

What is the recommended way to automatically block attacks of repeated HTTP calls, based not on IP but on the Forwarded-For header coming from the load balancer?

Best Answer

You can do this with mod_evasive combined with mod_rpaf.

The former lets you limit by IP address (to stop DoS attacks, for example); the latter allows you to make the X-FORWARDED-FOR address appear as the IP, as discussed in the comments of the answer to this question.

(If mod_rpaf doesn't work for you, you'd have to hack the source of mod_evasive.)
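The mod_rpaf plus mod_evasive combination from the answer, written out as an added Apache 2.2 configuration example (not taken from the question or the answer). The module file names, the trusted proxy range 10.0.0.0/8, the log path and every threshold are placeholder values to adapt; it also assumes a mod_rpaf build whose RPAFproxy_ips accepts CIDR notation (older 0.6 builds take a list of individual addresses).

```apache
# Added example configuration, not from the original post.
LoadModule rpaf_module      modules/mod_rpaf-2.0.so
LoadModule evasive20_module modules/mod_evasive20.so

# mod_rpaf: replace the connection's remote address with the value of
# X-Forwarded-For, but only for requests that arrive from the trusted
# load balancer range. Without RPAFproxy_ips any client could send its
# own X-Forwarded-For header and have a different address logged/blocked.
RPAFenable      On
RPAFsethostname On
RPAFproxy_ips   10.0.0.0/8
RPAFheader      X-Forwarded-For

# Log both the rewritten address (%h, now the client) and the raw header,
# so the two can be compared while validating the setup.
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" elb_combined
CustomLog logs/access_log elb_combined

# mod_evasive: per-client request rate limiting. Because mod_rpaf has
# already rewritten the remote address, the hash table is keyed by the
# real client rather than by the load balancer.
<IfModule mod_evasive20.c>
    DOSHashTableSize  3097
    # More than 10 requests for the same URI within 1 second -> 403
    DOSPageCount      10
    DOSPageInterval   1
    # More than 100 requests for any URI within 1 second -> 403
    DOSSiteCount      100
    DOSSiteInterval   1
    # Seconds the offending address keeps receiving 403 responses
    DOSBlockingPeriod 60
    DOSLogDir         /var/log/mod_evasive
    # Health checks from the load balancer carry no X-Forwarded-For, so
    # they keep the proxy's own address; never rate limit those.
    DOSWhitelist      10.0.0.*
</IfModule>
```

Apache config does not allow trailing comments on a directive line, which is why each note sits on its own line above the setting it describes.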