My server is under an Apache DDoS attack right now. There's a ton of single IP addresses with 30+ connections.
When I use this SSH command:
netstat -n | awk '$4 ~ /:80$/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
I'm getting this:
30 69.144.146.74
31 190.216.242.195
31 92.20.224.127
34 24.127.224.73
37 197.34.29.122
37 85.225.133.82
38 108.29.62.196
38 86.95.44.115
40 66.62.146.84
40 94.123.91.147
46 24.117.238.91
48 70.112.112.127
48 71.58.158.150
48 75.65.172.192
51 99.127.238.167
52 99.98.74.66
53 107.7.34.66
54 95.238.27.3
I've blacklisted over 100 IPs already, but within 5 minutes there are all new IPs with 50+ connections.
I have no idea what to do right now. Is there a way to only allow an IP address to have 1 connection at a time? Or is there a firewall that can protect against this thing? I'm freaking out here; how can this be fixed? Thanks.
Best Answer
There are hardware firewalls that can do this. Your option at the Apache level is a feature called "throttling". There used to be a module for this, but it seems it has been removed.
https://stackoverflow.com/questions/7467183/throttling-requests-by-ip-address-on-apache
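As an added example (not part of the question or the answer above), here is the counting step from the question written as a small POSIX shell script so it can be re-run against `netstat -n` output and turned into a "who is over the limit" list. The netstat lines, addresses and the threshold are constructed for illustration; the script matches the port on the local-address column so that `:8080` or `:8000` listeners are not counted as port 80, which the original `grep ':80'` pipeline does. It handles IPv4 `tcp` rows only; `tcp6` rows use `:::80` notation and are skipped.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Count connections per remote IP to a local port from `netstat -n` output
# and list the remote IPs above a threshold.

# Constructed sample of `netstat -n` output (stands in for the live server).
# 203.0.113.10 has 3 connections to :80, 198.51.100.7 has 2 (one TIME_WAIT),
# and the :8080 and :22 rows must not be counted.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.10:51000      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51001      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40000      ESTABLISHED
tcp        0      0 10.0.0.5:8080           192.0.2.99:33000        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.50:60000        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      TIME_WAIT'

# count_conns [port]
# Reads `netstat -n` output on stdin and prints "count ip" lines, lowest
# count first, for every remote IPv4 address with a connection to the given
# local port (default 80).  The port is matched only on the local-address
# column ($4), anchored at end of field, so :8080 does not match :80.
# Every state (ESTABLISHED, SYN_RECV, TIME_WAIT, ...) is counted, just as
# the original one-liner does.
count_conns() {
    port=${1:-80}
    awk -v port="$port" '
        $1 == "tcp" && $4 ~ (":" port "$") {
            split($5, addr, ":")      # "ip:port" -> addr[1] = ip
            conns[addr[1]]++
        }
        END { for (ip in conns) print conns[ip], ip }
    ' | sort -n
}

# over_threshold <max>
# Reads count_conns output on stdin and prints only the IPs whose count is
# strictly greater than <max>.
over_threshold() {
    awk -v max="$1" '$1 > max { print $2 }'
}

# Usage on the constructed sample; on a real host replace the printf with
# `netstat -n`.  The threshold of 2 is an illustrative assumption.
printf '%s\n' "$SAMPLE_NETSTAT" | count_conns 80
printf '%s\n' "$SAMPLE_NETSTAT" | count_conns 80 | over_threshold 2
```

The list produced by `over_threshold` is the same thing the question's blacklisting does by hand. For the "firewall that can do this" part of the answer, the Linux kernel firewall has a connection-count match, netfilter's `connlimit`; a rule of the shape `iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset` refuses new port-80 connections from any single source already holding more than the given number. That rule and its limit of 20 are an addition here, not something the answer states, and any limit has to be chosen with legitimate clients behind shared NAT addresses in mind.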