Protect Against DoS & DDoS with mod_evasive For Ubuntu

Share It!

The mod_evasive Apache module, some time ago known as mod_dosevasive, ensures against DoS, DDoS (Distributed Denial of Service), and brute force attacks on the Apache web server. Denial-of-Service (DoS) attack is an endeavor to make a machine or network resource occupied to its proposed users, such as to temporarily or indefinitely interrupt or suspend services of a host associated with the Internet. A distributed denial-of-service (DDoS) is the place the attack source is more than one–and frequently a great many one of a kind IP addresses.
Protect Against DoS & DDoS with mod_evasive

What is mod_evasive?

mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

Types of DDoS Attacks:

There are three types of DDoS attacks:

  • A volumetric attack, completed by overflowing the available bandwidth;
  • A traffic attack, done by abusing the available system resources;
  • An application attack, executed by exhausting the available system resources.

    A web hit request comes in. The following steps take place:

  • The IP address of the requestor is looked up on the temporary blacklist.
  • The IP address of the requestor and the URI are both hashed into a “key”. A lookup is performed in the listener’s inner hash table to figure out whether the same host has requested for this page more than once inside of the previous 1 second.
  • The IP address of the requestor is hashed into a “key”. A lookup is performed in the listerner’s inner hash table to figure out whether the same host has asked for more than 50 objects inside of the previous second.
  • In the event that any of the above are valid, a 403 response is sent. This rations data transfer bandwidth and system resources in the case of a DoS attack. Moreover, a system command and/or an email notice can likewise be activated to piece all the originating addresses of a DDoS attack.


    mod_evasive has only one prerequisite. To install this module, simply run the following command:

    # sudo apt-get install apache2-utils

    Install mod_evasive

    mod_evasive package comes in the Ubuntu official repository, run following command to install it

    # sudo apt-get update
    # apt-get install libapache2-mod-evasive

    Setting up mod_evasive

    mod_evasive configuration file is located at /etc/apache2/mods-available/. Now we will be editing mod_evasive configuration file and do changes as below:

    # vim /etc/apache2/mods-available/evasive.conf
    DOSHashTableSize    2048
    DOSPageCount        5
    DOSSiteCount        100
    DOSPageInterval     1
    DOSSiteInterval     2
    DOSBlockingPeriod   10
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    DOSLogDir           "/var/log/evasive"

    mod_evasive Configuration Options

    The mod_evasive configuration option description as below:

  • DOSHashTableSize:
    The hash table size defines the number of top-level nodes for each child’s hash table. Expanding this number will give faster execution by decreasing the number of iterations required to get to the record, however will devour more memory for table space. It is advisable to expand this parameter on substantial load web servers.

  • DOSPageCount:
    This sets limit for aggregate number of hits on same page (or URI) per page interval. When this threshold is reached, the client IP is locked out and their requests will be dumped to 403, adding the IP to blacklist.

  • DOSSiteCount:
    This sets the limit for aggregate number of request on any object by same client IP per site interval. When this limit is reached, the client IP is added to blacklist.

  • DOSPageInterval:
    The page count interval, accepts real number as seconds. Default value is 1 second

  • DOSSiteInterval:
    The site count interval, accepts real number as seconds. Default value is 1 second

  • DOSBlockingPeriod:
    This order sets the amount of time that a client will be blocked for if they are added to the blocking list. During this time, every single request from the client will bring about 403 (Forbidden) response and the timer will be reset (e.g. for an additional 10 seconds). Since the timer is reset for each request, it is not important to have a long blocking period; in the case of a DoS attack, this timer will continue getting reset.

  • DOSEmailNotify:
    This is an E-mail if provided will send notification once an IP is being blacklisted

  • DOSSystemCommand:
    This is a system command that can be executed once an IP is blacklist if enabled. Where %s is the blacklisted IP, this is designed for system call to IP filter or other tools

  • DOSLogDir:
    This is a directory where mod_evasive stores it’s log

    As you’ll replace with your email. Since mod_evasive doesn’t create the log directory automatically, we are to create it for it:

    # mkdir /var/log/evasive
    # chown www-data:www-data /var/log/evasive
    # chmod 771 /var/log/evasive

    Enable evasive module using following command:

    # a2enmod evasive

    Restart Apache for changes to take effect

    For Ubuntu 15.04/15.10
    # systemctl restart apache2
    For Ubuntu 14.04/14.10
    # service apache2 restart

    Testing mod_evasive Setup

    Now we will send bulk requests to the server using following command:

    # ab -n 100 -c 10
    This is ApacheBench, Version 2.3 <$Revision: 1528965 $>
    Copyright 1996 Adam Twiss, Zeus Technology Ltd,
    Licensed to The Apache Software Foundation,
    Benchmarking (be patient).....done
    Server Software:
    Server Hostname:
    Server Port:            80
    Document Path:          /
    Document Length:        0 bytes
    Concurrency Level:      10
    Time taken for tests:   152.708 seconds
    Complete requests:      100
    Failed requests:        0
    Total transferred:      0 bytes
    HTML transferred:       0 bytes
    Requests per second:    0.65 [#/sec] (mean)
    Time per request:       15270.825 [ms] (mean)
    Time per request:       1527.083 [ms] (mean, across all concurrent requests)
    Transfer rate:          0.00 [Kbytes/sec] received
    Connection Times (ms)
                  min  mean[+/-sd] median   max
    Connect:        1    3   2.3      2      12
    Processing: 15222 15259  23.0  15253   15321
    Waiting:        0    0   0.0      0       0
    Total:      15226 15261  22.7  15256   15324
    Percentage of the requests served within a certain time (ms)
      50%  15256
      66%  15274
      75%  15280
      80%  15284
      90%  15294
      95%  15300
      98%  15310
      99%  15324
     100%  15324 (longest request)
    # ls -l /var/log/evasive
    -rw-r--r-- 1 www-data www-data 5 Dec 15 22:10 dos-

    Enjoy it!

  • Leave a Reply

    Your email address will not be published.