Hello my friends
I have a DDOS problem, the attack occurs by sending a series of requests - for a long time,
That takes all of my VPS resources
so its deny the server from serving any users/visitors.
all requests logs in access_log of Apache, and its normal requests

-first time I do Firewall the range of IPs that used to make this attack
-but after a while (2weeks) the attack comes back with new range of IPs (all IPS used were static and some of them are in blacklist)
-I installed mod_evasive and mod_security of apache,

but they can not stop this type of attach as well.

please help to solve this problem...

thanks and regards

what kind of requests? web? or just packets?

does it bring your vps down because of the bandwidth or processing time of the request?

what do you have... apache? mysql?

if apache, have you looked into mod_cband?
http://www.howtoforge.com/mod_cband_apache2_bandwidth_quota_throttling

Dear 'sob' Thank you very much for help and



its a web requests, ie urls



I get my 4 CPUs in 100% usage
and get all allowed Apache MaxSpareServer ( 8 ) works



Apache, mysql, and php, all serve Drupal CMS

and about mod_cband, I have not used it, because thinking that its CPU/process problem
and I will left this VPS for 1 website

Thank you very much for help
regards

the excessive CPU consumption comes from too many requests, so you need to be able to limit the amount of request per IP (again, look at mod_throttle/mod_cband to do that, I'm not an expert on either but I'm sure that would help)

how many IPs are attacking you at the same time?

if you're facing DDOS where the number of IPs initiating the attack is large, then it's a much harder problem

If you weren't using Drupal I would tell you to add some PHP code to handle excess requests from one IP (prohibiting a call to a page from the same IP withing 1s for example).

But as you're using Drupal, it may not be that easy (I'm not familiar with Drupal). Maybe there are Drupal modules (or whatever they're called) to enforce such limitations?

Dear 'sob' Thank you very much for your help



yes That's exactly what I see using "htop" to monitor CPU and "tail -f acces_log" to see requests

so I will install mod_throttle/mod_cband and hope that help,
but are there a suitable configurations can I set them up to those modules?



them were not much ie. the first attack was using the range
"--src-range 196.219.224.1-196.219.224.254"
and I firewall it

and will looking for drupal module can adjustment IP-limitation functions

Thank you very much and regards

you need to read the doc on mod_throttle and mod_bandwidth and adjust the configuration to your needs

it's not only a matter of "installing and hoping it helps" unfortunately

I will try and Thank you very much for you help
best regards