Mod_evasive does not block a DoS attack that uses HEAD requests

Using Apache/2.2.15 on RHEL6 with the following mod_evasive configuration:

DOSHashTableSize    3097
DOSPageCount        14
DOSPageInterval     2
DOSSiteCount        70
DOSSiteInterval     1
DOSBlockingPeriod   60

Unfortunately it did not block this attack, which came from just 1 IP:

207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:53 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:53 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:53 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"
207.xxx.xxx.xxx - - [14/Jun/2015:06:06:54 +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"

Mod_evasive does work and blocks some IPs in other cases. Does it not work for HEAD requests?

Edit: My Apache is running in prefork mode. As far as I know, there are issues with mod_evasive.

Answer 1

Change the variable to a lower value; 14 is really high.

DOSPageCount 3

Since the attack comes from a single location, you can ban that IP address.

sudo iptables -t raw -I PREROUTING -s 207.x.x.x/32 -j DROP

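Or you can install mod_security, set it up, and add "some fake user agent" to the bad_robots.data file, and it will be greeted with a 401 Forbidden.

Note

The purpose of a DDoS attack is to consume bandwidth and resources. You can ban an IP address, lock it out with mod_evasive, or reject its requests with a 401. None of these methods will stop a DDoS. The DDoS will continue to consume all of your bandwidth while still keeping your device offline. The best approach is to contact your ISP and ask them to blackhole the offending IP, or to contact a DDoS mitigation service (such as cloudflare). Nothing else you do will stop a DDoS.

If you are under constant DDoS attack, use a DDoS mitigation service. None of the methods mentioned above will stop a DDoS.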
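
An added example (not from the original post and not mod_evasive's own code): a simplified Python model of a per-IP, per-URI hit counter using the question's DOSPageCount/DOSPageInterval values, run over constructed log lines shaped like the ones in the question. The function names, the 203.0.113.7 address and the round-robin spread of requests over separate per-child counter tables are assumptions made for illustration.

```python
import re
from datetime import datetime

# Common/combined log format prefix: IP, identd, user, [time], "METHOD URI PROTO"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def parse(line):
    """Return (ip, epoch_seconds, method, uri), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, uri = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp(), method, uri

def first_block(lines, page_count, page_interval, workers=1):
    """Index (0-based) of the first request the model would refuse, or None.

    workers > 1 models one independent counter table per Apache child, with
    requests dealt round-robin across children (a simplifying assumption).
    """
    tables = [{} for _ in range(workers)]
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e[1])
    for i, (ip, t, _method, uri) in enumerate(events):
        table = tables[i % workers]
        key = (ip, uri)  # model assumption: the HTTP method is not part of the key
        last_seen, count = table.get(key, (t, 0))
        if t - last_seen < page_interval and count >= page_count:
            return i
        if t - last_seen >= page_interval:
            count = 0  # quiet period elapsed: start counting again
        table[key] = (t, count + 1)
    return None

# Constructed sample shaped like the log in the question (documentation IP).
LINE = '203.0.113.7 - - [14/Jun/2015:06:06:%s +0400] "HEAD / HTTP/1.1" 200 - "-" "some fake user agent"'
SAMPLE = [LINE % "53"] * 3 + [LINE % "54"] * 20

if __name__ == "__main__":
    for count, workers in [(14, 1), (14, 4), (3, 4)]:
        hit = first_block(SAMPLE, count, 2, workers)
        print(f"DOSPageCount={count} children={workers}: first refused index = {hit}")
```

In this model a single shared counter refuses the 15th request at DOSPageCount 14, but with the counters split across four children the same 23-request burst never reaches 14 in any one table. Lowering DOSPageCount to 3 trips on the 13th request even with four children.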
