Why are we apache users still victims of DDOS attacks and having root server rental support telling us "It is you responsibility to secure your server". When did you hear about the first dos attack? Back in the 90's? And it is still not solved? This piss me off beyond belief.

And now, after trying to fix this on my Suse 10.1 distro I am stuck at
never ending dependency problems.

My suse version: Linux version 2.6.16.21-0.25-smp (geeko@buildhost) (gcc version 4.1.0 (SUSE Linux))

I run a small gaming community and I just don't have time on my own to fix this. I know for a fact that one particular person used a botnet to attack my forum just to prove "he could".

On July 30 '08 all of my webbys was unreachable because of syn flood attacks

And the actual targetted url:

I contacted support who adviced me to:

This seemed to stop the syn flooding at least but the ddos attack on the forum kept going. I temp solved it by not using port 80. Shortly before this I moved the webbys to port 80 and was quite happy about that .

Next step was to find evasive actions against ddos and found mod_evasive. Sounded good and i downloaded mod_evasive_1.10.1.tar.gz.

Next issue. apache2-devel is missing in my distro. Looked in Yast and it was nowhere to find so I installed apache2-devel-2.2.2-1

And now when i try and compile the module I get

Right! It is in apr-devel, also missing.
And this needs which needs rtld(GNU_HASH).

And according to Lenard in this forum

Conclusion

DEAD END

To me this feels like a dead end if I'm not switching to another distro which have whats needed to run mod_evasive. And after reading peoples reviews of mod_evasive there is no garantee it will work.

I have quite a lot of data, and I'm so to speak cornered. I can chose to make a fresh install of another distro, but no clue where to put all the stuff meanwhile as it will whipe the server clean.

If you have any advice for me I would appreciate it a lot. I don't know, I'm a newbie and may have missed something. But to me it seems extremelly weird that ddos is still possible on Apache servers still. And the counter measures would be like switching your entire car just because you need a little engine part for safe driving .

Thx for listening to my confession, now it feels much better .

http://serversupportforum.de/forum/f...r-apache2.html
it's german - but is talks about that you have to run different commands depending on what version of apache you are using
look at point 6.)
I have no idea and never even used apache - but this sounds like a possible way to a solution. (Apache2-Prefork vs. Apache2)

have you set this in /etc/sysctl.conf ?

It did that automatically. Look at the top of his post.

There's very little that you can do to stop a DDoS any way. By the time the traffic hits you, it doesn't matter much if your server(s) can handle it, it will have already filled up your bandwidth making other requests time-out.

The only way to real block DDoS attacks is with up-stream filtering, but again that's rather tricky since the attack packets look just like normal HTTP requests (if done correctly).

It would be convenient with a couple of ip's and some dynamic dns magic that switch between ip's when some ddos attacks occur. But in my case it wasnt the ip that was targetted but a domain.

You mean OS fingerprinting? I asked about that and the provider's reply was:

That might help, but if your site is being deliberately targeted I would imagine the attacker would be on to you real quick.

OS fingerprinting could definitely be part of the detection scheme, but usually it will take much more than that to separate real traffic from DDoS traffic - especially if you want to do so with a decent level of accuracy. As chort said, doing this sort of thing right is tricky. It takes certain skills and resources which your provider seems to lack. BTW, if you read about some of the really big companies' countermeasures during DDoS attacks you'll see that many of them instead opt for purchasing vast amounts of temporary bandwidth at multiple geographic locations until the attack subsides (or until they are able to take permanent measures upstream, which can take longer to come-up with than they can afford to wait, depending on the attack).

Would dotdefender be of any use?
Anyone have any experience of it on Apache and ddos attacks?

And another thing. As I understand it's quite easy for script kiddies to get hold of and host a common irc botnet.
I find it odd that the big irc networks can't monitor irc controlled botnets. Aren't most of them using same signals to the zombies to invoke an attack and stop an attack?

But honestly, I had no clue how big this problem actually is, not just for me.
From networkworld

Still a dead end I guess. Nothing a private run server can do about it except switching ip's and domains and riding it out and hope it ends. Thx for your replies and helping me get some more insight into it .

A quick look at their website gave me the impression it has nothing to do with anti-DDoS.

If switching IPs/domains was such a sure-thing then you wouldn't see big companies spending hundreds of thousands of dollars during a DDoS. That said, it really depends on your attacker and you'd need to try it to know whether it'll work for you or not. If it's a small-time botnet and the determination to keep your service denied is low, then yeah that might work. As for the comment you quoted about needing to take care of things at the ISP, don't forget that that applies specifically to bandwidth DDoS attacks. If the reason your service is being denied is because your servers are being overloaded with bogus requests, yet your connection isn't totally saturated, then you can indeed take measures on your side. AFAICT you never did state precisely how your service was being denied.