I have a website on two apache servers and nginx as reverse proxy and i want to test the performance of the apache after the load balancing, after searching around i found out that what i want is layer 7 ddos (distributed denial of service) so far i tried a few tools like:LOIC, swithblade4 using windows, andyloris,slowhttptest,torshammer,rudy using kali linux and NO LUCK! while doing the attack i was opening the cpu usage of the nginx machine and the apache, the nginx goes down like 91% and the apache like 97% !!
Is there certain configuration that i should change on the apache or nginx

Hi hassanshams,

Welcome to the forum!

For DDoS there are a few tricks, like limiting the number of connections per IP, syn cookies, directing legitimate traffic to a certain high port before allowing it to the main page, and using iptables to check if the IP in question has triggered the high port you're using.

There are also hundreds of queueing and balancing methods. It just depends on how you want to do it. https://javapipe.com/ddos/blog/iptab...os-protection/

While AwesomeMachine gives some good advice the problem with an external DDoS attack is that the traffic will be coming down and congesting your link before any of the suggestions take place. If you've a 100Mb link and some scumbag throws 1Gb of traffic at it then that link will be saturated and all the filtering etc. that's in place behind your link will be effectively useless. The best method of DDoS mitigation is to use an external traffic "scrubbing" service that can handle large amounts of traffic and will only pass "clean" traffic through to your backend. These services aren't cheap, but depending on how available you need your site and how "attractive" it is as a DDoS target it may be worth it.