Configuring the httpd.conf File Mod_Dosevasive

Mod_Dosevasive


First of all, download Mod_Dosevasive from http://www.303030.com/downloads/dosevasive.zip

The file is not available on the internet; probably the owner may have gone the commercial way, so download it from the above link. It supports Apache 2.2 and may work for others.

Here is my working configuration:


LoadModule dosevasive22_module modules/mod_dosevasive22.dll

<IfModule dosevasive22_module>
    DOSHashTableSize    6097
    DOSPageCount        50
    DOSSiteCount        250
    DOSPageInterval     5
    DOSSiteInterval     1
    DOSBlockingPeriod   20
    DOSWhitelist        127.0.0.1
    DOSWhitelist        192.168.1.4
    DOSWhitelist        10.10.10.4
</IfModule>


I am using Apache 2.2 on Windows 2008. Please read the following topic; it will help you a lot.

Thanks everyone.


Mohamed Ali Elsayed 21/8/2010


In Chapter 4, "Configuring the httpd.conf File," we discussed the native Apache directives that can be configured to help mitigate the effects of a Denial of Service (DoS) attack. The directives included Timeout, KeepAlive, and KeepAliveTimeout. While these directives help with the performance of Apache and will lessen the impact of a DoS attack, there is another third-party module that is extremely effective.



What Is Mod_Dosevasive?


Mod_Dosevasive is an evasive maneuvers module for Apache whose purpose is to react to HTTP DoS and/or brute force attacks. It was developed by Jonathan Zdziarski and can be downloaded from his web site: http://www.nuclearelephant.com/. An additional capability of the module is that it is also able to execute system commands when DoS attacks are identified. This provides an interface to send attacking IP addresses to other security applications, such as local host-based firewalls, to block the offending IP address. Mod_Dosevasive performs well against both single-source attacks and distributed attacks; however, as with any DoS attack, the real concern is network bandwidth and processor/RAM usage. Keep this in mind as we discuss DoS attacks throughout this book.



Installing Mod_Dosevasive


As we discussed in Chapter 3, in order to implement Mod_Dosevasive as a DSO module, we can use the Apache apxs script. The Mod_Dosevasive distribution comes with two different versions for Apache, one for the 1.3 version (mod_dosevasive.c) and one for the 2.0 version (mod_dosevasive20.c). The following command will compile, install, and activate the module:



# ./apxs -cia /tools/mod_dosevasive/mod_dosevasive20.c
/usr/local/apache/build/libtool --silent --mode=compile gcc -prefer-pic -
DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -
D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -g -O2 -pthread -I/usr/local/apache/include
-I/usr/local/apache/include -I/usr/local/apache/include -c -o
/tools/mod_dosevasive/mod_dosevasive20.lo /tools/mod_dosevasive/mod_dosevasive20.c &&
touch /tools/mod_dosevasive/mod_dosevasive20.slo
--CUT--
--------------------------------------------------------------------
chmod 755 /usr/local/apache/modules/mod_dosevasive20.so
[activating module 'dosevasive20' in /usr/local/apache/conf/httpd.conf]
# grep mod_dosevasive /usr/local/apache/conf/httpd.conf
LoadModule dosevasive20_module modules/mod_dosevasive20.so





How Does Mod_Dosevasive Work?


Mod_Dosevasive identifies attacks by creating and using an internal dynamic hash table of IP Addresses to URIs pairs based on the requests received. When a new request comes into Apache, Mod_Dosevasive will perform the following tasks:




  • The IP address of the client is checked in the temporary blacklist of the hash table. If the IP address is listed, then the client is denied access with a 403 Forbidden.




  • If the client is not currently on the blacklist, then the IP address of the client and the Uniform Resource Identifier (URI) being requested are hashed into a key. Mod_Dosevasive will then check the listener's hash table to verify whether any of the same hashes exist. If they do, it will then evaluate the total number of matched hashes and the timeframe they were requested in against the thresholds specified in the httpd.conf file by the Mod_Dosevasive directives.




  • If the request does not get denied by the preceding check, then just the IP address of the client is hashed into a key. The module will then check the hash table in the same fashion as above. The only difference with this check is that it doesn't factor in what URI the client is requesting. It checks to see if the client's request count has gone above the threshold set for the entire site per the time interval specified.




If any of these checks are true, the client is denied access with the default status code of 403 Forbidden. Once a client has been denied, they will continue to be denied for the duration of the configured block period (default is 10 seconds). If they continue to send requests during this timeframe, they will continue to be denied and forced to wait even longer. Figure 5.3 shows an example of the Mod_Dosevasive process flow.



 




Figure 5.3. Mod_Dosevasive process flow.

Configuration


The Mod_Dosevasive module has default settings, which allow it to work without the need to add additional httpd.conf file directives. While this is certainly easy, you will most likely need the capability to tweak the various settings to set the correct thresholds for your environment. Therefore, you should add the following directives to your httpd.conf file and update as needed:




<IfModule mod_dosevasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>


 

We will now discuss each of the Mod_Dosevasive directives. Most of this information is taken directly from the README file of Mod_Dosevasive, so proper credit should be given to the developer of this module.



DOSHashTableSize

This directive specifies the number of top-level nodes for each Apache child process's hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server. The value you specify will automatically be tiered up to the next prime number in the primes list (see mod_dosevasive.c for a list of primes used).



DOSPageCount

This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.



DOSSiteCount

This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.



DOSPageInterval

The interval for the page count threshold; defaults to 1 second intervals.



DOSSiteInterval

The interval for the site count threshold; defaults to 1 second intervals.



DOSBlockingPeriod

The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g., another 10 seconds). Because the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.



DOSEmailNotify

If this value is set, an email will be sent to the address specified whenever an IP address becomes blacklisted. A locking mechanism using /tmp prevents continuous emails from being sent.




Note


Be sure MAILER is set correctly in mod_dosevasive.c (or mod_dosevasive20.c). The default is "/bin/mail -t %s" where %s is used to denote the destination email address set in the configuration. If you are running on Linux or some other operating system with a different type of mailer, you'll need to change this.






DOSSystemCommand

If this value is set, the system command specified will be executed whenever an IP address becomes blacklisted. This is designed to enable system calls to ip filter or other tools. A locking mechanism using /tmp prevents continuous system calls. Use %s to denote the IP address of the blacklisted IP. Keep in mind that the command runs with the privileges of the Apache child process, so whatever it invokes (a firewall rule insertion, for example) must be something the Apache user is permitted to execute.



DOSLogDir

Choose an alternative temp directory. By default, "/tmp" will be used for the locking mechanism, which opens some security issues if your system is open to shell users. In the event you have nonprivileged shell users, you'll want to create a directory writable only by the user Apache is running as, then set this in your httpd.conf.



WhiteListing

As of version 1.8, IP addresses of trusted clients can be whitelisted to ensure they are never denied. The purpose of whitelisting is to protect software, scripts, local searchbots, or other automated tools from being denied for requesting large amounts of data from the server. Whitelisting should not be used to add customer lists or anything of the sort, as this will open the server to abuse. This module is very difficult to trigger without performing some type of malicious attack, and for that reason, it is more appropriate to allow the module to decide on its own whether or not an individual customer should be blocked.


To whitelist an address (or range), add an entry to the Apache configuration in the following fashion:



DOSWhitelist    127.0.0.1
DOSWhitelist    127.0.0.*


 

Wildcards can be used on up to the last three octets if necessary. Multiple DOSWhitelist commands may be used in the configuration.



Testing

Mod_Dosevasive comes with a Perl script called test.pl. Without editing the file, if you execute it, it will send 101 requests for incrementing URLs (/?0 through /?100) to the localhost address on port 80. It sends the requests at a high rate and should cause Mod_Dosevasive to deny the requests after about 20 requests. Two things explain that number. First, although the query string changes on every request, the module hashes the client IP together with Apache's r->uri, which does not include the query string, so all of these requests count against the same page and trip the DOSPageCount threshold rather than DOSSiteCount. Second, each Apache child process keeps its own hash table (see DOSHashTableSize above), and the connections are spread across the children, so with the default DOSPageCount of 2 the first 403 appears only after a couple of dozen requests rather than on the third. Here are the contents of the test.pl script:




#!/usr/bin/perl

# test.pl: small script to test mod_dosevasive's effectiveness

use IO::Socket;
use strict;

# Send 101 rapid requests (GET /?0 .. GET /?100) to the local server on port 80
for (0..100) {
    my ($response);
    my ($SOCKET) = new IO::Socket::INET( Proto    => "tcp",
                                         PeerAddr => "127.0.0.1:80" );

    if (! defined $SOCKET) { die $!; }
    print $SOCKET "GET /?$_ HTTP/1.0\n\n";   # HTTP/1.0: one request per connection
    $response = <$SOCKET>;                   # read only the status line
    print $response;
    close($SOCKET);
}


 

If you run the script, you should see output similar to the following:



# ./test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
--CUT--
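To make the process flow in "How Does Mod_Dosevasive Work?", the threshold directives, whitelisting and the test.pl run above concrete, here is a small Python model of the module's decision logic. It is an added example written for this page, not code from Mod_Dosevasive or its author. It assumes fixed counting windows that begin at a key's first hit, a single hash table (the real module keeps one per Apache child process, which is why the live run above passes more than two requests before the first 403), and a request stream constructed in the code rather than traffic captured from a server. The directive values default to the README settings shown in the Configuration section.

```python
# Simplified model of the Mod_Dosevasive decision flow (added example, not the module's C code).
# Assumptions: one shared table, fixed windows starting at a key's first hit,
# and constructed request streams; status codes are the module's 200/403 outcomes.
from typing import Dict, Tuple


def ip_matches(ip: str, pattern: str) -> bool:
    """Octet-wise match for a DOSWhitelist entry; '*' matches one whole octet."""
    ip_octets = ip.split(".")
    pat_octets = pattern.split(".")
    if len(ip_octets) != 4 or len(pat_octets) != 4:
        return False
    return all(p == "*" or p == o for o, p in zip(ip_octets, pat_octets))


def uri_of(request_target: str) -> str:
    """Apache's r->uri carries no query string, so /?7 and /?8 are the same page."""
    return request_target.split("?", 1)[0]


class DosEvasive:
    """Single-table model of the three checks Mod_Dosevasive runs on each request."""

    def __init__(self, page_count: int = 2, site_count: int = 50,
                 page_interval: float = 1, site_interval: float = 1,
                 blocking_period: float = 10, whitelist=()):
        self.page_count = page_count            # DOSPageCount
        self.site_count = site_count            # DOSSiteCount
        self.page_interval = page_interval      # DOSPageInterval (seconds)
        self.site_interval = site_interval      # DOSSiteInterval (seconds)
        self.blocking_period = blocking_period  # DOSBlockingPeriod (seconds)
        self.whitelist = tuple(whitelist)       # DOSWhitelist entries
        self.hits: Dict[str, Tuple[int, float]] = {}   # key -> (count, window start)
        self.blacklist: Dict[str, float] = {}          # ip -> time of last denied hit

    def _over_threshold(self, key: str, limit: int, interval: float, now: float) -> bool:
        count, start = self.hits.get(key, (0, now))
        if now - start >= interval:   # window has expired: start counting afresh
            count, start = 0, now
        count += 1
        self.hits[key] = (count, start)
        return count > limit

    def check(self, ip: str, request_target: str, now: float) -> int:
        """Return 200 if the request may proceed, 403 if the module would deny it."""
        if any(ip_matches(ip, p) for p in self.whitelist):
            return 200
        # Step 1: a blacklisted client is denied and its blocking timer restarts.
        blocked_at = self.blacklist.get(ip)
        if blocked_at is not None:
            if now - blocked_at < self.blocking_period:
                self.blacklist[ip] = now
                return 403
            del self.blacklist[ip]
        # Step 2: too many hits on this IP + URI pair (DOSPageCount per DOSPageInterval).
        page_key = f"{ip}_{uri_of(request_target)}"
        if self._over_threshold(page_key, self.page_count, self.page_interval, now):
            self.blacklist[ip] = now
            return 403
        # Step 3: too many hits on anything from this IP (DOSSiteCount per DOSSiteInterval).
        if self._over_threshold(ip, self.site_count, self.site_interval, now):
            self.blacklist[ip] = now
            return 403
        return 200


def replay_test_pl(limiter: DosEvasive, n: int = 101):
    """Replay test.pl's pattern: GET /?0 .. GET /?100 from 127.0.0.1, 1 ms apart."""
    return [limiter.check("127.0.0.1", f"/?{i}", now=i * 0.001) for i in range(n)]


if __name__ == "__main__":
    codes = replay_test_pl(DosEvasive())
    print("first 403 at request index", codes.index(403))
    print("whitelisted run:", set(replay_test_pl(DosEvasive(whitelist=("127.0.0.1",)))))
```

With a single table the replay denies from the third request onward, which is the DOSPageCount behaviour the directives describe; the live output above starts denying later only because the thresholds are diluted across per-child tables. When tuning DOSPageCount and DOSSiteCount for a real server, size them against the number of child processes configured in httpd.conf, not against a single-table calculation, and whitelist only your own monitoring and search tools, as the Whitelisting section advises.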





Mod_Dosevasive Summary


This module is surprisingly effective at fending off small- to medium-sized request-based DoS attacks and brute force attacks. Its features will prevent you from wasting bandwidth or having a few thousand CGI scripts running as a result of an attack, which will be a valid concern when we discuss some of the advanced alerting mechanisms in later chapters. When used in conjunction with other preventative measures such as router blackholing, this tool is very effective against larger DoS attacks as well.


If you do not have an infrastructure capable of fending off any other types of DoS attacks, chances are this tool will only help you to the point of your total bandwidth or server capacity for sending 403s. Without a solid infrastructure and DoS evasion plan in place, a heavy distributed DoS will most likely still take you offline.


We will be returning to Mod_Dosevasive in later sections of the book. We will be talking more in-depth about running tests to tweak the directive settings to gain the best ratio for your site, as well as some custom updates that I have made to the modules code to gain increased security benefits.


 


 



