🛡️How Can I Tell if Apache is Experiencing a DDoS Attack?

Overview

A DDoS (Distributed Denial-of-Service) attack overwhelms your Apache web server with excessive traffic, often from multiple IPs. This can cause websites hosted on the server to become unresponsive or slow. Apache logs and network statistics can help detect if an attack is happening.


Symptoms of a DDoS Attack on Apache

  • Websites timing out or loading very slowly.
  • High server load and resource consumption.
  • Frequent Apache service restarts or crashes.
  • Apache error logs showing repeated entries like the one below. This message only says the worker pool is exhausted; it also appears when MaxRequestWorkers is simply set too low for normal traffic, so confirm it with the connection checks that follow:
[Wed Aug 05 21:33:21.543968 2020] [mpm_prefork:error] [pid 10431] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

Identify High Connection Volume

You can identify whether your Apache server is under a DDoS attack with the following commands, run over SSH as root (netstat -p and the firewall changes later in this guide require it):

1. Show Top IPs Making Connections to Apache Ports (80/443)

netstat -an | egrep ':(80|443) ' | egrep '^tcp' | grep -v LISTEN | \
awk '{print $5}' | egrep '([0-9]{1,3}\.){3}[0-9]{1,3}' | \
sed 's/^\(.*:\)\?\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*$/\2/' | \
sort | uniq -c | sort -nr | sed 's/::ffff://' | head

This command lists the top 10 client IP addresses by number of open connections. If a single IP or a small IP range dominates, you may be under attack. Note that the pipeline keeps only IPv4 (and IPv4-mapped) addresses, so connections from IPv6 clients are not counted.


Additional Checks

2. List All Active Connections to Port 80

netstat -plan | grep ':80 ' | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | \
sort | uniq -c | sort -nk 1

3. Display All External IP Connections

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

4. Check HTTPS (Port 443) Connection Counts

ss -a -n | grep ':443 ' | cut -d : -f2 | awk '{print $2}' | sort | uniq -c | sort -n
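The commands above count live connections. As an added example that is not part of this guide, the following Python script applies the same per-IP counting to Apache access-log lines instead, flagging any client whose request count inside a sliding 60-second window exceeds a threshold. The log lines, addresses and threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Start of an Apache common/combined log line: IP ident user [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, request, status), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"], int(m["status"])

def flag_ips(lines, window_seconds=60, threshold=100):
    """Return {ip: peak} for IPs whose request count in some sliding window of
    window_seconds exceeds threshold; peak is the count in their busiest window."""
    times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            times[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while (t - ts[start]).total_seconds() > window_seconds:
                start += 1  # drop timestamps that fell out of the window ending at t
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed sample: 203.0.113.7 sends one request per second for 150 s,
    198.51.100.4 browses normally, and one malformed line is skipped."""
    fmt = '%s - - [05/Aug/2020:21:%02d:%02d +0000] "GET %s HTTP/1.1" 200 512'
    lines = [fmt % ("203.0.113.7", 33 + i // 60, i % 60, "/") for i in range(150)]
    lines += [fmt % ("198.51.100.4", 33, 10 * i, "/page%d" % i) for i in range(6)]
    lines.append("garbage line that does not parse")
    return lines

if __name__ == "__main__":
    for ip, peak in flag_ips(sample_log(), threshold=50).items():
        print("%s: %d requests in a 60 s window" % (ip, peak))
```

On a real server, replace sample_log() with the lines of /var/log/httpd/access_log and tune the threshold to what your busiest legitimate client normally produces.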

Next Steps If Under Attack

  • Block offending IPs using firewall tools like csf or iptables.
  • Use mod_evasive or mod_security with Apache.
  • Enable Cloudflare or another DDoS mitigation service.
  • Rate-limit connections using Apache or fail2ban.

Conclusion

Frequent MaxRequestWorkers errors, high numbers of requests from few IPs, and system sluggishness are strong indicators of a DDoS attack. Monitoring connections with the commands above allows you to quickly identify and take action against malicious traffic.


Here’s a DDoS Hardening & Mitigation Checklist and Script for Apache to complement the detection guide:

Apache DDoS Hardening & Mitigation Checklist

1. Block Offending IPs (Manually or Automatically)

Manual block using CSF:

csf -d IP_ADDRESS "Blocked due to DDoS activity"

Manual block using iptables:

iptables -I INPUT -s IP_ADDRESS -j DROP

Use -I (insert at the top of the chain) rather than -A: a DROP rule appended after an existing ACCEPT rule never matches. On a CSF host prefer csf -d, because CSF rebuilds the iptables chains on restart and a hand-added rule is lost.

2. Install and Configure mod_evasive

mod_evasive helps block repeated requests from abusive IPs.

Install on CentOS/AlmaLinux:

yum install epel-release -y
yum install mod_evasive -y

Create mod_evasive config file:

nano /etc/httpd/conf.d/mod_evasive.conf

Add config (replace admin@example.com with your own address):

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        5
    DOSSiteCount        100
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   300
    DOSEmailNotify      admin@example.com
    # DOSSystemCommand runs as the Apache user, which cannot run csf on its own.
    # Grant it a sudo rule for exactly this command, or remove the line; otherwise
    # the firewall block fails and only mod_evasive's own 403 responses apply.
    DOSSystemCommand    "csf -d %s"
    DOSLogDir           "/var/log/mod_evasive"
</IfModule>

Create log dir:

mkdir /var/log/mod_evasive
chown apache:apache /var/log/mod_evasive

Restart Apache:

systemctl restart httpd

3. Install and Configure mod_security (Optional but Recommended)

Install:

yum install mod_security -y

Enable OWASP rules:
Follow steps from https://github.com/coreruleset/coreruleset

Restart Apache:

systemctl restart httpd

4. Use Cloudflare or a Reverse Proxy

Set up your site behind Cloudflare or a similar CDN with DDoS protection features to:

  • Filter traffic at the edge
  • Hide your origin IP
  • Rate-limit requests per IP

Hiding the origin IP only helps if the server also refuses direct connections from anything other than the CDN's published address ranges; otherwise traffic that already knows the origin address simply bypasses the proxy.

5. Monitor Apache Status

Enable the server status module (mod_status must be loaded via its LoadModule line) and restrict the page to your own address; ExtendedStatus On adds the per-request view that shows which client and URL each worker is busy with:

ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    Require ip YOUR.IP.HERE
</Location>

Restart Apache and check:

http://yourdomain.com/server-status

🛡️ Optional: DDoS Mitigation Script (Basic Firewall Auto-Block)

Here's a script that blocks IPs making excessive connections (it counts established IPv4 connections to port 80 only; the port match is anchored so that 8080 and similar ports are not counted):

#!/bin/bash
# Block IPs with more than LIMIT established connections to port 80.
# Must run as root: netstat needs it for full output and csf modifies the firewall.

LIMIT=100

netstat -ant | awk '$6 == "ESTABLISHED" && $4 ~ /:80$/ {print $5}' | \
  sed 's/^::ffff://; s/:[0-9]*$//' | sort | uniq -c | sort -nr | \
  while read -r count ip; do
    if [ "$count" -gt "$LIMIT" ]; then
      echo "Blocking $ip with $count connections"
      csf -d "$ip" "Auto-blocked for exceeding $LIMIT connections"
    fi
  done

Save as /usr/local/bin/ddos-block.sh, make it executable:

chmod +x /usr/local/bin/ddos-block.sh

Run manually or as a cron job every 5 minutes. Before automating it, make sure your own load balancer, CDN address ranges and monitoring hosts can never exceed the limit, or keep them in csf.allow (CSF's whitelist) so a burst from them does not cut you off from your own server.
