Port connection per IP limiting.
The Planet Forums > Security > General Security
Hornsplat
Is there any way to limit connections on a certain port, say to only 10 connections per IP, and block the other connections?

I've recently been the target of various Denial of Service attacks, and it always seems to overload and crash Apache, which leads either to my entire system crashing or just running VERY slowly.

There was an apache mod that allowed this, but after I 'installed' it, it didn't really seem to work.

If anyone has any insight on this, it would be greatly appreciated.
Al Nadeem
These rules will allow 4 connections in 1 second.
To change the amount of connections, change the --limit-burst flag from 4 to whatever, or to change the time range change the --limit flag. After that, one of the 4 bursts is regained each second, and it will re-allow that connection. The default limit is 3 per hour, the default limit burst is 5 (1/s, 4 in this example).
Change eth0 to any interface you might be using.

# create a chain that every new connection attempt (SYN) will be checked in
/sbin/iptables -N syn-flood
# send every SYN arriving on eth0 through that chain
/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
# SYNs within the budget (1 per second sustained, burst of 4) return to INPUT and are processed normally
/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
# anything above the budget is dropped
/sbin/iptables -A syn-flood -j DROP
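The -m limit rule above counts every SYN arriving on the interface together: it is neither per source address nor per port. Netfilter's connlimit match (concurrent connections per source) and hashlimit match (a token bucket keyed on source IP) give the per-IP, per-port version the original question asks for. The script below is an added example, not Al Nadeem's rules and not from this thread; it assumes a stock iptables with both matches, interface eth0 and web port 80, and the chain name port-limit-80 is arbitrary. It prints the commands by default (DRY_RUN=1) so the ruleset can be inspected before it is applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: per-source-IP connection and SYN-rate limits on one TCP port.
# Assumes iptables with the connlimit and hashlimit matches; IFACE, PORT,
# MAXCONN, RATE and BURST are illustrative defaults, not values from the thread.

IPT=${IPT:-/sbin/iptables}
IFACE=${IFACE:-eth0}

# Run one iptables command, or print it when DRY_RUN=1 (the default).
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# build_rules PORT MAXCONN RATE BURST
#   PORT    - TCP port to protect (e.g. 80)
#   MAXCONN - concurrent connections one source IP may hold before its SYNs are dropped
#   RATE    - sustained new-connection rate allowed per source IP (e.g. 1/sec)
#   BURST   - SYNs one source IP may send at once before RATE applies
build_rules() {
    port=$1; maxconn=$2; rate=$3; burst=$4
    chain="port-limit-$port"
    ipt -N "$chain"
    # only new connections (SYN) to the protected port enter the chain
    ipt -A INPUT -i "$IFACE" -p tcp --syn --dport "$port" -j "$chain"
    # 1) concurrency: a /32 already holding more than MAXCONN connections
    #    (counted from the conntrack table) gets its new SYN dropped
    ipt -A "$chain" -m connlimit --connlimit-above "$maxconn" --connlimit-mask 32 -j DROP
    # 2) rate: same token-bucket idea as the global -m limit rule, but one
    #    bucket per source IP; SYNs within budget RETURN to INPUT, the rest drop
    ipt -A "$chain" -m hashlimit --hashlimit-name "syn-$port" --hashlimit-mode srcip \
        --hashlimit-upto "$rate" --hashlimit-burst "$burst" -j RETURN
    ipt -A "$chain" -j DROP
}

# Preview: DRY_RUN=1 ./limit.sh   Apply as root: DRY_RUN=0 ./limit.sh
build_rules "${PORT:-80}" "${MAXCONN:-10}" "${RATE:-1/sec}" "${BURST:-4}"
```

Both matches key on the source address, so they only help against floods that come from real, non-spoofed sources and that complete (or at least start) tracked connections. A SYN flood with forged source addresses spreads across as many buckets as there are forged addresses and sails through; that case has to be handled in the kernel's SYN queue settings rather than in these rules.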
Hornsplat
Is this per IP, or just in general?

And is there any way that you could specify a specific port? Because most of the floods I am getting come from the http port 80.

(Forgive me if I overlooked anything, I'm much of a newbie at this myself...)
rackAID
Restricted Source Range
If you are getting hit from a small set of IPs, just drop them at the firewall. Put the rules very early in the firewall so that they are dropped quickly.

dDoS Attacks
If you have multiple IPs hitting you, then you need to determine the type of attack to know which actions may help.

If you are being subjected to a syn flood against Apache, then there are a number of settings to help mitigate this attack. These settings exist both within Apache itself and at the kernel's network level.


Apache Tweaks
There is an Apache directive ListenBacklog which should generally be left at default values. But if you are under a syn flood attack, then upping this value can help. The value determines the length of the queue of pending connections. I have set this as high as 512 on servers with 1GB of RAM.

KeepAliveTimeOut and MaxKeepAliveRequests can help but I have not used these too much.


There is a module called mod_throttle, which actually rarely helps in a dDoS. This is because the initial connection in a syn flood never reaches the application layer that does the throttling. As a result, this does not help. Now for attacks that cause a full tcp connection, mod_throttle may help limit these connections.


Kernel Tweaks
There are a number of kernel parameters that can be adjusted to reduce the effects of DoS. By lowering time-out values, you can help mitigate the attack.

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout        # seconds an orphaned socket stays in FIN-WAIT-2
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time   # seconds a connection sits idle before keepalive probes start
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling      # enable TCP window scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack                # disable selective acknowledgements
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog  # size of the SYN_RECV (half-open) queue


I believe I got the above settings from the Linux Firewalls book by Ziegler ... but they may be from elsewhere. We include these in our firewall scripts.
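rackAID's first point, dropping a small set of source IPs early in the firewall, needs a way to find those IPs. The script below is an added example, not rackAID's firewall script or anything from this thread: it reads netstat -nt style output (proto, recv-q, send-q, local address, remote address, state), counts connections per remote IP to a given local port, and emits iptables commands that insert a DROP at position 1 of INPUT so the packets are discarded before any other rule is evaluated. The netstat lines embedded in it are constructed for the demo, not real traffic; the port and threshold are parameters.

```shell
#!/bin/sh
# Added example: find source IPs holding many connections to the web port and
# emit early DROP rules for them. Assumes IPv4 netstat -nt output with
# a.b.c.d:port addresses in columns 4 and 5 and the state in column 6.

# Constructed sample in netstat -nt format (not captured from a real server).
SAMPLE='tcp        0      0 10.0.0.5:80      203.0.113.9:51234    ESTABLISHED
tcp        0      0 10.0.0.5:80      203.0.113.9:51235    ESTABLISHED
tcp        0      0 10.0.0.5:80      203.0.113.9:51236    SYN_RECV
tcp        0      0 10.0.0.5:80      203.0.113.9:51237    ESTABLISHED
tcp        0      0 10.0.0.5:80      198.51.100.7:40001   ESTABLISHED
tcp        0      0 10.0.0.5:22      203.0.113.9:51300    ESTABLISHED
tcp        0      0 10.0.0.5:80      192.0.2.44:6001      ESTABLISHED
tcp        0      0 10.0.0.5:80      192.0.2.44:6002      TIME_WAIT'

# find_abusers PORT THRESHOLD  < netstat-output
# Prints "count ip" for every remote IP with more than THRESHOLD connections
# to local PORT, most connections first. Half-open SYN_RECV sockets count
# (they occupy the backlog); TIME_WAIT sockets do not (no Apache slot is held).
find_abusers() {
    awk -v port="$1" -v thr="$2" '
        $1 == "tcp" && $6 != "TIME_WAIT" {
            local = $4; remote = $5
            sub(/.*:/, "", local)          # keep only the local port
            sub(/:[0-9]+$/, "", remote)    # strip the remote port
            if (local == port) n[remote]++
        }
        END { for (ip in n) if (n[ip] > thr) print n[ip], ip }
    ' | sort -rn
}

# drop_rules PORT THRESHOLD  < netstat-output
# Prints one iptables command per offending IP, inserted at position 1 of
# INPUT so the drop happens before any other rule is evaluated.
drop_rules() {
    find_abusers "$1" "$2" | while read -r count ip; do
        echo "/sbin/iptables -I INPUT 1 -s $ip -p tcp --dport $1 -j DROP   # $count connections"
    done
}

# Demo on the constructed sample. On a live box:  netstat -nt | drop_rules 80 10
echo "$SAMPLE" | drop_rules 80 3
```

Review the printed rules before piping them into sh as root; a shared NAT gateway or a busy proxy can legitimately hold many connections, and a rule at position 1 of INPUT blocks it outright. Remove the rules again once the flood stops, since nothing here expires them.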