Several useful tools for Apache to prevent DDoS attacks

Source: Internet
Author: User

I: A DDoS script from http://www.inetbase.com/scripts

This script was written specifically to counter DDoS attacks. It runs periodically (for example, once a second), uses the netstat command to record the current network connections, extracts the client IP address from each recorded connection, and counts the connections per client IP. A connection threshold is configured; any IP address with more connections than the threshold is added to a blacklist, and for a period of time (for example, 10 minutes) every packet that a blacklisted IP sends to the server is discarded by iptables.

The weakness of this script is that when an IPv4 client connects through an IPv6 socket, netstat reports its address in the mapped form ::FFFF:1.2.3.4. The script does not count addresses in that form, so it needs a small change to handle them.
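The counting logic described above, written as an added example (not the inetbase.com script itself): it parses constructed netstat-style output, folds IPv4-mapped IPv6 addresses back to plain IPv4 so the case the original script misses is counted, and returns the IPs over a threshold together with the iptables drop rule that would be applied. The function names and the sample output are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ntu` output (not a real capture). The two
# tcp6 rows show IPv4 clients arriving over an IPv6 socket (::ffff: prefix).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:44000       ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:198.51.100.7:51237 ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.9:44001  TIME_WAIT
"""

MAPPED_V4 = re.compile(r"^::ffff:(\d+\.\d+\.\d+\.\d+)$", re.IGNORECASE)


def client_ip(foreign_address: str) -> str:
    """Strip the port from a netstat 'Foreign Address' value and fold an
    IPv4-mapped IPv6 address (::ffff:a.b.c.d) back to plain IPv4."""
    host, _, _port = foreign_address.rpartition(":")
    m = MAPPED_V4.match(host)
    return m.group(1) if m else host


def count_connections(netstat_output: str) -> Counter:
    """Count connections per client IP, skipping netstat header lines."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        counts[client_ip(fields[4])] += 1
    return counts


def over_threshold(counts: Counter, limit: int) -> list:
    """Client IPs whose connection count exceeds the limit, sorted."""
    return sorted(ip for ip, n in counts.items() if n > limit)


def drop_rule(ip: str) -> str:
    """The iptables rule the script would install; returned, not executed."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip in over_threshold(count_connections(SAMPLE_NETSTAT), limit=3):
        print(drop_rule(ip))
```

With the sample data, 198.51.100.7 is counted four times (including its mapped tcp6 row) and 203.0.113.9 twice, so only the first exceeds a limit of 3.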

II: TCP/IP stack hardening against SYN attacks, from http://www.symantec.com/connect/articles/hardening-tcpip-stack-syn-attacks

The configuration described there rests on three ideas: 1) increase the length of the TCP backlog queue so that it can hold more SYN_RECV (half-open) requests; 2) reduce the time a request may wait in the TCP queue, so that SYN_RECV half-open requests expire as soon as possible and their slots are freed for legitimate requests; 3) enable tcp_syncookies. TCP SYN cookies are described in detail at http://cr.yp.to/syncookies.html.

On Linux the three ideas are implemented as follows:
1) Increase the queue length:
# sysctl -w net.ipv4.tcp_max_syn_backlog=2048

2) Reduce the wait time:
Change the value in the /proc/sys/net/ipv4/tcp_synack_retries file (the number of SYN+ACK retransmissions; a smaller value expires half-open connections sooner).

3) Enable SYN cookies:
[root@jcwkyl ~]# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

III: An Apache module from http://dominia.org/djao/limitipconn2.html

This module, mod_limitipconn, limits the maximum number of connections to a directory or location.

IV: An Apache module from http://bwmod.sourceforge.net/

This module, mod_bw, limits the network bandwidth of a virtual host. It can cap the download speed of large files so that the server's bandwidth is not quickly exhausted.
