If you have root access, there are a couple of tools like mod_dosevasive which might give you protection up to an extent, though there is no foolproof, guaranteed solution for DDoS. Make the server secure in general, harden the security loopholes, install a firewall and enhance it. Take the help of any experienced server admins.
If you have root SSH access:
- Install mod_evasive
- Install APF
- Install DDoS Deflate: http://deflate.medialayer.com

If you're just a webmaster, add some script to deny bad requests and stop when server load goes high:

PHP:
<?php
// Reject requests with no User-Agent, a User-Agent containing "php",
// or a Referer pointing at a .swf file. Both headers may be absent,
// so read them defensively instead of indexing $_SERVER directly.
$ua  = isset($_SERVER['HTTP_USER_AGENT']) ? strtolower($_SERVER['HTTP_USER_AGENT']) : '';
$ref = isset($_SERVER['HTTP_REFERER']) ? strtolower($_SERVER['HTTP_REFERER']) : '';
if ($ua === '' || strpos($ua, 'php') !== false || strpos($ref, '.swf') !== false) {
    header('HTTP/1.1 403 Forbidden');
    exit('Bad request.');
}
// Shed load: answer 503 once the 1-minute load average exceeds 1.
if (function_exists('sys_getloadavg') && current(sys_getloadavg()) > 1) {
    header('HTTP/1.1 503 Service Unavailable');
    exit('High server load.');
}
?>
It's unlikely that if you need to ask how to prevent DDoS, you will be able to reliably provide the service to others. Preventing DDoS attacks is normally done by someone with a great deal of experience. While installing some Apache modules and firewalls can be helpful, there are many other things involved. The ability to read logs is probably the most important to stopping a DDoS attack. Once you understand the attack you can work to prevent it.
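As an added example in the spirit of the "read your logs" advice above (not code from this thread), the script below parses Apache combined-format access-log lines and flags clients that exceed a per-IP request rate in a sliding window, the same idea mod_evasive applies, or that send an empty User-Agent, as the PHP snippet earlier in the thread rejects. The regex, thresholds, IP addresses and log lines are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; regex and sample lines are constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d

def flag_flooders(lines, window_sec=10, threshold=5):
    """Flag IPs issuing more than `threshold` requests within any `window_sec`
    sliding window (per-IP deque of timestamps), plus IPs with an empty User-Agent.
    Returns {ip: reason}; the first reason seen for an IP is kept."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # unparsable line: skip rather than crash
        ip, ts = rec["ip"], rec["ts"]
        if rec["ua"] in ("", "-"):
            flagged.setdefault(ip, "empty user-agent")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_sec:
            q.popleft()             # drop timestamps that fell out of the window
        if len(q) > threshold:
            flagged.setdefault(ip, f"{len(q)} requests in {window_sec}s")
    return flagged

# Constructed sample: one client hammering index.php, one normal visitor,
# one client sending no User-Agent.
SAMPLE = (
    [f'198.51.100.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
     for s in range(8)]
    + ['203.0.113.9 - - [10/Oct/2023:13:55:03 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"']
    + ['192.0.2.44 - - [10/Oct/2023:13:55:04 +0000] "GET / HTTP/1.1" 200 300 "-" "-"']
)

if __name__ == "__main__":
    for ip, why in flag_flooders(SAMPLE).items():
        print(ip, why)
```

Pointing `SAMPLE` at the lines of a real access log turns this into the quick triage pass the poster describes: it tells you which sources and which request patterns make up the flood before you decide what to block.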
@OP - this is not like installing a firewall or some sort of software. DDoS protection is a really hard job to do, and the people that deal with the mitigation of such attacks are highly educated and qualified professionals... If you want to get protected, do not trust companies or people telling you that they could guard you for hundreds of dollars... the really good protection, the one that really stops the attacks, will more probably cost you thousands of dollars... That is the first thing you could look at... the price. You could tell by the price whether the service is good or bad...
Probably even if you install APF/CSF (it's better if you set up your iptables yourself), DDoS Deflate, mod_evasive, etc., you won't be able to stop a REAL attack.
Check http://forums.digitalpoint.com/showthread.php?t=1347937 - it's a good solution for DDoS. Use LiteSpeed; it too has strong DDoS protection.
I hate to burst the bubble, but stopping DDoS attacks by filtering the packets that reach your client still implies that you will receive them. So in order to stop it you need more bandwidth than the attacker. It still comes down to financial power and protection from the datacenter.
Take a closer look at the services provided by Akamai and similar companies. They create a distributed version of your exact website and serve up your content from the nearest electronic point to the end user. A denial of service attack against your website is actually against the data aggregation company like Akamai, and they aren't going down if you attack the end points. The attacker would have to target the root servers or distribution center of Akamai to make any disruption.
+1. We have some serious software firewalls in place and they will ban if the traffic gets suspicious. We really screwed up, though, on our first Slashdotting.