---
id: f364f3e7-e947-4e66-bd35-a17f1e744c5c
---

# DDoS Attack on Apache HTTP Server.
---

This incident type refers to a distributed denial-of-service (DDoS) attack on an Apache HTTP server. In a DDoS attack, a large number of requests are sent to the server, overwhelming its capacity to respond to legitimate requests. This can cause the server to become inaccessible to users and disrupt normal operations. Apache HTTP Server is a popular open-source web server software used by millions of websites, making it a common target for cyber attacks.

### Parameters
```shell
export INTERFACE="PLACEHOLDER"

export MAX_CONNECTIONS="PLACEHOLDER"

export MAX_REQUESTS="PLACEHOLDER"

export RATE_INTERVAL="PLACEHOLDER"
```

## Debug

### Check if Apache HTTP Server is running
```shell
systemctl status apache2
```

### Check Apache HTTP Server logs for any suspicious requests
```shell
tail -f /var/log/apache2/access.log
```

### Show connections per IP address to the web server
```shell
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
```

### Show which network interfaces are receiving the most traffic
```shell
iftop -i ${INTERFACE}
```

### Show the top 10 IP addresses with the most connections to the server
```shell
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
```

### Show the top 10 IPs with the most requests to the server
```shell
cat /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head
```

### Check if there are any open connections to the server
```shell
netstat -an | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
```

### Check if there are any SYN packets flooding the server
```shell
tcpdump -i ${INTERFACE} 'tcp[tcpflags] & tcp-syn != 0' | wc -l
```

## Repair

### Implement rate limiting: Implement rate-limiting to limit the number of requests a single IP address can make to the server.
```shell
bash

#!/bin/bash



# Set the maximum number of requests per IP address

MAX_REQUESTS=${MAX_REQUESTS}



# Set the time interval for rate limiting in seconds

RATE_INTERVAL=${RATE_INTERVAL}



# Configure iptables to limit the number of connections per IP address

iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above ${MAX_CONNECTIONS} --connlimit-mask 0 -j DROP



# Configure Apache to limit the number of requests per IP address

echo "LimitRequestBody 102400" >> /etc/httpd/conf/httpd.conf # Set the maximum request size

echo "MaxConnectionsPerChild 10000" >> /etc/httpd/conf/httpd.conf # Set the maximum number of connections per child process

echo "MaxRequestsPerChild 100" >> /etc/httpd/conf/httpd.conf # Set the maximum number of requests per child process

echo "${IFMODULE_MOD_EVASIVE_SO}" >> /etc/httpd/conf/httpd.conf

echo "DOSHashTableSize 3097" >> /etc/httpd/conf/httpd.conf

echo "DOSPageCount 10" >> /etc/httpd/conf/httpd.conf

echo "DOSSiteCount 50" >> /etc/httpd/conf/httpd.conf

echo "DOSPageInterval 1" >> /etc/httpd/conf/httpd.conf

echo "DOSSiteInterval 1" >> /etc/httpd/conf/httpd.conf

echo "DOSBlockingPeriod 60" >> /etc/httpd/conf/httpd.conf

echo "${_IFMODULE}" >> /etc/httpd/conf/httpd.conf



# Restart Apache to apply the changes

systemctl restart httpd


```

This incident type refers to a distributed denial-of-service (DDoS) attack on an Apache HTTP server. In a DDoS attack, a large number of requests are sent to the server, overwhelming its capacity to respond to legitimate requests. This can cause the server to become inaccessible to users and disrupt normal operations. Apache HTTP Server is a popular open-source web server software used by millions of websites, making it a common target for cyber attacks.


A DoS (Denial of Service) attack on a Tomcat server occurs when attackers flood the server with an overwhelming amount of traffic, causing the server to become unresponsive and unable to handle legitimate requests. This attack results in service disruptions, making the server unavailable to users. The goal of the DoS attack is to make the targeted service unavailable to its users, causing inconvenience or financial losses to the organization that operates the server.


DoS Attack on Tomcat Server

This incident type refers to an unauthorized access to directories in Apache HTTPD, which is a widely used web server software. It means that someone was able to access files or directories that they were not supposed to, without having proper authorization. This type of incident can potentially lead to sensitive data being exposed or even stolen, and can compromise the security of the server and the applications running on it.


Unauthorized Directory Access in Apache HTTPD.

The Slowloris Attack is a type of Denial of Service (DoS) attack that exploits a vulnerability in the Apache web server. It works by sending HTTP requests to the server and keeping those connections open for as long as possible, thereby using up all the available resources of the server and rendering it unresponsive to legitimate requests. As a result, the server becomes slow or unresponsive, causing downtime for the affected website or service. This type of attack can be detected and mitigated by implementing specific security measures and tools.


Slowloris Attack Detected on Apache server.

This incident type refers to the detection of SQL injection attempts in Apache web server logs. SQL injection is a type of cyber attack that exploits vulnerabilities in web applications allowing attackers to execute malicious SQL statements. In this incident, attackers are attempting to inject SQL code into the URI (Uniform Resource Identifier) of an Apache web server, potentially compromising the server's security and exposing sensitive information.


Apache SQL Injection Attempts in URI Incident

This incident type refers to a security vulnerability in the SSL/TLS configuration of the Apache HTTP Server, which can leave the server and its users vulnerable to attacks. The SSL/TLS configuration is responsible for encrypting the communication between the server and its clients, and if it is not configured properly, it can be exploited by hackers to intercept or modify sensitive data. This type of incident requires immediate attention from software engineers to ensure that the SSL/TLS configuration is properly configured to prevent any potential security threats.


Inadequate SSL/TLS Configuration for Apache HTTP Server.

```shell
export INTERFACE="PLACEHOLDER"

export MAX_CONNECTIONS="PLACEHOLDER"

export MAX_REQUESTS="PLACEHOLDER"

export RATE_INTERVAL="PLACEHOLDER"
```


### Check if Apache HTTP Server is running

```shell
systemctl status apache2
```

### Check Apache HTTP Server logs for any suspicious requests

```shell
tail -f /var/log/apache2/access.log
```

### Show connections per IP address to the web server

```shell
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
```

### Show which network interfaces are receiving the most traffic

```shell
iftop -i ${INTERFACE}
```

### Show the top 10 IP addresses with the most connections to the server

```shell
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
```

### Show the top 10 IPs with the most requests to the server

```shell
cat /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head
```

### Check if there are any open connections to the server

```shell
netstat -an | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
```

### Check if there are any SYN packets flooding the server

```shell
tcpdump -i ${INTERFACE} 'tcp[tcpflags] & tcp-syn != 0' | wc -l
```


### Implement rate limiting: Implement rate-limiting to limit the number of requests a single IP address can make to the server.

```shell
bash

#!/bin/bash



# Set the maximum number of requests per IP address

MAX_REQUESTS=${MAX_REQUESTS}



# Set the time interval for rate limiting in seconds

RATE_INTERVAL=${RATE_INTERVAL}



# Configure iptables to limit the number of connections per IP address

iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above ${MAX_CONNECTIONS} --connlimit-mask 0 -j DROP



# Configure Apache to limit the number of requests per IP address

echo "LimitRequestBody 102400" >> /etc/httpd/conf/httpd.conf # Set the maximum request size

echo "MaxConnectionsPerChild 10000" >> /etc/httpd/conf/httpd.conf # Set the maximum number of connections per child process

echo "MaxRequestsPerChild 100" >> /etc/httpd/conf/httpd.conf # Set the maximum number of requests per child process

echo "${IFMODULE_MOD_EVASIVE_SO}" >> /etc/httpd/conf/httpd.conf

echo "DOSHashTableSize 3097" >> /etc/httpd/conf/httpd.conf

echo "DOSPageCount 10" >> /etc/httpd/conf/httpd.conf

echo "DOSSiteCount 50" >> /etc/httpd/conf/httpd.conf

echo "DOSPageInterval 1" >> /etc/httpd/conf/httpd.conf

echo "DOSSiteInterval 1" >> /etc/httpd/conf/httpd.conf

echo "DOSBlockingPeriod 60" >> /etc/httpd/conf/httpd.conf

echo "${_IFMODULE}" >> /etc/httpd/conf/httpd.conf



# Restart Apache to apply the changes

systemctl restart httpd


```


DDoS Attack on Apache HTTP Server.

Overview

Parameters

Debug

Check if Apache HTTP Server is running

Check Apache HTTP Server logs for any suspicious requests

Show connections per IP address to the web server

Show which network interfaces are receiving the most traffic

Show the top 10 IP addresses with the most connections to the server

Show the top 10 IPs with the most requests to the server

Check if there are any open connections to the server

Check if there are any SYN packets flooding the server

Repair

Implement rate limiting: Implement rate-limiting to limit the number of requests a single IP address can make to the server.

Learn more

Related Runbooks

DoS Attack on Tomcat Server

Unauthorized Directory Access in Apache HTTPD.

Slowloris Attack Detected on Apache server.

Apache SQL Injection Attempts in URI Incident

Support