Question

I have an application that requires logon.

It is only possible to access the site via a single logon page.

I am concerned about DDOS and have (thanks to friends here) been able to write a script that will recognise potential DDOS attacks and lock the particular IP to prevent site access (also a security measure to prevent multiple password/username combination guesses).

Is there any value in blocking those IPs that offend with .htaccess. I can simply modify the file to prevent my server allowing access to the offending IP for a period of time but will it do any good? Will the incoming requests still bung up the system, even though .htaccess prevents them being served or will it reduce the load allowing genuine requests in?

It is worth noting that most of my requests will come from a limited range of genuine IPs, so the implementation I intend is along the lines of:

If DDOS attack suspected, Allow access only from IPs from which there has been a previous good logon for a set time period. Block all suspect IPs where there has been no good logon permanently, unless a manual request to unblock has been made.

Your sage advice would be greatly appreciated. If you think this is a waste of time, please let me know!

Implementation is pretty much pure PHP.


Solution

Load caused by a DDOS attack will be lower if blocked by .htaccess as the unwanted connections will be refused early and not allowed to call your PHP scripts.

Take for example a request made for the login script, your apache server will call the PHP script which will (I'm assuming) do a user lookup in a database of some kind. This is load.

Request <---> Apache <---> PHP <---> MySQL (maybe)

If you block an IP (say 1.2.3.4) your .htaccess will have an extra line like this:

Deny from 1.2.3.4

And the request will go a little like this:

Request <---> Apache <-x-> [Blocked]

And no PHP script or database calls will happen; this is less load than the previous example.

This also has the added bonus of preventing brute-force attacks on the login form. You'll have to decide when to add IPs to a blocklist, maybe when they give incorrect credentials 20 times in a minute or continuously over half an hour.

Firewall

It would be better to block the requests using a firewall though, rather than with .htaccess. This way the request never gets to Apache; it's a simple action for the server to drop the packet based on an IP address rule.

The line below is a shell command that (when run as root) will add an iptables rule to drop all packets originating from that IP address:

/sbin/iptables -I INPUT -s 1.2.3.4 -j DROP
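The decision logic the answer leaves open (when an IP crosses the "20 failures in a minute" threshold, combined with the asker's rule that IPs with a previous good logon are exempt) as an added example that is not part of the original question or answer. It is plain Python rather than the asker's PHP, the class and its methods are hypothetical names, and the IPs and timestamps are constructed sample data; it only emits the .htaccess and iptables lines, it does not apply them.

```python
from collections import defaultdict, deque

FAIL_LIMIT = 20       # failed logons allowed per window before blocking
WINDOW_SECONDS = 60   # sliding window length ("20 times in a minute")


class LogonGuard:
    """Count failed logons per IP in a sliding window; IPs with a prior
    good logon are trusted and never blocked (the asker's allowlist rule)."""

    def __init__(self, fail_limit=FAIL_LIMIT, window=WINDOW_SECONDS):
        self.fail_limit = fail_limit
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.trusted = set()                # IPs that completed a good logon
        self.blocked = set()

    def record(self, ip, ok, ts):
        """Record one logon attempt; return True if this attempt blocks the IP."""
        if ok:
            self.trusted.add(ip)
            self.failures.pop(ip, None)     # a good logon clears the failure history
            return False
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.fail_limit and ip not in self.trusted:
            self.blocked.add(ip)
            return True
        return False

    def htaccess_lines(self):
        return ["Deny from %s" % ip for ip in sorted(self.blocked)]

    def iptables_commands(self):
        return ["/sbin/iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(self.blocked)]


def run_sample():
    """Replay a constructed sequence of logon events (not real traffic)."""
    guard = LogonGuard()
    for i in range(20):                     # 20 failures in 20 seconds -> blocked
        guard.record("203.0.113.5", False, 1000 + i)
    guard.record("198.51.100.7", True, 1000)  # good logon first -> trusted
    for i in range(25):                     # later failures do not block a trusted IP
        guard.record("198.51.100.7", False, 1001 + i)
    for i in range(20):                     # 20 failures spread over 5 minutes -> not blocked
        guard.record("203.0.113.9", False, 1000 + 15 * i)
    return guard
```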
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow