HTTP Flood DDOS Attack – How to Mitigate the attack

by | Jan 27, 2021

Stuck with an HTTP Flood DDOS Attack? We can help you.

An HTTP flood attack overwhelms a web server with a large volume of HTTP requests. It is hard to recover from a DDoS attack once it is under way, so we find it very important to protect web servers against such attacks in advance.

As part of our Server Management Services, we assist our customers with several DDoS queries.

Today, let us see how we can mitigate an HTTP Flood DDOS Attack.


What is an HTTP flood DDoS attack?

It is a type of volumetric distributed denial-of-service (DDoS) attack that targets a server and saturates it with requests. Once the target can no longer respond to normal traffic, additional requests from real users are denied service.

  • How does it work?

HTTP flood attacks are a type of “layer 7” DDoS attack. In order to achieve maximum efficiency, malicious actors will commonly employ or create botnets.

By utilizing many devices infected with malware, an attacker is able to leverage their efforts by launching a larger volume of attack traffic.

Generally, there are two varieties of HTTP flood attacks:

HTTP GET attack

Here, multiple computers or other devices coordinate to send many requests for images, files, or other assets from the targeted server.

Once the target is inundated with incoming requests and responses, additional requests from legitimate traffic sources are denied service.

HTTP POST attack

Typically the server must process an incoming form or request and push the data into a persistence layer, most often a database. This work is expensive compared to the processing power and bandwidth needed to send the POST request in the first place.

The attack exploits this disparity in resource consumption: it sends many POST requests directly to the target server until its capacity is saturated and denial-of-service occurs.


How to mitigate HTTP Flood DDOS Attack

  • Set up a CAPTCHA test to check whether the requesting client is a bot.
  • Install the mod_security module

It uses a set of protection rules to monitor HTTP traffic and block suspicious or unwanted requests, such as SQL injection attempts.

In addition, we can write custom protection rules and add them to the mod_security configuration file /usr/local/apache/conf/mod_security.conf.

In order to limit the maximum amount of data that can be POSTed to a web application, we can tweak the following mod_security parameters:

  • Install mod_evasive Apache module

The mod_evasive Apache module tracks the IP addresses and pages requested from the Apache web server and blocks traffic from an IP once its requests to a page or to the site exceed the configured threshold. As a result, that client receives 403 Forbidden errors.

Below are some of the mod_evasive parameters that we tweak in the mod_evasive.conf file to prevent DDoS attacks.

  • Install DDoS Deflate

It is an effective tool for mitigating DDoS attacks for a limited number of websites. It is a bash script that uses netstat to identify and ban IPs that open too many connections to the server.

DDoS Deflate runs the following command to count the connections per remote IP.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Once an IP exceeds the threshold limit, the script automatically blocks that IP on the server.

It is possible for us to tweak the connection threshold, the frequency at which the script runs, and so on. To adjust these parameters, we edit the DDoS Deflate configuration file "/usr/local/ddos/ddos.conf".
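The per-IP counting and thresholding that DDoS Deflate performs, as an added example that is not the DDoS Deflate script itself. The netstat output is constructed sample data so it runs offline, and the variable names (NO_OF_CONNECTIONS, IGNORE_IPS) are my own, not read from ddos.conf.

```shell
#!/bin/sh
# Added example, not the DDoS Deflate script itself: it reproduces the per-IP
# connection count from the page's netstat pipeline, then applies a threshold
# and an ignore list before deciding which IPs to ban.
# NETSTAT_OUTPUT is constructed sample data standing in for `netstat -ntu`,
# so the script runs offline; the variable names below are my own.

NETSTAT_OUTPUT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.7:51237      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        TIME_WAIT
udp        0      0 203.0.113.10:123        192.0.2.9:123           ESTABLISHED'

NO_OF_CONNECTIONS=3               # ban when an IP has MORE than this many connections
IGNORE_IPS='127.0.0.1 192.0.2.9'  # never ban these (monitoring hosts, your own IP)

# Print "<count> <ip>" per remote IP, lowest count first. Same idea as the
# page's pipeline, but it reads $1 instead of live netstat and skips the
# header lines. NOTE: cut -d: breaks on IPv6 addresses, as the original does.
count_connections() {
    printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)/ {print $5}' | cut -d: -f1 \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Print the IPs that exceed the threshold and are not on the ignore list.
offenders() {
    count_connections "$1" | while read -r count ip; do
        case " $IGNORE_IPS " in *" $ip "*) continue ;; esac
        if [ "$count" -gt "$NO_OF_CONNECTIONS" ]; then
            echo "$ip"
        fi
    done
}

# Print, rather than run, the firewall command for each offender. DDoS Deflate
# applies the ban via APF or iptables; the DROP rule here is the iptables form.
ban_commands() {
    offenders "$1" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

ban_commands "$NETSTAT_OUTPUT"
```

Run as-is it only prints the ban commands; the ignore list matters because a naive version of this loop will happily ban your own monitoring host or load balancer.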

  • Software firewall

Similarly, to prevent these attacks on Apache, we need to tweak some parameters in the server's software firewall.

For example, in CSF, we enable and tweak parameters such as SYNFLOOD and PORTFLOOD to limit the connections on the Apache webserver port.

In the same way, we configure APF and iptables to mitigate DDoS.

For example, in iptables, we set a rule that limits the number of concurrent connections a single source IP may open to Apache port 80.

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

With this rule, once a source IP has more than 20 connections open to port 80, further connection attempts from it are rejected with a TCP reset.

  • Install Fail2ban

Fail2ban is a good option to prevent DDoS attacks on Apache. It matches a list of regular expressions against the server logs.

Like the above methods, once the number of matching log entries from an IP exceeds the threshold, it blocks that IP address in the firewall.

Fail2ban uses jails to define which services it has to protect.

For example, we add the following to the Fail2ban configuration file /etc/fail2ban/jail.local to enable an Apache DDoS jail.

[apache-auth]
# jail section header added; the name is assumed to match the filter below
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache2/*error.log
maxretry = 4          # bans after this many matches ...
findtime = 500        # ... within this many seconds
ignoreip = 10x.12x.1xx.xx7   # never ban this address (masked in the original)

  • Tweak Apache Configuration

We can also tweak Apache configuration parameters such as RequestReadTimeout, Timeout and KeepAliveTimeout to reduce the impact of these attacks.

For example, we can lower KeepAliveTimeout so that idle connections are released sooner. Similarly, we tune the MaxRequestWorkers directive so that the server can handle its maximum number of simultaneous connections without running out of resources.

  • Sysctl based protection

We can tune how the kernel handles connections in the SYN_SENT, SYN_RECV, TIME_WAIT and FIN_WAIT states by modifying the parameters below in the /etc/sysctl.conf file.

  • Setup Load balancer

The most robust option, however, is a load balancer such as HAProxy. At the web server level, we also limit the number of connections per client, limit the HTTP request rate, and so on.



To conclude, it's hard to recover from DDoS attacks. That's why protecting the web server against DDoS attacks is important. Today, we saw a few effective ways our Support Techs employ to keep these attacks from causing trouble.
