apache apache2 firewall ddos web-traffic

How can I stop my Apache 2.4 server from being DDoSed?


I have a VPS (Ubuntu 13.10) on which I run Apache 2.4. As soon as Apache starts, someone starts sending hundreds of requests. The majority (80%) of requests come from one or two IPs, and the rest come from dozens of others. I do not expect any traffic for my site (other than the occasional web crawler), since it is only a personal website.

This is the command I use to get the list of offending IPs:

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

I am only being attacked via Apache, and have not noticed any other DDoS traffic. The attack does not bring my server down (that I have noticed), it only makes it very slow. Should I be using an Apache module? I read about mod_evasive, but it looks old. What about a firewall rule?


Solution

  • I found a solution. Redirect the offending IPs with a blackhole route using this command:

    ip route add blackhole [ip]
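
An added example (not part of the original question or answer): it narrows the question's `netstat` pipeline to connections on the web ports, keeps IPv6 peers intact instead of cutting them at the first colon, and prints rather than runs the answer's `ip route add blackhole` command for each peer at or above a threshold. The function names, the threshold, the allow-list argument and the sample output (documentation address ranges) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list peers holding many connections to local ports 80/443
# and print (never execute) a blackhole route command for each one.

# Constructed sample of `netstat -ntu` output; addresses are documentation ranges.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51522       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51523       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51524       SYN_RECV
tcp        0      0 192.0.2.10:443          198.51.100.23:40100     ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.99:60000     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::bad:43210     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::bad:43211     ESTABLISHED
EOF
}

# count_web_peers: read netstat text on stdin and print "count ip" per remote
# peer for TCP connections whose local port is 80 or 443, busiest first.
count_web_peers() {
    awk '
        $1 ~ /^tcp/ {                       # skips the two header lines and UDP
            lport = $4; sub(/^.*:/, "", lport)
            if (lport != "80" && lport != "443") next
            peer = $5; sub(/:[0-9]+$/, "", peer)   # strip only the trailing port
            n[peer]++
        }
        END { for (p in n) print n[p], p }
    ' | sort -k1,1nr -k2,2
}

# blackhole_cmds THRESHOLD [ALLOWED_IP]: read "count ip" lines on stdin and
# print one command per peer with count >= THRESHOLD, never for ALLOWED_IP
# (for example the address you administer the server from).
blackhole_cmds() {
    awk -v t="$1" -v allow="${2:-}" \
        '$1 >= t && $2 != allow { print "ip route add blackhole " $2 }'
}

# Dry run on the constructed sample. On a live host, replace sample_netstat
# with `netstat -ntu` and review the printed commands before running them.
sample_netstat | count_web_peers | blackhole_cmds 3
```

Keeping the output as printed commands leaves a review step before any route is added, and a blackhole route added this way can be withdrawn with `ip route del blackhole [ip]`.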