4. Using a CDN and DDoS Protection Service
Sign up for a CDN and DDoS protection service such as Cloudflare and change your DNS records so that traffic reaches your server only through the provider's network; the edge absorbs volumetric floods and serves cached content, which reduces the load on your origin. Two things must also change on the origin for this to hold: restrict inbound HTTP(S) to the provider's published address ranges, because an attacker who learns the origin's IP can otherwise bypass the CDN entirely, and restore the real client address from the provider's header (for Cloudflare, CF-Connecting-IP, for example with Apache's mod_remoteip) so that the per-IP rules in ModSecurity and Fail2Ban count visitors rather than the CDN's edge nodes.
Conclusion
While .htaccess can provide basic filtering and rate limiting, a comprehensive DDoS protection strategy requires multiple layers of defense. Application-layer rules still cost the server a connection and a request parse per hit, so volumetric floods have to be absorbed upstream of the origin. By combining network-level protection, ModSecurity rules, Fail2Ban, and external services like CDNs and DDoS protection services, you can effectively mitigate the impact of DDoS attacks on your website.
# Load ModSecurity (v2.x directives)
LoadModule security2_module modules/mod_security2.so
SecRuleEngine On
SecRequestBodyAccess On
# Persistent collections (the IP counter below) need a writable data directory;
# the path is an example, adjust it to your layout
SecDataDir /var/cache/modsecurity

# Basic DDoS Protection Rules
# Matching User-Agent keywords also blocks search-engine crawlers and is
# trivially evaded by changing the string; treat it as a nuisance filter, not a
# DDoS control, and allowlist the crawlers you depend on before enabling it
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)(bot|crawler|spider|scanner|curl|wget|python|perl)" \
    "id:1000001,phase:1,deny,status:403,msg:'Blocking bot traffic',log"

# Rate limiting: block an IP after 100 requests in 60 seconds
# Collection variables are written ip.counter (not ip_counter). The counter is
# checked before it is incremented, so @ge 100 denies the 101st request.
# expirevar is re-applied on every counted request, so the counter only clears
# once the client has been idle for 60 seconds. Behind a CDN, REMOTE_ADDR is
# the CDN's edge address unless the real client address is restored (for
# example with mod_remoteip); otherwise every visitor shares one counter.
SecAction "id:1000002,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
SecRule IP:counter "@ge 100" \
    "id:1000003,phase:1,deny,status:429,msg:'Too many requests from IP',log"
SecAction "id:1000004,phase:1,nolog,pass,setvar:ip.counter=+1,expirevar:ip.counter=60"

# Protect against HTTP flood attacks on keep-alive connections
# Denying every request that carries "Connection: Keep-Alive" rejects ordinary
# browsers, so a ModSecurity rule on that header is not usable. Bound how long
# an idle keep-alive connection can occupy a worker with Apache's own
# directives instead (values are examples):
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5

# Block requests with an invalid Referer
# Evaluated only when a Referer header is present: direct visits, bookmarks and
# privacy-conscious browsers send none and must not be rejected. The header is
# attacker-controlled, so this catches careless hotlinking and cross-site form
# abuse, not a determined flood.
SecRule &REQUEST_HEADERS:Referer "@eq 1" \
    "id:1000006,phase:1,deny,status:403,msg:'Invalid referrer',log,chain"
    SecRule REQUEST_HEADERS:Referer "!@rx ^https://(www\.)?yourdomain\.com(/|$)"

# Additional custom rules for specific attack patterns
# (Add more rules based on the specific traffic patterns you observe)
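The following Python is an added example, not code from the original article: it models the per-IP ModSecurity counter above (100 requests, 60-second expiry, checked before the increment) and runs it on constructed traffic to show what happens once requests arrive through the CDN from section 4. The proxy range, the addresses and the request streams are all made up for the demo; the client_ip() helper, the IpCounter class and the demo() function are this example's own names, and in production the trusted range must be loaded from the CDN provider's published list.

```python
"""Model of the article's ModSecurity per-IP counter, run behind a CDN.

Added example, not part of the original article. The proxy range, addresses
and traffic are constructed for the demo.
"""
import ipaddress

# Assumption: the CDN's egress range. Constructed placeholder, not a real list.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
LIMIT, WINDOW = 100, 60          # same numbers as the article's rule


def client_ip(peer_addr, headers, trusted=TRUSTED_PROXIES):
    """Address to count on. The CDN's client-IP header is honoured only when
    the TCP peer is a trusted proxy; from anyone else it is attacker-controlled
    and trusting it would let one host spread its requests over fake IPs."""
    peer = ipaddress.ip_address(peer_addr)
    if any(peer in net for net in trusted):
        try:
            return str(ipaddress.ip_address(headers.get("CF-Connecting-IP", "").strip()))
        except ValueError:
            pass                     # header missing or malformed: use the peer
    return str(peer)


class IpCounter:
    """Mirrors initcol:ip, SecRule IP:counter "@ge 100" deny, and
    setvar:ip.counter=+1,expirevar:ip.counter=60. Because expirevar is
    re-applied on every counted request, the TTL slides: the counter clears
    only after the client has been idle for WINDOW seconds."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.state = {}                      # ip -> (count, expiry time)

    def check(self, ip, now):
        """Return the HTTP status the rule set would produce at time `now`."""
        count, expiry = self.state.get(ip, (0, now))
        if now >= expiry:                    # collection expired: start over
            count = 0
        if count >= self.limit:
            return 429                       # deny fires before the increment
        self.state[ip] = (count + 1, now + self.window)
        return 200


def simulate(requests, key):
    """Feed constructed (peer, headers) requests, one per second, through a
    single counter keyed by key(peer, headers); return the status codes."""
    counter = IpCounter()
    return [counter.check(key(peer, headers), now=t)
            for t, (peer, headers) in enumerate(requests)]


# Constructed traffic: 150 distinct users, one request each, all arriving via
# one CDN edge address with the header carrying each user's real address.
EDGE = "203.0.113.10"
via_cdn = [(EDGE, {"CF-Connecting-IP": f"198.51.100.{i + 1}"}) for i in range(150)]

# Constructed traffic: one attacker hitting the origin directly (bypassing the
# CDN) and forging the header with a different address on every request.
ATTACKER = "192.0.2.66"
direct = [(ATTACKER, {"CF-Connecting-IP": f"10.0.{i // 256}.{i % 256}"})
          for i in range(150)]


def by_peer(peer, headers):           # what REMOTE_ADDR holds without mod_remoteip
    return peer


def by_header(peer, headers):         # blind trust in the header, no peer check
    return headers.get("CF-Connecting-IP", peer)


def demo():
    """Number of 429 responses out of 150 requests in each scenario."""
    return {
        # keyed on the edge address: users 101-150 are refused although each
        # sent a single request
        "cdn_by_peer": simulate(via_cdn, by_peer).count(429),
        # keyed on the recovered client address: nobody is limited
        "cdn_correct": simulate(via_cdn, client_ip).count(429),
        # blind trust lets the direct attacker evade the limit entirely
        "direct_by_header": simulate(direct, by_header).count(429),
        # with the peer check the forged header is ignored and the limit holds
        "direct_correct": simulate(direct, client_ip).count(429),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {blocked} of 150 requests rejected with 429")
```

The two failure modes are symmetric: trusting the peer address alone behind a CDN punishes everyone for the traffic of the many, while trusting the header from an arbitrary peer lets a single host count as many. Only the combination, honour the header when and only when the connection comes from the provider's range, keeps the counter tied to the real client.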