ddos attack

hello
i have one urgent problem my server have ddos attack
when my server under attack i see this log :
190.98.162.22 - - [13/Oct/2015:18:00:49 -0400] “GET / HTTP/1.1” 500 654 “-” “Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0”
114.35.178.76 - - [13/Oct/2015:18:00:50 -0400] “GET // HTTP/1.0” 500 614 “-” “Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)”
41.220.28.51 - - [13/Oct/2015:18:00:54 -0400] “GET / HTTP/1.1” 403 530 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
52.74.86.182 - - [13/Oct/2015:18:00:54 -0400] “GET / HTTP/1.1” 403 530 “-” “Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) App3leWebKit/53.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1”
219.93.183.94 - - [13/Oct/2015:18:00:54 -0400] “GET / HTTP/1.1” 403 530 “-” “Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) App3leWebKit/53.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1”
52.74.86.182 - - [13/Oct/2015:18:00:50 -0400] “GET / HTTP/1.1” 500 654 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1”
94.199.122.171 - - [13/Oct/2015:18:00:49 -0400] “GET / HTTP/1.1” 500 654 “-” “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11”

please help me how to can stop it custom rule?

best regards

HI

As far as I know it’s not possible to establish (D)DOS protection using only mod_security rules.

But there is a lot of utils targeting this goal:

Regards, Oleg

hello
i installed dos deflate
i installed csf and syn flood active
mod_evasive not installed in apache 2.4 this is old and this have problem in centos6 apache 2.4
i need rule modsecurity because i think this is very better

when my server is under attack i see on netstat ip count ~13000 ip
Every ip = 1 request
few days ago in the log i see wordpress ping back attack
this new attack is Very similar wordpress ping back :
see one log :
190.98.162.22 - - [13/Oct/2015:18:00:49 -0400] “GET / HTTP/1.1” 500 654 “-” “Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0”
114.35.178.76 - - [13/Oct/2015:18:00:50 -0400] “GET // HTTP/1.0” 500 614 “-” “Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)”
41.220.28.51 - - [13/Oct/2015:18:00:54 -0400] “GET / HTTP/1.1” 403 530 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”

this is user agent ? “-”
?

As per your log the IP is already getting a forbidden page. If you want to block it , use fail2ban or you can also use CSF and can change it setting to monitor error_log file to block IP causing same error multiple time.