Welcome to WebmasterWorld Guest from

Forum Moderators: Ocean10000 & incrediBILL & phranque

Message Too Old, No Replies

Throttling bad bots automatically?

mod_throttle gone, alternative?



7:54 pm on Oct 13, 2010 (gmt 0)

10+ Year Member

I would like my Apache server to fail gracefully with an HTTP 503 when some bot comes along and hammers the site relentlessly.

It doesn't seem to be doing this -- one one of my single-server sites we had an event today, and the bot was able to successfully crowd out most other requests.

Ideally, a given IP could be limited to a certain number of requests or sustained hit rate, or something like that. I think this is what the old mod_throttle was supposed to do, but it doesn't exist any more.

Any good ideas out there so I don't have to reinvent a wheel?

The site uses Drupal (PHP) which is a total memory pig ... a typical high value is 37MB per child process (Yikes!).

My server settings are currently:

<IfModule mpm_prefork_module>
StartServers 2
MinSpareServers 2
MaxSpareServers 2
# Set MaxClients down from 28 after out of memory event, typical client uses 37MB, usually at least 700MB free for Apache.
MaxClients 14
MaxRequestsPerChild 500

Even after the server had hit what appeared to be MaxClients (based on my monitoring stats) it was not logging anything like a 503 error.

Instead, it's looking like requests are getting queued somewhere. There's no proxy (e.g. squid).

Any good ideas on how I can address this without manual blocking (which is what we did to get rid of this one).

(Server: Apache 2.2 with PHP 5.2, MySQL, Ubuntu recent with Drupal 6.x custom code.)




6:29 pm on Oct 14, 2010 (gmt 0)

5+ Year Member

There is mod_qos and mod_evasive:



Featured Threads

Hot Threads This Week

Hot Threads This Month