Mod_evasive on IIS

Photo of author
Written By Jan Reilink

Windows Server system administrator & enthusiast.

Mod_evasive is a module for Apache and Windows Server IIS (using Helicon Ape). It provides protection and evasive action in the event of an HTTP DoS-, DDoS or brute force attack. Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denies an IP address access to a website if it’s requesting the same page more than 10 times a second. This is configurable.

Properly configured and tested, mod_evasive can provide great security and protection against Denial of Service (DoS)- or Distributed Denial of Service (DDoS), and brute force attacks. Not so properly configured, it’s a pain…

With mod_evasive available and enabled, you have one more way of making Helicon Ape act like a web application firewall for Windows Server IIS. Did you know you can use Ape as a proxy? I wrote about RewriteProxy in IIS earlier.

Jonathan Zdziarski’s Mod_evasive ([2]) is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and et cetera.

Mod_evasive presently reports abuses via email and syslog facilities.

Configure mod_evasive in Windows Server IIS with Helicon Ape

To enable mod_evasive in Windows Server IIS, you need to have Helicon Ape installed. Helicon Ape provides support for Apache .htaccess and .htpasswd configuration files in Microsoft IIS.

Helicon Ape is implemented as a managed IIS 7+ module.

Load mod_evasive module

Once you have Helicon Ape installed, you can enable and load the mod_evasive module in your web server’s httpd.conf configuration file. Look for the line

# LoadModule evasive_module modules/
Code language: Apache (apache)

Next, remove the #. The line then becomes:

LoadModule evasive_module modules/
Code language: Apache (apache)

After you saved your new httpd.conf and restarted IIS, mod_evasive is active but still without a configuration. So it does nothing. A default mod_evasive configuration would be:

DOSHashTableSize 1048 DOSPageCount 10 DOSSiteCount 150 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 120
Code language: Apache (apache)

This would block clients who request the same URI more than 10 times in one second, or 150 requests for any object (URI) by the same client within one second. To protect your IIS web server from excessive requests, you may choose other values for DOSPageCount and DOSPageInterval, like 5 and 2 for instance (five requests in two seconds).

How to exclude an URL or website from mod_evasive?

Can I exclude one website from this mod_evasive configuration? Yes you can. A global configuration which restricts requests and traffic can be undesired and unwanted for some of your customers. You can exclude one or more URL’s (websites) by using <VirtualHost> directives in your httpd.conf file.

The Helicon Ape mod_evasive module has to be loaded globally, so directly underneath that, put the following <VirtualHost>‘s:

LoadModule evasive_module modules/ <VirtualHost> # Nothing </VirtualHost> <VirtualHost *:80> DOSHashTableSize 2048 DOSPageCount 10 DOSSiteCount 150 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 120 DOSCloseSocket On # or Off </VirtualHost>
Code language: Apache (apache)

The :80 (or :443 for SSL/TLS enabled websites) is mandatory, this might be due to a bug in Helicon Ape’s mod_evasive module.

What this does is:

  • Helicon Ape loads the evasive_module using LoadModule
  • Then we create a <VirtualHost> for the URL/website we want to exclude from mod_evasive’s configuration (
    • We do that by not putting in a configuration.
  • The next <VirtualHost> contains mod_evasive settings for all websites not matched by a previous VirtualHost setting.

Mod_evasive in practice

Unfortunately I found mod_evasive practically unusable in an enterprise hosting environment: clients are blocked when viewing large PDF documents because the browser (or PDF plugin) requests the file by Content-Range response header:

The Content-Range entity-header is sent with a partial entity-body to specify where in the full entity-body the partial body should be applied.

This can result in some 38 HTTP requests for a 4.1 MB large PDF file. I had mod_evasive set to 15 requests in one second (DOSPageCount: 15, DOSPageInterval: 1). I haven’t found a way around this, have you? Please let me know in the comments, thanks!

This was learn how to set up website DDoS protection with .htaccess and mod_evasive on Windows Server IIS.

Did you like: Mod_evasive on IIS

Then please, take a second to support Sysadmins of the North and donate!

Your generosity helps pay for the ongoing costs associated with running this website like coffee, hosting services, library mirrors, domain renewals, time for article research, and coffee, just to name a few.

Hi! Join the discussion, leave a reply!