Mod_evasive on IIS

Website DDoS protection with mod_evasive. Mod_evasive is a module for Apache and Windows Server IIS (using Helicon Ape). It provides protection and evasive action in the event of an HTTP DoS-, DDoS or brute force attack. Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denies an IP address access to a website if it’s requesting the same page more than 10 times a second. This is configurable.

Properly configured and tested, mod_evasive can provide great security and protection against Denial of Service (DoS)- or Distributed Denial of Service (DDoS), and brute force attacks. Not so properly configured, it’s a pain…

With mod_evasive available and enabled, you have one more way of making Helicon Ape act like a web application firewall for Windows Server IIS. Did you know you can use Ape as a proxy? I wrote about RewriteProxy in IIS earlier.

Jonathan Zdziarski’s Mod_evasive ([2]) is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and et cetera.

Mod_evasive presently reports abuses via email and syslog facilities.

Configure mod_evasive in Windows Server IIS with Helicon Ape

To enable mod_evasive in Windows Server IIS, you need to have Helicon Ape installed. Helicon Ape provides support for Apache .htaccess and .htpasswd configuration files in Microsoft IIS.

Helicon Ape is implemented as a managed IIS 7+ module.

Load mod_evasive module

Once you have Helicon Ape installed, you can enable and load the mod_evasive module in your web server’s httpd.conf configuration file. Look for the line

# LoadModule evasive_module modules/mod_evasive.soCode language: Apache (apache)

Next, remove the #. The line then becomes:

LoadModule evasive_module modules/mod_evasive.soCode language: Apache (apache)

After you saved your new httpd.conf and restarted IIS, mod_evasive is active but still without a configuration. So it does nothing. A default mod_evasive configuration would be:

DOSHashTableSize    1048
DOSPageCount        10
DOSSiteCount        150
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   120Code language: Apache (apache)

This would block clients who request the same URI more than 10 times in one second, or 150 requests for any object (URI) by the same client within one second. To protect your IIS web server from excessive requests, you may choose other values for DOSPageCount and DOSPageInterval, like 5 and 2 for instance (five requests in two seconds).

How to exclude an URL or website from mod_evasive?

Can I exclude one website from this mod_evasive configuration? Yes you can. A global configuration which restricts requests and traffic can be undesired and unwanted for some of your customers. You can exclude one or more URL’s (websites) by using <VirtualHost> directives in your httpd.conf file.

The Helicon Ape mod_evasive module has to be loaded globally, so directly underneath that, put the following <VirtualHost>‘s:

LoadModule evasive_module modules/

  # Nothing

<VirtualHost *:80>
  DOSHashTableSize    2048
  DOSPageCount        10
  DOSSiteCount        150
  DOSPageInterval     1
  DOSSiteInterval     1
  DOSBlockingPeriod   120
  DOSCloseSocket On # or Off
</VirtualHost>Code language: Apache (apache)

The :80 (or :443 for SSL/TLS enabled websites) is mandatory, this might be due to a bug in Helicon Ape’s mod_evasive module.

What this does is:

  • Helicon Ape loads the evasive_module using LoadModule
  • Then we create a <VirtualHost> for the URL/website we want to exclude from mod_evasive’s configuration (
    • We do that by not putting in a configuration.
  • The next <VirtualHost> contains mod_evasive settings for all websites not matched by a previous VirtualHost setting.

Mod_evasive in practice

Unfortunately I found mod_evasive practically unusable in an enterprise hosting environment: clients are blocked when viewing large PDF documents because the browser (or PDF plugin) requests the file by Content-Range response header:

The Content-Range entity-header is sent with a partial entity-body to specify where in the full entity-body the partial body should be applied.

This can result in some 38 HTTP requests for a 4.1 MB large PDF file. I had mod_evasive set to 15 requests in one second (DOSPageCount: 15, DOSPageInterval: 1). I haven’t found a way around this, have you? Please let me know in the comments, thanks!

This was learn how to set up website DDoS protection with .htaccess and mod_evasive on Windows Server IIS.

Jan Reilink

Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely an application manager / systems administrator, doing my daily thing at Embrace - The Human Cloud. In the past I worked for clidn and Vevida. With over 20 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization. I blog at