
I have two Apache instances behind a load balancer that I transfer the requests to, depending on the request type.

Now what I want: when I get too many transactions from an IP address, I want to block that IP for a few seconds and send back a response telling the client that it has sent too many requests.

So now the question: is there any way that we can handle this situation on my load balancer rather than calling my instances?

How can I handle this on Apache? I am using Apache version 2.2.

Rui F Ribeiro
Developer

1 Answer

I would advise you to set up mod_evasive in Apache.

From mod_evasive on Apache

mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities.

To install it in Debian:

apt-get install libapache2-mod-evasive

Then edit mods-available/evasive.conf. Your values may vary depending on how many vhosts you have on the server.

<IfModule mod_evasive20.c>
    DOSHashTableSize 2048
    # visits to the same page from one IP within DOSPageInterval
    DOSPageCount 50
    # visits to any page of the site from one IP within DOSSiteInterval
    DOSSiteCount 500
    # seconds
    DOSPageInterval 2.0
    DOSSiteInterval 1.0
    # seconds an offending IP stays blocked
    DOSBlockingPeriod 600.0
    DOSLogDir /var/log/apache2/evasive
    DOSWhitelist 127.0.0.1
    DOSWhitelist x.x.x.*
</IfModule>

To enable the new mod_evasive configuration, you have to restart Apache.

You might also be interested in commercial services like CloudFlare or Amazon CloudFront.

Rui F Ribeiro
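To see what the thresholds in the evasive.conf above actually do before restarting Apache, here is an added, stand-alone model of them (example code written for this answer, not mod_evasive's own source): it keeps the same per-IP counters that DOSPageCount/DOSPageInterval, DOSSiteCount/DOSSiteInterval, DOSBlockingPeriod and DOSWhitelist express, and replays constructed requests through them. mod_evasive answers a blocked client with HTTP 403, which the model mirrors; the client addresses, pages and timestamps below are constructed, and the `192.0.2.*` whitelist entry stands in for the `x.x.x.*` placeholder.

```python
"""Replay constructed requests through a model of mod_evasive's thresholds."""
from collections import defaultdict, deque
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class EvasiveConfig:
    # Defaults are the values from the evasive.conf in the answer.
    page_count: int = 50            # DOSPageCount
    site_count: int = 500           # DOSSiteCount
    page_interval: float = 2.0      # DOSPageInterval, seconds
    site_interval: float = 1.0      # DOSSiteInterval, seconds
    blocking_period: float = 600.0  # DOSBlockingPeriod, seconds
    # DOSWhitelist entries; "192.0.2.*" is a constructed stand-in for x.x.x.*
    whitelist: tuple = ("127.0.0.1", "192.0.2.*")


class RateLimiter:
    def __init__(self, cfg: EvasiveConfig):
        self.cfg = cfg
        self.page_hits = defaultdict(deque)  # (ip, page) -> request timestamps
        self.site_hits = defaultdict(deque)  # ip -> request timestamps
        self.blocked_until = {}              # ip -> time the block expires

    @staticmethod
    def _prune(q: deque, now: float, window: float) -> None:
        # Drop timestamps that fell out of the sliding window.
        while q and now - q[0] > window:
            q.popleft()

    def check(self, ip: str, page: str, now: float) -> int:
        """Return the status Apache would answer with: 200 (served) or 403 (blocked)."""
        if any(fnmatch(ip, pat) for pat in self.cfg.whitelist):
            return 200
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            # A client that keeps hammering while blocked keeps its block extended.
            self.blocked_until[ip] = now + self.cfg.blocking_period
            return 403
        pq = self.page_hits[(ip, page)]
        self._prune(pq, now, self.cfg.page_interval)
        pq.append(now)
        sq = self.site_hits[ip]
        self._prune(sq, now, self.cfg.site_interval)
        sq.append(now)
        if len(pq) > self.cfg.page_count or len(sq) > self.cfg.site_count:
            self.blocked_until[ip] = now + self.cfg.blocking_period
            return 403
        return 200


def replay(cfg: EvasiveConfig, requests):
    """requests: iterable of (timestamp, ip, page). Returns one status per request."""
    rl = RateLimiter(cfg)
    return [rl.check(ip, page, t) for t, ip, page in requests]


def demo() -> dict:
    """Constructed traffic: one client bursts /login 60 times in 1.2 s, one browses
    normally, one is the local health check. Returns blocked counts per client."""
    burst = [(i * 0.02, "203.0.113.7", "/login") for i in range(60)]
    normal = [(i * 0.5, "198.51.100.2", "/") for i in range(4)]
    local = [(0.3, "127.0.0.1", "/status")]
    reqs = sorted(burst + normal + local)
    statuses = replay(EvasiveConfig(), reqs)
    blocked = defaultdict(int)
    for (_, ip, _), status in zip(reqs, statuses):
        if status == 403:
            blocked[ip] += 1
    return dict(blocked)


if __name__ == "__main__":
    print(demo())  # the bursting client loses its 51st request onward
```

Only the bursting client is refused, and only from the 51st hit on the same page within the 2-second window; the normal browser and the whitelisted local check never see a 403. Swap in the real numbers you expect from your own traffic (and from the balancer, if it forwards with a single source address, which would make every client count as one IP) before committing values to evasive.conf.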