Today we received another DDoS attack on one of our clusters.
99% of the DDoS attacks we receive are floods on port 80: not real SYN floods, just a large stream of garbage sent to port 80 from thousands of hosts. Apache answers every one of those connections by spawning a child process, and eventually it locks up.
About two weeks ago I read about Varnish. This high-performance HTTP proxy also seems to be a real life-saver when it comes to DDoS attacks.
Since we were really out of options, I gave Varnish a go and installed it on our webservers. I configured Apache to listen on 127.0.0.1:80 and Varnish to listen on the public IP.
After doing this on 10 webservers I sat back and watched everything come back to life!
This is because Varnish only forwards an HTTP request to the backend (Apache in this case) once it has received the complete request. Connections that never turn into a valid HTTP request are answered or dropped by Varnish itself, so Apache is protected from all the garbage and from spawning useless children for it.
So if you ever get hit by a DDoS (and I really hope you don't!), keep Varnish in mind for saving yourself!
At the moment Varnish really looks like a permanent solution in our hosting environment. With some special Apache modules you can make it a transparent proxy, so that Apache logs and access rules still see the real client address instead of 127.0.0.1; see mod_extract_forwarded2.
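The setup described above (Apache bound to the loopback address, Varnish on the public IP, the client address handed to Apache in a header), as an added example that is not from the original post. It is written in Varnish 4.0 VCL syntax, which is newer than the Varnish release the post was written against; the backend name, the timeouts and the `max_connections` value are assumed values, not anything the post specifies.

```vcl
vcl 4.0;

# Apache listens on the loopback address only; Varnish is what the public IP exposes.
backend apache {
    .host = "127.0.0.1";
    .port = "80";
    .connect_timeout       = 1s;
    .first_byte_timeout    = 30s;
    .between_bytes_timeout = 10s;
    # Assumed value: cap how many Apache children Varnish can occupy at once,
    # so that traffic which does get through still cannot exhaust prefork's
    # MaxClients the way the raw flood did.
    .max_connections       = 200;
}

sub vcl_recv {
    # By the time this runs Varnish has already parsed a complete request line
    # and header block. Connections that never produce one are answered with a
    # 400 or closed by Varnish itself and never open a backend connection.

    # Methods Apache has no business seeing are answered by Varnish directly.
    if (req.method != "GET" &&
        req.method != "HEAD" &&
        req.method != "POST" &&
        req.method != "PUT" &&
        req.method != "DELETE" &&
        req.method != "OPTIONS") {
        return (synth(405, "Method not allowed"));
    }

    # Apache only ever sees 127.0.0.1 as the TCP peer, so pass the real client
    # address along. Overwrite rather than append: with Varnish as the only proxy
    # in front of Apache, the peer address is the only value worth trusting, and a
    # client-supplied X-Forwarded-For must not survive into Apache's logs or ACLs.
    set req.http.X-Forwarded-For = client.ip;

    # Requests with bodies or credentials go to Apache uncached, but still only
    # after Varnish has accepted them as well-formed HTTP.
    if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
    }
    if (req.http.Authorization || req.http.Cookie) {
        return (pass);
    }
    return (hash);
}
```

On the Apache side this needs `Listen 127.0.0.1:80` in the ports configuration, and varnishd started with `-a` pointing at the public address (for example `varnishd -a 203.0.113.10:80 -f /etc/varnish/default.vcl`, with an address from the documentation range standing in for the real one). Whatever module recovers the client address from X-Forwarded-For, whether mod_extract_forwarded2 as in the post or mod_remoteip on Apache 2.4, should be told to trust only 127.0.0.1 as the proxy, so the header is honoured exclusively when it arrived through Varnish.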