The first thing to do is to use a tool like "ab" for performance benchmarking:
ab -n 500 -c 10 http://www.domain.com/index.html
where n is the number of requests and c is the concurrency level. Run the command before and after the performance tuning and analyze the output. You need to check whether the time taken by the webserver to deliver the result has improved.
1. Apache modules and settings
a) RequestReadTimeout
Syntax:
RequestReadTimeout [header=timeout[-maxtimeout][,MinRate=rate] [body=timeout[-maxtimeout][,MinRate=rate]
As seen above, timeouts can be set for both the request header and the request body from the client. Set this to a low value to make sure both header and body time out after the configured time.
b) Timeout
This directive defines the time that an Apache process will wait for I/O. The default value is 60 seconds and you should lower it to, say, 10-20 seconds in case of DDoS attacks. Some CGI scripts that need more execution time may face issues due to this.
c) KeepAlive and KeepAliveTimeout
Most webhosts disable KeepAlive during a DDoS attack, but doing so hurts the server's performance in turn. A better idea is to decrease KeepAliveTimeout to 2 (default 5) and keep KeepAlive enabled.
d) LimitRequestBody
This defines the allowed size of the request message body. During DDoS attacks, set this server-wide. The default value is 0, which means unlimited. Set it to 100MB and see if it improves the performance.
e) LimitRequestFields
This directive limits the number of request header fields accepted from the client. Set this to a value between 40-50.
LimitRequestFields 40 (default is 100)
f) LimitRequestFieldSize
This limits the size of the HTTP request header allowed from the client. The default is 8190 and is hard coded when it is recompiled. Decrease this value to half.
LimitRequestFieldSize 4095
g) LimitRequestLine
This limits the size of the HTTP request line that will be accepted from the client.
LimitRequestLine 4095 (default is 8190)
h) LimitXMLRequestBody
This limits the size of an XML type body request.
LimitXMLRequestBody 500000 (defaults to 1000000)
i) MaxRequestWorkers
A webserver should never use swap, as doing so further decreases the server's performance and increases the server load drastically. You should tune this directive to make sure that Apache doesn't spawn so many child processes that it starts swapping.
It is the upper limit for the number of connections configured for Apache.
It is the maximum number of simultaneous connections that will be processed by the Apache web server. This value should never exceed the ServerLimit set. Extra care should be taken while setting the MaxClients value, as any slight variation could badly affect the overall server's performance.
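To check a server against the values suggested above, the following added example (not part of the original article) audits a configuration and reports every directive whose effective value is looser than the article's recommendation. It assumes a flat, server-wide config without container overrides, reads "100MB" as 100 * 1024 * 1024 bytes, and uses the defaults quoted in the article when a directive is absent; the sample config is constructed.

```python
import re

# Ceilings recommended in the article above, keyed by lower-cased directive
# name (Apache directive names are case-insensitive).
CEILING = {
    "timeout": 20, "keepalivetimeout": 2,
    "limitrequestbody": 100 * 1024 * 1024, "limitrequestfields": 50,
    "limitrequestfieldsize": 4095, "limitrequestline": 4095,
    "limitxmlrequestbody": 500000,
}
# Defaults as quoted in the article; they apply when a directive is absent.
DEFAULT = {
    "timeout": 60, "keepalivetimeout": 5, "limitrequestbody": 0,
    "limitrequestfields": 100, "limitrequestfieldsize": 8190,
    "limitrequestline": 8190, "limitxmlrequestbody": 1000000,
}
# Matches "Directive <integer>"; comment lines (leading '#') never match.
DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s+(\d+)\s*$")

def effective_settings(conf_text):
    """Return {directive: int}; the last occurrence wins. Assumption: flat,
    server-wide config with no <VirtualHost>/<Directory> overrides."""
    seen = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            seen[m.group(1).lower()] = int(m.group(2))
    return seen

def audit(conf_text):
    """Return sorted findings as (directive, effective_value, ceiling)."""
    seen = effective_settings(conf_text)
    findings = []
    for name, ceiling in CEILING.items():
        value = seen.get(name, DEFAULT[name])
        unlimited = value == 0 and name.startswith("limit")  # 0 = no limit
        if unlimited or value > ceiling:
            findings.append((name, value, ceiling))
    # Article: MaxRequestWorkers should never exceed ServerLimit.
    workers, limit = seen.get("maxrequestworkers"), seen.get("serverlimit")
    if workers is not None and limit is not None and workers > limit:
        findings.append(("maxrequestworkers", workers, limit))
    return sorted(findings)

# Constructed sample config, not taken from a real server.
SAMPLE_CONF = "Timeout 60\nKeepAlive On\nKeepAliveTimeout 2\n" \
    "LimitRequestFields 40\nLimitRequestLine 4095\n" \
    "ServerLimit 256\nMaxRequestWorkers 400\n"

if __name__ == "__main__":
    for name, value, ceiling in audit(SAMPLE_CONF):
        print(f"{name}: effective {value}, recommended <= {ceiling}")
```

Directives that are missing from the file are reported too, because the default then applies; that is how LimitRequestBody shows up as unlimited in the sample.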