I'm going to bump this up, as I have a need related to it I'd like to discuss.
It's my understanding that a well-organized DDoS attack will consist of traffic that is indistinguishable from legitimate traffic and that it will not be possible to isolate it to any particular IP block (i.e., it might come from a botnet).
I'm having something akin to this happen Right Now(tm). I don't know that it's intended as a DDoS attack, but think, rather, that it's perhaps a distributed scraping system, although it could be a DDoS (if it is, hmm ... it's certainly not the largest possible botnet, but it seems to be effective enough).
What I'm wondering is this. It doesn't seem to be loading me up enough to zombify the server itself, but it is, rather, saturating MySQL's max_connections (which is set to default, 151). I can, obviously, up max_connections in my.cnf, but then I actually MIGHT run risk of zombifying the box.
Some things I'm noting about the "attack". There are several IPs within similar netblocks (e.g. 188.8.131.52, 184.108.40.206, and 220.127.116.11 are all involved). They each seem to get new SESSIDs, at least they appear to in the logfiles (they apparently don't take cookies, and the system is giving them s=SESSID), and they are probably flipping the UA strings ("Mozilla", then "Safari", then "Chrome", "Linux", then empty, then "iPhone", etc.).
So, how might I go about putting together a "plugin" for a PHP site/page(s) that might mitigate this sort of thing? What I'm thinking: Check the REMOTE_ADDR and see if it's been pretty busy lately ($n requests in the last $x seconds), then check the User-Agent string and see if it has been "bouncing around" (say, we have 4 different UA strings for this IP within the last $x seconds). See if the SESSION var is changed, and if we think it's nefarious based on enough of these criteria we die("Please go away!") ... your thoughts?
Does it sound possible? Would it be potentially effective?
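One way to implement the per-IP heuristics sketched in the post (request count, User-Agent churn and fresh SESSIDs within a sliding window), as an added example that is not part of the original thread. The in-memory store, the thresholds and the sample address 203.0.113.7 are assumptions; a production version would persist the history in APCu, Redis or a database table and would need to trust the proxy's forwarded-for header only when a reverse proxy is actually in front of PHP.

```php
<?php
// Added example: sliding-window scoring of one client IP.
// Storage is a plain array so it runs stand-alone (assumption: a real
// deployment would back this with APCu, Redis or a DB table).
final class RequestScorer
{
    private array $history = [];   // ip => list of [timestamp, ua, sid]

    public function __construct(
        private int $windowSeconds = 60,
        private int $maxRequests   = 30,  // the post's "$n requests in $x seconds"
        private int $maxUserAgents = 4,   // distinct UA strings per IP in window
        private int $maxSessions   = 3    // fresh SESSIDs per IP in window
    ) {}

    /** Record one request; return true when the IP looks abusive. */
    public function record(string $ip, string $ua, string $sid, int $now): bool
    {
        // Drop entries that fell out of the window, then append this request.
        $cutoff = $now - $this->windowSeconds;
        $this->history[$ip] = array_values(array_filter(
            $this->history[$ip] ?? [],
            fn(array $r) => $r[0] > $cutoff
        ));
        $this->history[$ip][] = [$now, $ua, $sid];

        $rows = $this->history[$ip];
        $hits = count($rows);
        $uas  = count(array_unique(array_column($rows, 1)));
        $sids = count(array_unique(array_column($rows, 2)));

        // Require two of three criteria so a busy NAT gateway with one
        // stable browser is not blocked on request volume alone.
        $flags = (int)($hits > $this->maxRequests)
               + (int)($uas  >= $this->maxUserAgents)
               + (int)($sids >= $this->maxSessions);
        return $flags >= 2;
    }
}

// Constructed sample traffic: one IP cycling UA strings and cookieless sessions.
$scorer  = new RequestScorer();
$uas     = ['Mozilla', 'Safari', 'Chrome', 'Linux', '', 'iPhone'];
$verdict = false;
for ($i = 0; $i < 40; $i++) {
    $verdict = $scorer->record('203.0.113.7', $uas[$i % 6], "sess$i", 1000 + $i);
}
// In a page: if ($scorer->record($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '',
//            session_id(), time())) { http_response_code(429); exit; }
echo $verdict ? "block\n" : "allow\n";
```

Running the same loop with a single UA string and a constant session id leaves only the volume criterion set, so the client is allowed; the cheap signal is the combination, not the raw request count.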