MaxRequestWorkers and DDoS

Introduction: 

MaxRequestWorkers directive sets the limit on the number of simultaneous requests that will be served by Apache. Any connection attempts over the MaxRequestWorkers limit will normally be queued (Not dropped). Once a child process is freed at the end of a different request, the queued connections will then be serviced.

The ServerLimit directive represents the upper limit of MaxRequestWorkers. This setting is generally used as a safeguard or ceiling against input errors when modifying MaxRequestWorkers. It becomes necessary to adjust ServerLimit when the server is expected to handle more than the default of 150 requests simultaneously.

You can see both of these directives by running this command: (These values represent the default values in a cPanel environment)

It is essential to tune Apache's MaxRequestWorkers setting to mitigate the risk of resource usage problems that could lead to a crash and to ensure that your server can use the resources available to it.

Special care must be taken when using this directive. If ServerLimit is set to a value much higher than necessary, extra, unused shared memory will be allocated. If both ServerLimit and MaxRequestWorkers are set to values higher than the system can handle, Apache may not start or the system may become unstable.

Please refer to these links for information on how to optimize these directives for your server:

• Tuning MaxRequestWorkers for Apache
• How do I troubleshoot Apache MaxRequestWorkers errors?
  
  
  

Tuning MaxRequestWorkers As a Way To Prevent DDoS Attacks:

DDoS (Distributed Denial Of Service) tries to deny important services running on the system by sending heavy traffic, so that the server can’t handle it. This is possibly the most common type of attack involving Apache.

There are multiple ways to modify your system to defend against DDoS attacks. One such way is via tweaking Apache's configuration by modifying directives such as  RequestReadTimeout, Timeout, KeepAliveTimeout, MaxRequestWorkers, etc. to reduce the impact of DDoS attacks.

For example, you can lower the KeepAliveTimeout parameter on sites that are subject to DDoS attacks. Similarly, tuning MaxRequestWorkers directive allows the server to handle maximum number of simultaneous connections without running out of resources.

However, possibly the most important step against a DDoS attack is to detect it. You can refer to these links for more information on how to determine if your server is experiencing a DDoS attack:

• How can I tell if Apache is experiencing a DDoS attack?
• What should I do if my server is experiencing DDOS?