
What is Apache mod_evasive Block?

An Apache mod_evasive block is a server-side rate-limiting response triggered when an IP address exceeds predefined request thresholds on an Apache web server. Unlike modern bot management platforms that analyze browser fingerprints or inject JavaScript challenges, mod_evasive relies entirely on volumetric heuristics—tracking concurrent requests and rapid hits to the same URI. For scraping pipelines, hitting this module results in a sudden wall of HTTP 403 Forbidden errors, requiring immediate IP rotation or strict concurrency throttling to resume extraction.

// 02 — definitions

Volume over sophistication.

How legacy web servers protect themselves from brute-force traffic, and why simple rate limits still break naive scrapers.


TL;DR

mod_evasive maintains an internal hash table of IP addresses and their request counts. If an IP requests the same page more than DOSPageCount times per interval, or makes more than DOSSiteCount total requests across the site, the IP is blacklisted. Subsequent requests return a 403 Forbidden until the block expires. It's a blunt instrument, but highly effective against unthrottled single-node crawlers.

01 Definition & structure
mod_evasive is an Apache module that takes evasive action in the event of an HTTP DoS or DDoS attack or a brute-force attack. It works by maintaining an internal dynamic hash table of IP addresses and URIs. If an IP requests the same page too many times per interval (DOSPageCount), or makes too many total requests across the entire site per interval (DOSSiteCount), the module temporarily blacklists the IP and returns a 403 Forbidden response.
02 How it works in practice
When a scraper hits an Apache server protected by mod_evasive, the first few requests succeed with a 200 OK. Once the velocity threshold is breached, the server abruptly cuts off access. Every subsequent request from that IP returns a 403 Forbidden. The module can also be configured to execute system commands upon blocking, such as adding the IP to iptables or sending an alert to syslog.
03 Identifying a mod_evasive block
Unlike modern WAFs, mod_evasive does not serve a CAPTCHA or a JavaScript challenge page. The block is identifiable by its suddenness and simplicity: a hard 403 Forbidden with a standard Apache error page, triggered purely by request volume. If you pause your scraper for 30 seconds and the 403s disappear, you are almost certainly dealing with a volumetric block like mod_evasive.
04 How DataFlirt handles it
We treat volumetric rate limits as a scheduling constraint, not a bypass challenge. Our pipeline orchestrator maps the target's rate limit thresholds during the discovery phase. We then enforce a token-bucket throttling mechanism per exit node, ensuring that no single IP in our residential pool ever exceeds the DOSSiteCount. If a 403 is encountered, the worker immediately backs off to allow the DOSBlockingPeriod to expire without resetting the timer.
05 The "Site vs Page" trap
A common misconception is that crawling different URLs protects you from rate limits. While it avoids the DOSPageCount threshold (which tracks hits to the exact same URI), it still contributes to the DOSSiteCount threshold (which tracks total hits to the domain from your IP). Fetching 50 different product pages in one second will trigger the block just as quickly as fetching the same page 50 times.
// 03 — the thresholds

When does the block trigger?

mod_evasive uses two distinct volumetric counters. Tripping either one lands your IP in the blacklist. DataFlirt's scheduler models these thresholds to maximize throughput without burning proxy IPs.

Page-level threshold: req_to_URI > DOSPageCount / DOSPageInterval
Default is often 2 requests per 1 second to the exact same URL. (Source: mod_evasive core logic)

Site-level threshold: req_to_site > DOSSiteCount / DOSSiteInterval
Default is often 50 requests per 1 second across the entire domain. (Source: mod_evasive core logic)

Block duration: T_block = DOSBlockingPeriod × consecutive_violations
Continuing to request while blocked resets the timer, extending the ban. (Source: Apache configuration)
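
To see how the two counters and the blocking period interact, the following added example (not DataFlirt's or mod_evasive's own code) is a simplified Python model of the behaviour described above; an operator can replay access-log events through it to check which clients a candidate set of thresholds would block before deploying them. The `EvasiveModel` class, the `replay` function, whole-second timestamps and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample events (epoch second, client IP, request path); not real traffic.
EVENTS = (
    [(100, "203.0.113.10", f"/category/shoes?page={n}") for n in (1, 2, 3)]
    + [(105, "203.0.113.10", "/"), (112, "203.0.113.10", "/"), (125, "203.0.113.10", "/")]
    + [(100 + 2 * n, "198.51.100.7", "/index.html") for n in range(3)]
    + [(200, "192.0.2.44", f"/product/{n}") for n in range(6)]
)

@dataclass
class EvasiveModel:
    page_count: int = 2        # DOSPageCount
    page_interval: int = 1     # DOSPageInterval, seconds
    site_count: int = 50       # DOSSiteCount
    site_interval: int = 1     # DOSSiteInterval, seconds
    blocking_period: int = 10  # DOSBlockingPeriod, seconds
    hits: dict = field(default_factory=dict)     # key -> (last hit time, count)
    blocked: dict = field(default_factory=dict)  # ip -> time of last blocked hit

    def _over(self, key, now, interval, limit):
        last, count = self.hits.get(key, (now, 0))
        if now - last >= interval:
            count = 0                      # interval elapsed: start a new count
        self.hits[key] = (now, count + 1)
        return count >= limit              # this hit is beyond the allowed count

    def check(self, ip, uri, now):
        if ip in self.blocked and now - self.blocked[ip] < self.blocking_period:
            self.blocked[ip] = now         # a hit while blocked restarts the period
            return 403
        page = self._over((ip, uri), now, self.page_interval, self.page_count)
        site = self._over((ip, None), now, self.site_interval, self.site_count)
        if page or site:
            self.blocked[ip] = now
            return 403
        return 200

def replay(events, **thresholds):
    """Return {ip: [status, ...]} for the events replayed in time order."""
    model, out = EvasiveModel(**thresholds), {}
    for ts, ip, path in sorted(events, key=lambda e: e[0]):
        uri = path.split("?", 1)[0]        # key on the base URI, without the query
        out.setdefault(ip, []).append(model.check(ip, uri, ts))
    return out

if __name__ == "__main__":
    for ip, statuses in replay(EVENTS, site_count=5).items():
        print(ip, statuses)
```

In the sample, 203.0.113.10 would have been unblocked at second 110, but its hits at 105 and 112 each restart the period, so it is served again only at 125; 198.51.100.7, at one request every two seconds, is never blocked.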
// 04 — the request trace

Tripping the volumetric wire.

A naive crawler hitting an Apache server without rate limiting. The module detects the burst, updates the hash table, and drops the hammer.

// worker-01: unthrottled catalog crawl
GET /category/shoes?page=1 200 OK
GET /category/shoes?page=2 200 OK
GET /category/shoes?page=3 200 OK
GET /category/shoes?page=4 200 OK
GET /category/shoes?page=5 200 OK

// mod_evasive: DOSSiteCount exceeded (5 reqs / 1s)
GET /category/shoes?page=6 403 Forbidden
GET /category/shoes?page=7 403 Forbidden

// block timer reset due to continued requests
syslog: "Blacklisting address 192.168.1.45: possible DoS attack."
worker.status: FATAL_BLOCK
action: rotating IP and applying backoff
// 05 — trigger conditions

What fills the hash table.

mod_evasive doesn't care about your headers, your TLS fingerprint, or your JavaScript execution. It only cares about request velocity from a single IP address.

DEFAULT BLOCK: 10 seconds
DETECTION: IP + URI hash
HTTP STATUS: 403 Forbidden

01 High concurrency per IP (DOSSiteCount): Fetching multiple pages simultaneously from one exit node
02 Rapid pagination (DOSPageCount): Hitting the same base URI with different query parameters too fast
03 Static asset fetching (Asset bloat): Images and CSS count towards site limits unless excluded
04 Ignoring block periods (Timer reset): Continuing to request during a 403 extends the block indefinitely
05 Shared proxy pools (IP collision): Colliding with other scrapers on the same datacenter IP
// 06 — our approach

Distribute the load, respect the math.

Bypassing mod_evasive isn't about spoofing fingerprints; it's an exercise in traffic shaping. DataFlirt's pipeline orchestration automatically detects volumetric 403s, pauses the offending worker, and redistributes the URL queue across a wider pool of residential IPs. By enforcing strict token-bucket rate limits per exit node, we keep the request velocity just below the target's configured DOSSiteCount, ensuring continuous extraction without burning proxy reputation.

Traffic shaping config

Worker configuration for an Apache target running strict mod_evasive rules.

target.server: Apache/2.4.41
rate_limit.strategy: token_bucket (active)
max_req_per_ip: 2 req / sec
proxy.rotation: per_request (residential)
asset.fetching: disabled (saves quota)
403.backoff: 15 seconds

// 07 — FAQ

Common questions.

About volumetric rate limiting, Apache configurations, and how to maintain high extraction speeds without triggering IP blacklists.

What is the difference between mod_evasive and Cloudflare?
Cloudflare uses behavioral analysis, TLS fingerprinting, and JavaScript challenges to determine if a request comes from a bot. mod_evasive is purely volumetric. It doesn't care if you are a real Chrome browser or a Python script; if you make 50 requests in one second from a single IP, you get blocked.
Why am I getting blocked when I only request one HTML page?
If your scraper is rendering the page (e.g., using Puppeteer or Playwright) and fetching all static assets (images, CSS, JS), each of those fetches counts as a separate request. A single page load might generate 80 requests, instantly tripping the DOSSiteCount threshold. Disable image and CSS loading in your headless browser to avoid this.
How long does a mod_evasive block last?
The default DOSBlockingPeriod is 10 seconds. However, if you continue to send requests to the server while blocked, mod_evasive resets the timer. A poorly configured scraper that ignores 403s and keeps retrying will effectively ban itself permanently.
Can I bypass mod_evasive by changing my User-Agent?
No. The module tracks traffic based on the client IP address and the requested URI. Header rotation, cookie clearing, and User-Agent spoofing have zero effect on mod_evasive. The only solutions are IP rotation and request throttling.
How does DataFlirt handle mod_evasive at scale?
We use distributed crawling. Instead of sending 100 requests per second from one IP, we send 1 request per second from 100 different residential IPs. Our scheduler enforces strict per-IP concurrency limits, ensuring no single node ever approaches the volumetric threshold.
Is it legal to bypass rate limits like mod_evasive?
Rate limits are technical enforcement mechanisms, often tied to a site's Terms of Service. While accessing public data is generally lawful, aggressively bypassing rate limits to the point of causing server degradation can cross into Computer Fraud and Abuse Act (CFAA) territory or be considered a DoS attack. We strictly adhere to safe concurrency limits to ensure target stability.