diff --git a/mig/install/apache-MiG-template.conf b/mig/install/apache-MiG-template.conf
index 86ea19fbb..8e2d01747 100644
--- a/mig/install/apache-MiG-template.conf
+++ b/mig/install/apache-MiG-template.conf
@@ -181,6 +181,21 @@ Alias /status-events.json "__MIG_STATE__/wwwpublic/status-events.json"
+# Optional DDoS protection with conservative request limits
+
+ DOSPageCount 5
+ DOSSiteCount 50
+ DOSPageInterval 1
+ DOSSiteInterval 1
+ DOSHashTableSize 32768
+ DOSBlockingPeriod 300
+ DOSEmailNotify __EVASIVE_DOSEMAILNOTIFY__
+
+ # Never block localhost and optionally any registered security scanners
+ DOSWhitelist 127.0.0.1/8
+ __EVASIVE_ALLOW_SECSCAN_COMMENTED__ DOSWhitelist __SECSCAN_ADDR__
+
+
 # NOTE: workaround for broken double gzip decompression e.g. in Firefox.
 # The bam files are in fact already gzip files and require care:
diff --git a/mig/install/apache-mimic-deb-template.conf b/mig/install/apache-mimic-deb-template.conf
index 7865f0217..f144d590d 100644
--- a/mig/install/apache-mimic-deb-template.conf
+++ b/mig/install/apache-mimic-deb-template.conf
@@ -80,6 +80,9 @@ __JUPYTER_COMMENTED__ LoadModule lbmethod_byrequests_module modules/mod_lbmethod
 # Optional Header mangling if requested (for HSTS)
 __HSTS_COMMENTED__ LoadModule headers_module modules/mod_headers.so
+# Optional DDoS protection if requested (for mod evasive)
+__EVASIVE_COMMENTED__ LoadModule evasive20_module modules/mod_evasive20.so
+
 # Apparently we need this mime setup on Redhat to just run apache
 TypesConfig /etc/mime.types
 MIMEMagicFile conf/magic
diff --git a/mig/install/generateconfs.py b/mig/install/generateconfs.py
index 411af14b3..10585eedc 100755
--- a/mig/install/generateconfs.py
+++ b/mig/install/generateconfs.py
@@ -280,6 +280,7 @@ def main(argv, _generate_confs=generate_confs, _print=print):
 'enable_cloud',
 'enable_gdp',
 'enable_hsts',
+ 'enable_evasive',
 'enable_vhost_certs',
 'enable_verify_certs',
 'enable_seafile',
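Review bot: `DOSSiteCount 50` with `DOSSiteInterval 1` blocks a client address for `DOSBlockingPeriod 300` seconds once it fetches more than 50 objects within one second, which a single page view pulling many static assets can reach, and every client behind one NAT or a fronting reverse proxy shares that counter because mod_evasive keys on the connecting address. I would say so next to the limits, e.g. `# Limits are per connecting IP: tune DOSSiteCount/DOSPageCount if pages pull many assets or the site sits behind a proxy/NAT`, so the deployer checks the values against real access logs before enabling. `DOSWhitelist 127.0.0.1/8` uses CIDR notation; as far as I recall mod_evasive's DOSWhitelist only documents octet wildcards such as `127.0.0.*`, so verify the installed version accepts CIDR, otherwise the localhost exemption silently does nothing. Any `<IfModule>` wrapper around these directives is not visible in the hunk as extracted, so I cannot tell whether the block is guarded when the module is not loaded.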
diff --git a/mig/shared/install.py b/mig/shared/install.py
index 92a1ab997..39ef959c0 100644
--- a/mig/shared/install.py
+++ b/mig/shared/install.py
@@ -382,6 +382,7 @@ def generate_confs(
 enable_jupyter=False,
 enable_cloud=False,
 enable_hsts=True,
+ enable_evasive=False,
 enable_vhost_certs=False,
 enable_verify_certs=False,
 enable_seafile=False,
@@ -708,6 +709,7 @@ def _generate_confs_prepare(
 enable_jupyter,
 enable_cloud,
 enable_hsts,
+ enable_evasive,
 enable_vhost_certs,
 enable_verify_certs,
 enable_seafile,
@@ -964,6 +966,8 @@ def _generate_confs_prepare(
 user_dict['__ENABLE_JUPYTER__'] = "%s" % enable_jupyter
 user_dict['__ENABLE_CLOUD__'] = "%s" % enable_cloud
 user_dict['__ENABLE_HSTS__'] = "%s" % enable_hsts
+ user_dict['__ENABLE_EVASIVE__'] = "%s" % enable_evasive
+ user_dict['__EVASIVE_DOSEMAILNOTIFY__'] = keyword_auto
 user_dict['__ENABLE_VHOST_CERTS__'] = "%s" % enable_vhost_certs
 user_dict['__ENABLE_VERIFY_CERTS__'] = "%s" % enable_verify_certs
 user_dict['__ENABLE_SEAFILE__'] = "%s" % enable_seafile
@@ -1356,6 +1360,18 @@ def _generate_confs_prepare(
 else:
 user_dict['__HSTS_COMMENTED__'] = '#'
+ # Enable DDoS protection with mod_evasive only if explicitly requested
+ user_dict['__EVASIVE_ALLOW_SECSCAN_COMMENTED__'] = '#'
+ if user_dict['__ENABLE_EVASIVE__'].lower() == 'true':
+ user_dict['__EVASIVE_COMMENTED__'] = ''
+ if user_dict['__SECSCAN_ADDR__']:
+ user_dict['__EVASIVE_ALLOW_SECSCAN_COMMENTED__'] = ''
+ else:
+ user_dict['__EVASIVE_COMMENTED__'] = '#'
+
+ if user_dict['__EVASIVE_DOSEMAILNOTIFY__'] == keyword_auto:
+ user_dict['__EVASIVE_DOSEMAILNOTIFY__'] = admin_email
+
 # Enable vhost-specific certificates only if explicitly requested
 if user_dict['__ENABLE_VHOST_CERTS__'].lower() == 'true':
 user_dict['__VHOSTCERTS_COMMENTED__'] = ''
diff --git a/tests/fixture/confs-stdlocal/MiG.conf b/tests/fixture/confs-stdlocal/MiG.conf
index 8bcd6055a..7af846bda 100644
--- a/tests/fixture/confs-stdlocal/MiG.conf
+++ b/tests/fixture/confs-stdlocal/MiG.conf
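Review bot: `if user_dict['__SECSCAN_ADDR__']:` only tests for an empty string, but the fixture generated by this same commit renders the unset scanner address as the literal `UNSET` (`#DOSWhitelist UNSET`), so with `enable_evasive` on and no scanner configured the line would be uncommented and Apache handed `DOSWhitelist UNSET`, which is not a valid address. The check should also exclude that sentinel, e.g. `if user_dict['__SECSCAN_ADDR__'] and user_dict['__SECSCAN_ADDR__'] != 'UNSET':`, using whatever constant produces `UNSET` earlier in `_generate_confs_prepare` rather than a new literal. `DOSEmailNotify` is likewise emitted unquoted from `admin_email`, so an empty admin address yields a directive with no argument; consider commenting that line out in the template when `admin_email` is empty. The `_generate_confs_prepare` body continues outside the hunk, and the `keyword_auto` fallback runs even when evasive is disabled, which is harmless but deserves a comment such as `# DOSEmailNotify defaults to admin_email; only rendered when evasive is enabled`.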
@@ -181,6 +181,21 @@ Alias /status-events.json "/home/mig/state/wwwpublic/status-events.json"
+# Optional DDoS protection with conservative request limits
+
+ DOSPageCount 5
+ DOSSiteCount 50
+ DOSPageInterval 1
+ DOSSiteInterval 1
+ DOSHashTableSize 32768
+ DOSBlockingPeriod 300
+ DOSEmailNotify mig
+
+ # Never block localhost and optionally any registered security scanners
+ DOSWhitelist 127.0.0.1/8
+ #DOSWhitelist UNSET
+
+
 # NOTE: workaround for broken double gzip decompression e.g. in Firefox.
 # The bam files are in fact already gzip files and require care:
diff --git a/tests/fixture/confs-stdlocal/mimic-deb.conf b/tests/fixture/confs-stdlocal/mimic-deb.conf
index 062f0f719..d9947a54b 100644
--- a/tests/fixture/confs-stdlocal/mimic-deb.conf
+++ b/tests/fixture/confs-stdlocal/mimic-deb.conf
@@ -80,6 +80,9 @@ LoadModule wsgi_module modules/mod_wsgi.so
 # Optional Header mangling if requested (for HSTS)
 LoadModule headers_module modules/mod_headers.so
+# Optional DDoS protection if requested (for mod evasive)
+#LoadModule evasive20_module modules/mod_evasive20.so
+
 # Apparently we need this mime setup on Redhat to just run apache
 TypesConfig /etc/mime.types
 MIMEMagicFile conf/magic