LiteSpeed Support Forums > LiteSpeed Web Server > General > DDoS Question
#1
06-25-2009, 09:31 AM
-KaaL- (Member; Join Date: Jun 2009; Posts: 26)

DDoS Question

Hello,

I am planning to buy LiteSpeed Enterprise for my server.
But I would just like to make sure it would be worth the price.

I am currently using the Trial Version..
Linux CentOS 32-bit with DA

I just want to get the right settings..
I have followed most of the threads, including http://www.litespeedtech.com/how-tos.html#qa_dos

But I just didn't know how to mitigate attacks from different IPs.

I read the last point there about General Context, but I didn't understand that part..

I have posted an image of a log of an attack I experienced..



Thank you,
Arvind.

Last edited by -KaaL-; 06-29-2009 at 08:56 PM..
#2
06-25-2009, 09:43 AM
mistwang (LiteSpeed Staff; Join Date: May 2003; Location: New Jersey; Posts: 7,590)

Just limit the number of connections from each IP. LSWS will block IPs that abuse the server automatically; no need to do anything extra unless you are being hit by a botnet with hundreds or thousands of zombies.
#3
06-25-2009, 09:45 AM
-KaaL- (Member; Join Date: Jun 2009; Posts: 26)

I haven't posted the whole log.
It's well over 500 UNIQUE bots.
And this log has some consecutive IPs.
I expect attacks with all unique IPs, like a pack of 500 attacking one after the other..
#4
06-25-2009, 09:50 AM
mistwang (LiteSpeed Staff; Join Date: May 2003; Location: New Jersey; Posts: 7,590)

It does not matter. As long as the bots act aggressively like the status page you posted, all of them will be blocked in a short time once they hit the connection limits.
#5
06-25-2009, 11:47 AM
-KaaL- (Member; Join Date: Jun 2009; Posts: 26)

Static Requests/second - 25
Dynamic Requests/second - 10
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 400
Connection Hard Limit - 500
Grace Period (sec) - 15
Banned Period (sec) - 300

Max Connections : 500
Connection Timeout (secs) : 60
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

Are these settings fine?
#6
06-25-2009, 12:00 PM
anewday (Senior Member; Join Date: Nov 2007; Location: New York; Posts: 723)

Quote:
Originally Posted by -KaaL-
Static Requests/second - 25
Dynamic Requests/second - 10
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 400
Connection Hard Limit - 500
Grace Period (sec) - 15
Banned Period (sec) - 300

Max Connections : 500
Connection Timeout (secs) : 60
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

Are these settings fine?

How often do you get hit with a DDoS? Your settings are not aggressive. Start with these:

Static Requests/second - 10
Dynamic Requests/second - 2
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 20
Connection Hard Limit - 30
Grace Period (sec) - 30
Banned Period (sec) - 3600

Max Connections : 900
Connection Timeout (secs) : 15
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

Last edited by anewday; 06-25-2009 at 12:05 PM..
#7
06-25-2009, 12:01 PM
-KaaL- (Member; Join Date: Jun 2009; Posts: 26)

DDoS attacks are very frequent.
Got a lot of haters lol..

Ok, I have changed to those settings.
Any other settings that would be required?

Last edited by -KaaL-; 06-25-2009 at 12:05 PM..
#8
06-25-2009, 12:04 PM
anewday (Senior Member; Join Date: Nov 2007; Location: New York; Posts: 723)

I adjusted the settings above again; they should be able to mitigate very powerful attacks. Keep us posted on how it goes.
#9
06-25-2009, 12:27 PM
-KaaL- (Member; Join Date: Jun 2009; Posts: 26)

Well... some scripts that use AJAX won't load fast..
Can you put some exclusion rules for some scripts for a particular domain or something?
#10
06-25-2009, 11:54 PM
felosi (Senior Member; Join Date: Jun 2007; Posts: 249)

Well, what you have here is a classic GET attack. I suppose the site is a PHP/MySQL site? The goal of such an attack is resource exhaustion; they can be difficult to mitigate, but it can be done.

What I first recommend is the csf firewall with connection tracking features on; you want to set a ct_limit of about 25-60 depending on how many connections most legit users make. Then make the ban permanent: set ct_perm to 1. Then turn on the mod_security failure blocking.

After you configure all that, include a good mod_security ruleset like the one from gotroot.com. I actually just made an article on my blog with a trimmed-down ruleset - http://nix101.com/2009/06/25/light-m...urity-ruleset/
This will block bad and empty user agents.

Then set your LiteSpeed settings as suggested above. I usually keep the connection limits to 5 soft, 15 hard, and even lower if needed, but be careful: legit users may start getting banned. It also has a lot to do with the sites as well. If they have a lot of images and other things to load, they will have more requests per second as well as connections. Optimizing your site will help as well.

Then if all else fails, tail your access_log and see if you see a pattern with the user_agent, like if they are all using the same user_agent. Get that and Google it to see if it is a legit one; if not, then just edit one of the mod_security rules for user_agents and put that one in there. Or use iptables string match to get it.

Then if all else fails, try a click-to-enter page, a simple HTML page with an enter link. If the attacker modifies their attack to go directly to index.php or whatever, then you will be fighting a losing war and it is time to think about getting some DDoS protection somewhere that has one of the click or captcha pages at the router.

Hope all this helps, good luck.
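An added example, not code from any poster in this thread, of the access_log check felosi describes in post #10 and of the per-IP rate idea behind the request-per-second limits discussed in posts #5 and #6. It parses log lines in the Apache/LiteSpeed "combined" format (an assumption; adjust the regex if your server logs differently), finds each IP's peak number of requests within a single second and flags those above a threshold, and tallies user agents so a shared or empty user_agent stands out. The log lines, IP addresses, user-agent strings and the threshold of 10 requests per second (chosen to mirror the static limit suggested in post #6) are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Regex for one line of the Apache/LiteSpeed "combined" access log format (assumed format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed user agent shared by every request of the sample flood below.
BOT_UA = "Mozilla/4.0 (compatible; SampleFloodAgent/1.0)"


def build_sample_log():
    """Constructed sample log: two ordinary visitors plus two IPs that each make 12
    requests for index.php within the same second, all with one shared user agent."""
    lines = [
        '203.0.113.10 - - [25/Jun/2009:09:30:01 -0700] "GET /index.php HTTP/1.1" 200 5120 '
        '"-" "Mozilla/5.0 (X11; Linux) Firefox/3.0"',
        '203.0.113.10 - - [25/Jun/2009:09:30:01 -0700] "GET /style.css HTTP/1.1" 200 812 '
        '"http://example.test/index.php" "Mozilla/5.0 (X11; Linux) Firefox/3.0"',
        '203.0.113.11 - - [25/Jun/2009:09:30:02 -0700] "GET /ajax/poll.php HTTP/1.1" 200 95 '
        '"http://example.test/index.php" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0"',
    ]
    for ip in ("198.51.100.7", "198.51.100.8"):
        for i in range(12):
            lines.append(
                f'{ip} - - [25/Jun/2009:09:30:03 -0700] "GET /index.php?r={i} HTTP/1.1" '
                f'200 5120 "-" "{BOT_UA}"'
            )
    return lines


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Timestamp resolved to the second; %z handles the "-0700" offset.
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def parse_log(lines):
    """Parse every line, skipping ones the regex does not recognise."""
    return [e for e in map(parse_line, lines) if e is not None]


def peak_rate_per_ip(entries):
    """Highest number of requests each IP made within any single wall-clock second."""
    per_second = Counter((e["ip"], e["ts"]) for e in entries)
    peak = {}
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak.get(ip, 0), n)
    return peak


def flag_offenders(entries, req_per_sec=10):
    """IPs whose peak per-second rate exceeds the threshold (default mirrors the
    10 static requests/second suggested in the thread), sorted for stable output."""
    return sorted(ip for ip, n in peak_rate_per_ip(entries).items() if n > req_per_sec)


def user_agent_profile(entries):
    """(user_agent, requests, share of all requests) from most to least common.
    An empty user agent is reported as '-' so it is visible in the output."""
    counts = Counter(e["ua"] or "-" for e in entries)
    total = sum(counts.values())
    return [(ua, n, n / total) for ua, n in counts.most_common()]


if __name__ == "__main__":
    entries = parse_log(build_sample_log())
    print("IPs over 10 req/s:", flag_offenders(entries))
    for ua, n, share in user_agent_profile(entries):
        print(f"{n:4d} ({share:5.1%})  {ua}")
```

To run it on a real log, replace build_sample_log() with the file's lines, stripped of their trailing newline (for example, parse_log(l.rstrip("\n") for l in open("access_log"))). A user agent that accounts for most of the requests from the flagged IPs but almost none from the rest of your traffic is the pattern felosi suggests matching in a mod_security rule; a large share under "-" means empty user agents, which the ruleset he links already blocks.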