
LiteSpeed Support Forums > LiteSpeed Web Server > Bug Reports > Anti DDOS not working for proxy server

#1  04-17-2012, 12:10 PM
freeballt (Member; Join Date: Apr 2011; Posts: 38)
Anti DDOS not working for proxy server

I'm using cloudflare with my litespeed installation and have been getting hit with a DDOS lately. I have the server setup so that it only allows 7 dynamic requests from a user per second. My logs show a number of ips requesting the same file several times a second (over 10). I suspect since I'm using cloudflare and have those IP's whitelisted, that the DDOS ips aren't being blocked.

In addition, is there a way to block IPs without going through the interface, such as using a ssh command?
#2  04-18-2012, 12:04 PM
webizen (LiteSpeed Staff; Join Date: Oct 2010; Posts: 2,338)
http://www.litespeedtech.com/support...ead.php?t=5865
#3  04-18-2012, 03:29 PM
damoncloudflare (New Member; Join Date: Apr 2012; Posts: 4)
DDoS

Quote: Originally Posted by freeballt
I'm using cloudflare with my litespeed installation and have been getting hit with a DDOS lately. I have the server setup so that it only allows 7 dynamic requests from a user per second. My logs show a number of ips requesting the same file several times a second (over 10). I suspect since I'm using cloudflare and have those IP's whitelisted, that the DDOS ips aren't being blocked.

In addition, is there a way to block IPs without going through the interface, such as using a ssh command?
Just a quick note that you might want to consider using CloudFlare's DDoS mitigation feature as an option as well (don't know how large the attack is you're trying to manage).
#4  04-19-2012, 01:42 PM
freeballt (Member; Join Date: Apr 2011; Posts: 38)
Quote: Originally Posted by damoncloudflare
Just a quick note that you might want to consider using CloudFlare's DDoS mitigation feature as an option as well (don't know how the large the attack is you're trying to manage).
The 5s wait thing is annoying to my users. I've had complaints about it.

I limited dynamic requests to 1 a second, and there are NO ips in the temporary ban list. There is obviously a problem with using cloudflare or some other proxy service and ip banning with litespeed.

Last edited by freeballt; 04-19-2012 at 01:49 PM.
#5  04-19-2012, 01:59 PM
damoncloudflare (New Member; Join Date: Apr 2012; Posts: 4)
Hi,

"The 5s wait thing is annoying to my users. Ive had complaints about it."

Do you think there is something we can do to improve the messaging?
#6  04-19-2012, 02:05 PM
freeballt (Member; Join Date: Apr 2011; Posts: 38)
It's an issue with the message and having to wait 5 seconds. Obviously I don't know what you guys are doing behind the scenes during those 5 seconds, but it makes no sense why you guys would display that message or any prompt (seems unnecessary, or rather advertising).

Having said that, I think if you guys offered a service where we could skin our own captcha page, that would be well worth a premium subscription.
#7  04-19-2012, 02:26 PM
damoncloudflare (New Member; Join Date: Apr 2012; Posts: 4)
Hi,

"Having said that, I think if you guys offered a service where we could skin our own captcha page that is well worth a premium subscription."

Being worked on (don't know the account level type that will be offered with yet).

"It's an issue with the message and having to wait 5 seconds. Obviously I don't know what you guys are doing behind the scenes during those 5 seconds, but it makes no sense why you guys would display that message or any prompt (seems unnecessary, or rather advertising)."

Don't think there is an easy solution for the 5 seconds (will mention it). Basically, we're running some checks on the visitor to see if they exhibit behaviors of a botnet or other type of attack (generally have some specific signatures during a DDoS). I'm sure we'll figure out a way to speed it up.
#8  04-19-2012, 03:05 PM
freeballt (Member; Join Date: Apr 2011; Posts: 38)
Quote: Originally Posted by damoncloudflare
"Having said that, I think if you guys offered a service where we could skin our own captcha page that is well worth a premium subscription."

Being worked on (don't know the account level type that will be offered with yet).

"It's an issue with the message and having to wait 5 seconds. Obviously I don't know what you guys are doing behind the scenes during those 5 seconds, but it makes no sense why you guys would display that message or any prompt (seems unnecessary, or rather advertising)."

Don't think there is an easy solution for the 5 seconds (will mention it). Basically, we're running some checks on the visitor to see if they exhibit behaviors of a botnet or other type of attack (generally have some specific signatures during a DDoS). I'm sure we'll figure out a way to speed it up.
Perhaps when DDOS mitigation is enabled, all connections are logged and you have something in the background that does log parsing. That way the frontend isn't affected and it isn't as intensive or annoying. It's more than likely going to be a repeated attack, so getting them on the first time through isn't really essential; blocking them later down the road is the goal.

I find logs to be helpful during HTTP attacks because you can find out who is attacking what and block the offending ips.
#9  04-19-2012, 03:35 PM
webizen (LiteSpeed Staff; Join Date: Oct 2010; Posts: 2,338)
Quote: Originally Posted by freeballt
Perhaps when DDOS mitigation is enabled, all connections are logged and you have something in the background that does log parsing. That way the frontend isn't affected and it isn't as intensive or annoying. It's more than likely going to be a repeated attack, so getting them on the first time through isn't really essential; blocking them later down the road is the goal.

I find logs to be helpful during HTTP attacks because you can find out who is attacking what and block the offending ips.
Consider Litespeed Advanced Anti-DDoS Setup (https://store.litespeedtech.com/store/cart.php?gid=5)
#10  04-19-2012, 04:07 PM
damoncloudflare (New Member; Join Date: Apr 2012; Posts: 4)
Hi,

"I find logs to be helpful during HTTP attacks because you can find out who is attacking what and block the offending ips."

We should still pass along the IPs to your server (at least if you have the mod for LiteSpeed done).

One other option, at least if you don't like the "I'm Under Attack" mode, is to temporarily turn your security settings to "High" for Basic Security Level & this will challenge more visitors with a captcha.

Are there areas you don't want traffic from? You could also look at blocking rules on your server from countries you don't want to access your site.
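A defender-side sketch of the background log parser freeballt describes in #8, combined with #10's point that CloudFlare still passes the real client IP along: this is an added Python example, not code from the thread, from LiteSpeed or from CloudFlare. It assumes the access-log format appends the CF-Connecting-IP header value as a trailing quoted field and that .php paths are the "dynamic" requests; the sample log lines are constructed. It also shows why counting by the TCP peer (the whitelisted proxy) finds nobody.

```python
import re
from collections import defaultdict

# Combined-style access log line with one extra quoted field holding the
# CF-Connecting-IP header value (assumed log format; adapt the regex to yours).
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d+) \S+ "(?P<client>[^"]*)"$'
)

# Constructed sample lines (not from the thread): 203.0.113.10 stands in for a
# whitelisted CloudFlare edge; 198.51.100.7 hits one PHP file 8 times in one second.
SAMPLE_LOG = "\n".join(
    ['203.0.113.10 - - [19/Apr/2012:13:05:01 -0700] "GET /index.php HTTP/1.1" 200 512 "198.51.100.7"'] * 8
    + ['203.0.113.10 - - [19/Apr/2012:13:05:01 -0700] "GET /index.php HTTP/1.1" 200 512 "198.51.100.9"'] * 2
    + ['203.0.113.10 - - [19/Apr/2012:13:05:02 -0700] "GET /logo.png HTTP/1.1" 200 900 "198.51.100.7"'] * 20
)


def is_dynamic(path):
    # Only dynamic requests count toward the 7-per-second limit from #1 (assumption: .php = dynamic).
    return path.split("?", 1)[0].endswith(".php")


def find_offenders(log_text, threshold=7, whitelist=(), use_forwarded=True):
    """Return {ip: peak dynamic requests in one second} for IPs that exceeded threshold.

    With use_forwarded=False the count is keyed on the TCP peer (the proxy), which is
    exactly how a whitelisted CloudFlare edge hides every client behind it."""
    per_second = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_dynamic(m["path"]):
            continue
        ip = m["client"] if use_forwarded and m["client"] else m["peer"]
        if ip in whitelist:
            continue
        per_second[(ip, m["ts"])] += 1  # ts carries second resolution
    peaks = {}
    for (ip, _ts), n in per_second.items():
        if n > threshold:
            peaks[ip] = max(n, peaks.get(ip, 0))
    return peaks


if __name__ == "__main__":
    edge = {"203.0.113.10"}
    print("keyed on proxy peer:", find_offenders(SAMPLE_LOG, whitelist=edge, use_forwarded=False))
    print("keyed on CF-Connecting-IP:", find_offenders(SAMPLE_LOG, whitelist=edge))
```

The returned dict is the candidate list for a ban decision; the thread's own whitelist of proxy ranges must still apply to the peer address, never to the forwarded one.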
All times are GMT -7.