01-21-2009, 02:29 PM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,603

The best way to deal with a botnet is to combine LiteSpeed with a firewall like iptables. When you set the connection soft/hard limits properly, LiteSpeed will log the IPs that reach those limits; those IPs are mostly members of the botnet or people trying to abuse your server. LiteSpeed does block them automatically; however, blocking them at the firewall is better.
A script called "fail2ban" is a nice tool which can automate this for you. It can parse the LiteSpeed log file, extract offending IPs, and block them automatically. CSF has a similar feature; what you need to do is configure a regular expression to match the log entry.

01-21-2009, 02:33 PM
Senior Member
Join Date: Jan 2009
Posts: 75

Quote:
Originally Posted by anewday
What did you set for connection soft, hard and grace period? How many IPs are attacking and how big? I hope you have a firewall installed to block the offenders.
My site got hit with a DDoS from 20 different IPs 2 weeks ago and the forum was still running fine with a load of 15, though it was slower than normal. Server is a Xeon 3060 with 3GB of memory. MySQL on a separate drive.

I have returned this value to the default, PHP_LSAPI_CHILDREN=35; it works better now, and the DDoS is not so hard.
Yes, I have a firewall, but in this case it doesn't help much. Connection soft limit is 30, and hard 50. Dynamic Requests/second is 2 and static 20.
On my site during the hardest attack there were 1400 people online. We have almost the same server.
But with the dynamic and static values it looks like the load is higher; at the moment it is around 8.

01-21-2009, 02:41 PM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,603

Under attack, you can try
connection soft limit 10, and hard 30. Dynamic Requests/second is 1 and static 20.
Under normal conditions, use your current limits.

01-21-2009, 02:46 PM
Senior Member
Join Date: Nov 2007
Location: New York
Posts: 729

What about the grace period? Your soft and hard limits are too high for a DDoS-prone server.

01-21-2009, 02:50 PM
Senior Member
Join Date: Jan 2009
Posts: 75

Quote:
Originally Posted by mistwang
The best way to deal with a botnet is to combine LiteSpeed with a firewall like iptables. When you set the connection soft/hard limits properly, LiteSpeed will log the IPs that reach those limits; those IPs are mostly members of the botnet or people trying to abuse your server. LiteSpeed does block them automatically; however, blocking them at the firewall is better.
A script called "fail2ban" is a nice tool which can automate this for you. It can parse the LiteSpeed log file, extract offending IPs, and block them automatically. CSF has a similar feature; what you need to do is configure a regular expression to match the log entry.

Do you have any tips on how I can do that with CSF? Usually I caught attackers with this tool http://nix101.com/category/antiddos/ but this time they are not using a SYN flood.
Quote:
top - 00:43:48 up 88 days, 16:34, 1 user, load average: 1.16, 1.23, 2.05
Tasks: 131 total, 6 running, 125 sleeping, 0 stopped, 0 zombie
Cpu(s): 10.6% us, 10.6% sy, 30.7% ni, 48.2% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 4151296k total, 4060148k used, 91148k free, 226148k buffers
Swap: 2040212k total, 144k used, 2040068k free, 3035552k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15666 mysql 10 -5 525m 369m 3768 S 35.8 9.1 12504:02 mysqld
32390 nobody 17 1 276m 12m 9752 R 32.8 0.3 0:08.90 lsphp5
32393 nobody 17 1 276m 13m 11m R 15.9 0.3 0:05.60 lsphp5
32394 nobody 17 1 276m 12m 9.9m R 14.9 0.3 0:08.25 lsphp5

Load looks better after applying those settings; I just don't know if it was because of the settings or because the DDoSer stopped the attack. I guess I will find out soon enough.
Last edited by Bono; 01-21-2009 at 03:44 PM..
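
The log-parsing step that fail2ban or CSF would automate, as an added example that is not part of any post in this thread or of LiteSpeed's own tooling: it counts limit notices per IP in constructed log lines and renders iptables rules for repeat offenders. The log layout, `LIMIT_RE`, the threshold and the allow-list are assumptions to adapt to what your server's log actually contains.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample; this line layout is an assumption, not a real LiteSpeed
# log. Adjust LIMIT_RE to the entries your own error log actually contains.
SAMPLE_LOG = """\
2009-01-21 14:29:01 [NOTICE] [198.51.100.7] Reached per client connection hard limit: 50
2009-01-21 14:29:02 [NOTICE] [198.51.100.7] Reached per client connection hard limit: 50
2009-01-21 14:29:02 [NOTICE] [203.0.113.9] Reached per client connection soft limit: 30
2009-01-21 14:29:03 [NOTICE] [198.51.100.7] Reached per client connection soft limit: 30
2009-01-21 14:29:04 [NOTICE] [192.0.2.1] Reached per client connection hard limit: 50
2009-01-21 14:29:04 [NOTICE] [192.0.2.1] Reached per client connection hard limit: 50
2009-01-21 14:29:05 [INFO] [203.0.113.9] File not found: /Reached per client connection hard limit
2009-01-21 14:29:06 [NOTICE] [999.1.1.1] Reached per client connection hard limit: 50
"""

# Anchor on the level and the bracketed client field so that request data
# echoed elsewhere in a line cannot produce a match.
LIMIT_RE = re.compile(
    r"^\S+ \S+ \[NOTICE\] \[(?P<ip>[0-9a-fA-F.:]+)\] "
    r"Reached per client connection (?:soft|hard) limit\b"
)

def offenders(log_text, threshold=2, allow=("192.0.2.0/24",)):
    """Return sorted IPs with >= threshold limit notices, minus allow-listed nets."""
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    hits = Counter()
    for line in log_text.splitlines():
        m = LIMIT_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # looks like an address but is not one (e.g. 999.1.1.1)
        if any(ip in net for net in allow_nets):
            continue  # never block your own monitoring, proxy or admin ranges
        hits[ip] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= threshold)

def firewall_rules(ips):
    """Render (not execute) one iptables DROP rule per IPv4 offender."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(firewall_rules(offenders(SAMPLE_LOG))))
```

A threshold above 1 keeps a single burst from a shared or NATed address from turning into a firewall block.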

01-24-2009, 11:01 AM
Senior Member
Join Date: Nov 2007
Location: New York
Posts: 729

So, how did it go later?

01-24-2009, 12:40 PM
Senior Member
Join Date: Jan 2009
Posts: 75

Quote:
Originally Posted by anewday
So, how did it go later?

It is quiet now; the DDoS attack is over and I switched to a new server, a Xeon 3220 with 4GB of RAM.
One last question: is it possible to run PHP as the user but without PHP suEXEC enabled? If I enable suEXEC then XCache doesn't work, but I would like to have both if possible, like on Apache.
All times are GMT -7.