Support

anewday · #31 10-08-2009, 07:58 PM

What are the specs of the quad core server?

felosi · #32 10-08-2009, 09:05 PM

If it is getting GET attacks you should really try BARF. It works good, you just have to manually specify the requests the attackers are made. Sometimes they will change them when they realize whats going on but I handle 5 servers with sites getting ddosed all the time and I am able to keep up with them on at least 2 sites I can think of now.

Eventually when i find the right programmer I am going to get it programmed where it detects and blocks on ANY reptitive GET. Now that will be cool. I think you would still have to specify domain to watch for because it would just be too much for it to be checking all domlogs at once.

With BARF, SYND, Csf w/connection tracking and litespeed with proper settings you can pretty much handle anything that gets by your network filters as long as it doesnt consume your pipe.

But there is one bad thing about litespeed I noticed. For example for a lot of these attacking bots they was not giving user agent so we added some mod sec and rewrite rules to stop this. Now all attacking bots get a 403 yet it is totally draining my bandwidth as if it was really getting the image. I think Ill make a post about this here somewhere. Has anyone else noticed this? Also even though attacking bots are getting 403 the lsphp and lshttpd processes are going crazy. I guess where its all based on php - the error pages and all.

anewday · #33 10-08-2009, 10:06 PM

What's SYND? Could you share those modsec and rewrite rules?

MikeDVB · #34 10-09-2009, 11:09 AM

Quote:

Originally Posted by anewday

What are the specs of the quad core server?

Just a 2.4ghz Quad with 4gb ram but the storage was network attached SCSI (so it could keep up).

Bono · #35 10-13-2009, 07:56 AM

Quote:

Originally Posted by felosi

If it is getting GET attacks you should really try BARF. It works good, you just have to manually specify the requests the attackers are made. Sometimes they will change them when they realize whats going on but I handle 5 servers with sites getting ddosed all the time and I am able to keep up with them on at least 2 sites I can think of now.

Eventually when i find the right programmer I am going to get it programmed where it detects and blocks on ANY reptitive GET. Now that will be cool. I think you would still have to specify domain to watch for because it would just be too much for it to be checking all domlogs at once.

With BARF, SYND, Csf w/connection tracking and litespeed with proper settings you can pretty much handle anything that gets by your network filters as long as it doesnt consume your pipe.

But there is one bad thing about litespeed I noticed. For example for a lot of these attacking bots they was not giving user agent so we added some mod sec and rewrite rules to stop this. Now all attacking bots get a 403 yet it is totally draining my bandwidth as if it was really getting the image. I think Ill make a post about this here somewhere. Has anyone else noticed this? Also even though attacking bots are getting 403 the lsphp and lshttpd processes are going crazy. I guess where its all based on php - the error pages and all.

This is probably related to my post
http://www.litespeedtech.com/support...ead.php?t=3387

Please check which process is overloading your server, on my server system cannot find files and it takes most of the resources and overloads the server.