Strange DDoS attack
I'm having a strange DDoS attack launched against me. I was having a lot of attacks, but my lsws/csf/synd config always successfully blocked them.
Here is the problem. Via SSH I'm seeing about 100 IPs connected to the server, each of them with max 3 connections to the server (mostly only 1).
My lsws conf:
Static Requests/second: 10
Dynamic Requests/second: 2
Outbound Bandwidth (bytes/sec): 4k
Inbound Bandwidth (bytes/sec): 1k
Connection Soft Limit: 20
Connection Hard Limit: 40
Grace Period (sec): 100
Banned Period (sec): 5000
Max Connections: 1000
Connection Timeout (secs): 15
Max Keep-Alive Requests: 100
Smart Keep-Alive: No
Keep-Alive Timeout (secs): 5
Send Buffer Size (bytes): 0
Receive Buffer Size (bytes): 0
CSF is configured to block each IP with more than 30 connections to the server, and synd (by nix101.com) is configured to block each IP with more than 10 SYN_RECV connections, but it fails to block the DDoS attack which I've been getting for the last 3 days.
Most of the IP addresses are unregistered; I checked at ripe.net and it says IANA. Does it mean an IP is unregistered? How could I block all IANA IPs?
Also, I'm not using mod_security at this time. Do I need to install mod_security and then add it into lsws (via the lsws admin panel), or does lsws already have mod_sec installed so I can just add it in the lsws admin panel? All my vHosts are in lsws (not httpd.conf). What mod_security config should I use to block all connections from blank user-agents? If not mod_sec, is there a way I can block them via htaccess?
I hope I will get some help here; these attacks are driving me crazy already.
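Added example, not part of the original post or of any product's own configuration: the per-IP thresholds quoted above (connection soft limit 20, csf at 30 connections, synd at 10 SYN_RECV) all sit above the 1 to 3 connections per address being observed, so connection counting per IP cannot see this traffic, and a request-level attribute such as the User-Agent header is the filter the post is asking about. Below is a ModSecurity-syntax rule pair for requests with a missing or empty User-Agent, followed by the mod_rewrite equivalent for an .htaccess file. The rule ids 900001 and 900002 are placeholders chosen for this example; the first form assumes the server accepts ModSecurity-style rules, the second only needs mod_rewrite.

```apache
# --- ModSecurity-syntax rules (phase 1 = request headers, evaluated before the body is read) ---
# Deny requests that carry no User-Agent header at all (header count is 0).
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:900001,phase:1,deny,status:403,log,msg:'Request without User-Agent header'"

# Deny requests whose User-Agent header is present but empty.
SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
    "id:900002,phase:1,deny,status:403,log,msg:'Empty User-Agent header'"

# --- .htaccess equivalent using mod_rewrite (no ModSecurity required) ---
RewriteEngine On
# %{HTTP_USER_AGENT} is empty both when the header is absent and when it is blank.
RewriteCond %{HTTP_USER_AGENT} ^$
# Return 403 Forbidden and stop processing further rewrite rules.
RewriteRule ^ - [F,L]
```

Before switching the action from log-only to deny, it is worth running the rules with `pass,log` instead of `deny` for a while and checking the audit log, since some legitimate monitoring and health-check clients also send no User-Agent; a blank header is a useful discriminator for the traffic described here, but it is not proof of hostility on its own.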