Ddos

[myserver24]

hello
we use litespeed 4.1.1 Ent on our centos 5.4 (cpanel) server.
today this server's load that i monitor , Suddenly got heavy (e.g from 0.55 to 25.14) and all services run away from access.
also it has csf & lfd , mod_deflate , mod_security.
when load increase, i check network I/O with iftop but it show RX & TX lower than 500kbps(b=byte).

i tell this problem to datacenter and they tell we this might a ddos attack.

now how can i find attacker ip or target of this attack?

[webizen]

do 'top' from command line and see which process(es) consume the most resources (cpu cycles, i/o wait, etc) which helps identify the cause of high system load.

for ddos attack mitigation, refer to this doc http://www.litespeedtech.com/how-tos.html#qa_dos

[myserver24]

i config litespeed with this value:
Static Requests/second - 10
Dynamic Requests/second - 2
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 20
Connection Hard Limit - 30
Grace Period (sec) - 30
Banned Period (sec) - 3600

Max Connections : 900
Connection Timeout (secs) : 15
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

and but now that problem didn't solve

[webizen]

Do you see any IP listed in "Anti-DDoS Blocked IP" of real-time stats page of LSWS Admin Console? if none or not many, then your high system load could be caused by something else instead of excessive-established-connection kind of ddos attack.

Did you run 'top' from command line and see which process(es) consume the most resources (cpu cycles, i/o wait, etc) which helps identify the cause of high system load?

[myserver24]

Quote:

Originally Posted by webizen

Do you see any IP listed in "Anti-DDoS Blocked IP" of real-time stats page of LSWS Admin Console? if none or not many, then your high system load could be caused by something else instead of excessive-established-connection kind of ddos attack.

Did you run 'top' from command line and see which process(es) consume the most resources (cpu cycles, i/o wait, etc) which helps identify the cause of high system load?

thank you for replay.
when load increase, i run "Top" and "aTop" and "hTop" and:
"ps -eo pid,user,%cpu,%mem,etime,args"

but all of this tools show that load is heavy and lsphp5 use load then i search user of pid with:
"ps -ef | grep [PID]"
but show root in user field.

what can i do?

[myserver24]

i attached my admin console snapshot and the total request of a domain increase suddenly and also my load increase, too.

link of image:
http://www.mediafire.com/?yoel674s2nylqyy

[cmanns]

Quote:

Originally Posted by myserver24

i attached my admin console snapshot and the total request of a domain increase suddenly and also my load increase, too.

link of image:
http://www.mediafire.com/?yoel674s2nylqyy

Try something like this

http://uploadpla.net/files/6686_m098...php-config.png

enable more child's if you got like one busy vhost but not to what you got it.

Then enable XCache

[webizen]

Quote:

Originally Posted by myserver24

i attached my admin console snapshot and the total request of a domain increase suddenly and also my load increase, too.

link of image:
http://www.mediafire.com/?yoel674s2nylqyy

From you admin cp screenshot, your bottleneck seems to be slow php (likely database needs tuning). opcode cache (such as xcache) will also help alleviate the situation.

[myserver24]

Quote:

Originally Posted by cmanns

Try something like this

http://uploadpla.net/files/6686_m098...php-config.png

enable more child's if you got like one busy vhost but not to what you got it.

Then enable XCache

thank you for replay, i will test above setting and replay result.

[myserver24]

Quote:

Originally Posted by webizen

From you admin cp screenshot, your bottleneck seems to be slow php (likely database needs tuning). opcode cache (such as xcache) will also help alleviate the situation.

thank your for replay,so what should i do to solve this problem?
please guide me step by step.