Dyn Reqs/s throttling issue

[morbic]

Hi all,

I'm happy member of LiteSpeed standard edition since few years, however now I'm facing some configuration issues.

Does dynamic requests throttling per second work in Standard edition? I didn't find any information that it shouldn't, however - it doesn't seem to.

I'm hosting a website with really heavy and unoptimized SQL queries to big database. Noone optimizes them, because the new website is being created. However we're facing at the moment some easy DoS attack. Attacker sends several (!) GET requests to /index.php per second and this way access for other users is being successfully cut by hanging MySQL connection with waiting or (being executed) queries.

I've set dynamic requests limit to 1/sec on vhost level (on server level it is set to 2), but looks like LS doesn't apply that limit. I cannot block it with iptables, because there is static content (images/css) served as well.
How should I solve the problem? Is it a bug, or just disabled feature which isn't just described as disabled in std version?

Here's a short piece of access.log:

Code:

X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"
X.X.X.X - - [23/Jan/2012:14:34:51 +0100] "GET / HTTP/1.0" 200 - "-" "-" "www.mydomain.com"

LS version: 4.1.8 std

Thank you for your help!

[webizen]

you should set connection limit to block the IP over the connection limit. request rate throttling does NOT block the IP over the limit BUT defer the serving.

[morbic]

Thank you for your answer!

Yes, you're right I could limit the connections with connection limit, I didn't think about it. But it still doesn't solve the problem. Correct me if I'm wrong, but connection limit includes also static requests - so I should set it to about 5-10 to let the browser download all static content as well. But still 5-10 dynamic requests per second (+ all regular from other IPs) may sometimes kill the website.

And if I understand dyn reqs throttling correctly, with 10 GET / requests, it should throttle it with my settings for 10 seconds (1 request / sec). However I noticed, that all of them are executed immediately (simultaneously). Is that correct?

Thank you!

[webizen]

connection limit is independent from request/bandwidth rate. i.e. you can have 1 connection from an IP doing 10 req/sec which is still counted as 1 connection.

your understanding of dyn reqs throttling is correct. 10 GET / request should be throttled and get served in ~10 secs not 1 sec. server log only records a request's arrival time not the time be served. maybe that causes the confusion.