Anti-DDOS Block feature cannot detect this kind of request

Discussion in 'Bug Reports' started by redstrike, Aug 12, 2011.

  1. redstrike

    redstrike Member

    Hi LiteSpeed,

    My site is in heavy load condition now. But the anti-ddos feature does not work efficiently.

    The attachment is my log file. It seems that LiteSpeed cannot detect the IP 113.163.80.152 as the ddos IP.

    LiteSpeed is a great webserver, I hope you can improve the Anti-DDOS Block feature. I suggest that the feature add the denied IPs without telling us to restart LiteSpeed.

    Thanks.

    Attached Files: log.zip (6.4 KB)
  2. NiteWave

    NiteWave Administrator

    What are your anti-ddos settings?
  3. redstrike

    redstrike Member

    Hello NiteWave,

    You mean the settings of Per Client Throttling?

    Code:
    Static Requests/second:		10
    Dynamic Requests/second:		5
    Outbound Bandwidth (bytes/sec):	256K
    Inbound Bandwidth (bytes/sec):	0
    Connection Soft Limit:		5
    Connection Hard Limit:		15
    Grace Period (sec):		15
    Banned Period (sec):		900
  4. webizen

    webizen New Member

    Please extract the entries related to 113.163.80.152 from your access and error logs for us to look at.

  5. redstrike

    redstrike Member

    I have attached the logs in the first post. That's all I have. I think the IP 113.163.80.152 tried to attack my site or cheat our views counter. I think the built-in Anti-DDOS feature of LiteSpeed should treat it like an attacker. But it doesn't.
  6. webizen

    webizen New Member

    If the IP never shows up in these logs, LiteSpeed will not capture it. How did you know the IP is attacking the site? You must have something else to show.
  7. redstrike

    redstrike Member

    Here is all I have. I don't know what you mean. That is, IP 113.163.80.152 shows up with a lot of requests like below:

    2011-08-12 16:22:38.675 INFO [113.163.80.152:41353-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#home]
    2011-08-12 16:22:40.818 INFO [113.163.80.152:42603-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#play,20213,di_luon_di_(ft._spu._pe_spy,_red).v2r]
  8. webizen

    webizen New Member

    According to your attached log, IP 113.163.80.152 pulls these two URLs (only) every 5 seconds, respectively. That rate (0.4 requests/second) is way below your current Per Client Throttling limits. You can manually add that IP to the Denied List or order our advanced anti-ddos services for automated blocking.

    Code:
    Static Requests/second:		10
    Dynamic Requests/second:		5
    Outbound Bandwidth (bytes/sec):	256K
    Inbound Bandwidth (bytes/sec):	0
    Connection Soft Limit:		5
    Connection Hard Limit:		15
    Grace Period (sec):		15
    Banned Period (sec):		900
    
  9. redstrike

    redstrike Member

    Although I have read the tips so many times, I don't quite understand the terms "Static" vs "Dynamic" Requests/second. Can you explain more? Which kind of request is static or dynamic? Can you give me some examples from the log which I shared?

    Does Inbound Bandwidth affect the upload of users? Or will my site be better if I set it to 1K (my site doesn't allow users to upload their content)?
  10. webizen

    webizen New Member

    See descriptions at:

    http://www.litespeedtech.com/docs/webserver/config/security/#staticReqPerSec
    http://www.litespeedtech.com/docs/webserver/config/security/#dynReqPerSec

    Static content is the resource delivered to the user exactly as stored on the server, such as jpg, gif, html, js files.

    Dynamic content (dynamically generated content) is generated by a web application. The following (index.php) from your log is dynamic. The rest are hard to tell since they don't exist ("File not found") on the server.

    Inbound Bandwidth is for throttling user upload. "0" means no limit. If your site does not allow upload, it doesn't really make a difference to set it at 1K or 0.
    Last edited: Aug 13, 2011
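
An added example, not part of the thread and not LiteSpeed code: the rate arithmetic from reply 8, done offline over error-log lines in the format quoted in reply 7, showing why a client polling every few seconds stays under a per-second limit while a burst client does not. The sample lines, the `203.0.113.7` burst client, the `example.test` host and the `slow_min_requests` threshold are constructed assumptions; the limit of 10 is the Static Requests/second value posted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Error-log format quoted in the thread:
# 2011-08-12 16:22:38.675 INFO [113.163.80.152:41353-0#vn2rap.com] File not found [...]
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \w+ \[(\d{1,3}(?:\.\d{1,3}){3}):\d+")

def per_client_stats(lines):
    """Return {ip: (count, average requests/second, peak requests in any 1 s window)}."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            seen[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"))
    stats = {}
    for ip, ts in seen.items():
        ts.sort()
        span = max((ts[-1] - ts[0]).total_seconds(), 1.0)  # floor at 1 s, avoids divide-by-zero
        peak = lo = 0
        for hi in range(len(ts)):  # sliding one-second window over sorted timestamps
            while ts[hi] - ts[lo] >= timedelta(seconds=1):
                lo += 1
            peak = max(peak, hi - lo + 1)
        stats[ip] = (len(ts), len(ts) / span, peak)
    return stats

def classify(stats, per_sec_limit=10, slow_min_requests=20):
    """per_sec_limit: value from the thread; slow_min_requests: hypothetical review threshold."""
    out = {}
    for ip, (count, _avg, peak) in stats.items():
        if peak > per_sec_limit:
            out[ip] = "throttled"      # a per-second limit would catch this client
        elif count >= slow_min_requests:
            out[ip] = "slow-repeat"    # under the limit but persistent: manual deny-list candidate
        else:
            out[ip] = "ok"
    return out

def sample_log():
    """Constructed sample: one slow poller (pattern from reply 8) and one burst client."""
    base = datetime(2011, 8, 12, 16, 22, 38, 675000)
    fmt = "{} INFO [{}:{}-0#example.test] File not found [/var/www/m/#home]"
    stamp = lambda t: t.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    lines = []
    for i in range(12):  # two requests every 5 seconds
        for off in (0, 2.1):
            lines.append(fmt.format(stamp(base + timedelta(seconds=5 * i + off)), "113.163.80.152", 41000 + i))
    for i in range(12):  # 12 requests inside one second
        lines.append(fmt.format(stamp(base + timedelta(milliseconds=50 * i)), "203.0.113.7", 50000 + i))
    return lines
```

`classify(per_client_stats(sample_log()))` marks the slow poller as `slow-repeat` and only the burst client as `throttled`.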
