DDoS Question

QuantumNet

Well-Known Member
#1
One of the things I noticed in the attack yesterday was that they used hundreds of IP addresses to all attack the same URL.

If I blocked the URL, they just changed the botnet to target a different URL.

CSF Firewall and Litespeed Anti-DoS were not picking this up because of so many different IP addresses.


But what I noticed is that the same IP address would come around and tag it again at, say, 5-minute intervals.

I wonder, would there be a way to detect this type of attack, since the same IP keeps hitting the same URL within a specific amount of time, without creating false positives for things like RSS feed readers?

Would this be something LiteSpeed could defend against?
 
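The pattern described above (many IPs on one URL, each IP returning every few minutes) can be picked out of the access log without banning every scheduled poller. The script below is an added example, not code from this thread or from LiteSpeed; it assumes the Apache/LiteSpeed "combined" log format, and the allowlisted feed paths, User-Agent markers, thresholds and sample addresses are all constructed for the demonstration. An IP is flagged only when it has hit the same path at least `min_hits` times inside the window AND that path has been requested by at least `min_distinct_ips` different IPs, so a lone RSS reader polling one URL is not reported even if it is not on the allowlist.

```python
"""Spot client IPs that keep coming back to one URL while that URL is under a
many-IP flood. Added example; not code from this thread or from LiteSpeed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/LiteSpeed "combined" access-log format (assumed; adjust if your LogFormat differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Site-specific allowlist (hypothetical values): URLs that legitimate clients are
# expected to poll, and User-Agent fragments of known feed fetchers.
FEED_PATHS = {"/forum/rss.php", "/feed/"}
FEED_UA_MARKERS = ("feedfetcher", "feedburner", "rss")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # bucket by path; ignore the query string
    return rec


def is_feed_client(rec):
    ua = rec["ua"].lower()
    return rec["path"] in FEED_PATHS or any(tok in ua for tok in FEED_UA_MARKERS)


def detect_revisiting_ips(lines, window=timedelta(minutes=20), min_hits=4, min_distinct_ips=3):
    """Return {(ip, path): time_first_flagged}.

    A pair is flagged once the IP has made >= min_hits requests to the path
    inside `window` AND the path has been requested by >= min_distinct_ips
    different IPs. The second condition is what separates a distributed flood
    from a single client (feed reader, uptime probe) polling on a schedule.
    """
    recent = defaultdict(deque)      # (ip, path) -> timestamps still inside the window
    ips_per_path = defaultdict(set)  # path -> distinct client IPs seen so far
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_feed_client(rec):
            continue
        key = (rec["ip"], rec["path"])
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        ips_per_path[rec["path"]].add(rec["ip"])
        if len(q) >= min_hits and len(ips_per_path[rec["path"]]) >= min_distinct_ips:
            flagged.setdefault(key, rec["ts"])
    return flagged


def constructed_line(ip, hhmm, path, ua="Mozilla/5.0"):
    """Build one combined-format line (constructed data, RFC 5737 test addresses)."""
    return f'{ip} - - [10/Jun/2012:{hhmm}:00 +0000] "GET {path} HTTP/1.1" 200 5123 "-" "{ua}"'


# Constructed sample, in time order: one ordinary visitor loads the page once, three
# bot IPs return to the same URL every 5 minutes, and a feed reader polls the RSS URL
# on the same schedule.
_events = [("192.0.2.7", "15:29", "/forum/index.php", "Mozilla/5.0")]
for _hhmm in ("15:30", "15:35", "15:40", "15:45"):
    for _ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        _events.append((_ip, _hhmm, "/forum/index.php", "Mozilla/5.0"))
    _events.append(("198.51.100.5", _hhmm, "/forum/rss.php", "FeedFetcher-Google"))
SAMPLE_LOG = [constructed_line(*e) for e in _events]

if __name__ == "__main__":
    for (ip, path), ts in sorted(detect_revisiting_ips(SAMPLE_LOG).items()):
        print(f"{ts:%H:%M} flag {ip} -> {path}")
```

Run against the constructed sample it reports the three bot IPs at 15:45 (their fourth hit) and nothing for the visitor or the feed reader. Feed the flagged IPs to whatever blocks at the edge (a CSF deny list or a Fail2ban action); tune `window` and `min_hits` to the revisit interval you actually observe, since a 5-minute cadence with `min_hits=4` needs a window of at least 15 minutes.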

QuantumNet

Well-Known Member
#2
During Apache Bench, here is top:

top - 15:43:13 up 1:56, 3 users, load average: 9.18, 4.48, 2.44
Tasks: 36 total, 8 running, 28 sleeping, 0 stopped, 0 zombie
Cpu(s): 79.0%us, 20.9%sy, 0.0%ni, 0.1%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
25916 mysql 15 0 192m 68m 4132 S 97.6 1.7 8:30.02 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/my
3597 apache 18 0 291m 15m 7868 R 3.3 0.4 0:00.10 lsphp5:nmentsecurity.org/public_html/forum/index.p
3600 apache 17 0 291m 16m 8196 R 3.3 0.4 0:00.10 lsphp5:nmentsecurity.org/public_html/forum/index.p
3595 apache 18 0 290m 15m 7900 R 3.0 0.4 0:00.09 lsphp5:nmentsecurity.org/public_html/forum/index.p
3599 apache 17 0 290m 15m 7868 R 3.0 0.4 0:00.09 lsphp5:nmentsecurity.org/public_html/forum/index.p
3601 apache 18 0 290m 15m 7868 R 3.0 0.4 0:00.09 lsphp5:nmentsecurity.org/public_html/forum/index.p
3602 apache 18 0 291m 16m 8196 R 3.0 0.4 0:00.09 lsphp5:nmentsecurity.org/public_html/forum/index.p
3598 apache 18 0 290m 14m 7400 R 2.3 0.4 0:00.07 lsphp5:nmentsecurity.org/public_html/forum/index.p
5140 apache 0 -19 8892 6860 1164 S 2.3 0.2 3:13.20 lshttpd
 

QuantumNet

Well-Known Member
#3
And here is mytop:

MySQL on localhost (5.1.48-log) up 0+01:56:40 [15:43:28]
Queries: 23.0 qps: 0 Slow: 0.0 Se/In/Up/De(%): 221330/00/00/00
qps now: 0 Slow qps: 0.0 Threads: 7 ( 2/ 19) 37500/00/00/00
Key Efficiency: 100.0% Bps in/out: 0.1/ 10.9 Now in/out: 8.3/ 1.3k

Id User Host/IP DB Time Cmd Query or State
-- ---- ------- -- ---- --- ----------
6509 da_admin localhost 0 Query show full processlist
7604 ibfgso localhost governme_i 0 Sleep
7605 gso2 localhost governme_g 0 Sleep
7606 ibfgso localhost governme_i 0 Sleep
7607 ibfgso localhost governme_i 0 Sleep
7608 ibfgso localhost governme_i 0 Sleep
7505 gso2 localhost governme_g 5 Sleep
 

mistwang

LiteSpeed Staff
#4
Looks like a MySQL performance issue, as it is using 99% CPU; it is not something related to LSWS at all. A few tips to troubleshoot this: check

mysqladmin processlist
mysqladmin extended-status

find out which SQL takes a long time, and add proper table indexes if needed.

Our advanced anti-DDoS setup (paid service) can utilize Fail2ban to block attacking IPs automatically based on LiteSpeed error log files. You can do it yourself.
 
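The two `mysqladmin` commands suggested above print ASCII tables that are tedious to read by eye when a flood has dozens of connections open. The script below is an added example, not code from this thread or from LiteSpeed; it assumes the standard `| a | b |` table layout `mysqladmin` prints, and the user, schema, statements and counter values in the samples are constructed. It lists the queries that have been running longest, groups identical statements that differ only in literal values (the usual signature of one un-indexed query hammered by every bot), and pulls the counters from `extended-status` that rise with full table scans and on-disk sorts.

```python
"""Pull the slow and repeated statements out of `mysqladmin processlist` and the
table-scan counters out of `mysqladmin extended-status`. Added example; not code
from this thread or from LiteSpeed."""
import re
from collections import Counter


def parse_table(text):
    """Parse the ASCII table mysqladmin prints (| a | b | rows between +---+ rules)
    into a list of dicts keyed by the header row. Cells containing a literal '|'
    (e.g. a bitwise OR in SQL) would be split wrongly; handle those separately."""
    rows = [ln.strip().strip("|") for ln in text.splitlines() if ln.lstrip().startswith("|")]
    if not rows:
        return []
    cells = [[c.strip() for c in r.split("|")] for r in rows]
    header, body = cells[0], cells[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]


_STR = re.compile(r"'(?:[^'\\]|\\.)*'")
_NUM = re.compile(r"\b\d+\b")


def normalize_sql(sql):
    """Replace literals with '?' so identical statements with different values group together."""
    sql = _NUM.sub("?", _STR.sub("?", sql))
    return " ".join(sql.split()).lower()


def _queries(processlist_text):
    # Running statements only; skip idle connections and the processlist query itself.
    for row in parse_table(processlist_text):
        info = row.get("Info", "")
        if row.get("Command") == "Query" and info and not info.lower().startswith("show"):
            yield row


def long_running(processlist_text, min_seconds=2):
    """Queries that have been running at least min_seconds, longest first."""
    rows = [r for r in _queries(processlist_text) if int(r["Time"]) >= min_seconds]
    return sorted(rows, key=lambda r: int(r["Time"]), reverse=True)


def hot_statements(processlist_text):
    """How many connections are executing each (normalized) statement right now."""
    return Counter(normalize_sql(r["Info"]) for r in _queries(processlist_text))


def scan_indicators(status_text):
    """Counters from extended-status that point at missing indexes:
    Select_scan and Handler_read_rnd_next grow with full table scans,
    Created_tmp_disk_tables with sorts that spill to disk."""
    vals = {r["Variable_name"]: int(r["Value"]) for r in parse_table(status_text)
            if r.get("Value", "").isdigit()}
    out = {k: vals.get(k, 0) for k in ("Questions", "Slow_queries", "Select_scan",
                                        "Handler_read_rnd_next", "Created_tmp_disk_tables")}
    out["rows_scanned_per_question"] = out["Handler_read_rnd_next"] / max(out["Questions"], 1)
    return out


# Constructed sample output (user, schema, statements and counter values are made up).
SAMPLE_PROCESSLIST = """\
+------+------+-----------+-------+---------+------+----------------+-------------------------------------------------------------+
| Id   | User | Host      | db    | Command | Time | State          | Info                                                        |
+------+------+-----------+-------+---------+------+----------------+-------------------------------------------------------------+
| 6509 | root | localhost |       | Query   | 0    |                | show full processlist                                       |
| 7604 | app  | localhost | forum | Query   | 7    | Sending data   | SELECT * FROM posts WHERE topic_id = 4412 ORDER BY pid DESC |
| 7605 | app  | localhost | forum | Sleep   | 0    |                |                                                             |
| 7606 | app  | localhost | forum | Query   | 5    | Sending data   | SELECT * FROM posts WHERE topic_id = 9001 ORDER BY pid DESC |
| 7607 | app  | localhost | forum | Query   | 1    | Sorting result | SELECT * FROM posts WHERE topic_id = 31 ORDER BY pid DESC   |
+------+------+-----------+-------+---------+------+----------------+-------------------------------------------------------------+
"""

SAMPLE_STATUS = """\
+-------------------------+---------+
| Variable_name           | Value   |
+-------------------------+---------+
| Questions               | 82310   |
| Slow_queries            | 3       |
| Select_scan             | 412     |
| Handler_read_rnd_next   | 9150000 |
| Created_tmp_disk_tables | 27      |
+-------------------------+---------+
"""

if __name__ == "__main__":
    for r in long_running(SAMPLE_PROCESSLIST):
        print(f'{r["Time"]:>4}s  {r["db"]:<8} {r["Info"]}')
    print(hot_statements(SAMPLE_PROCESSLIST).most_common(3))
    print(scan_indicators(SAMPLE_STATUS))
```

On the constructed sample the same `SELECT ... WHERE topic_id = ? ORDER BY pid DESC` shape is running on three connections and the server has read over a hundred rows sequentially per question, which together point at `topic_id` (and the sort column) lacking an index. Pipe live output in with `mysqladmin processlist | python3 script.py` after swapping the sample for `sys.stdin.read()`; a rising `Select_scan` while you watch is the quickest confirmation that an index, not more CPU, is what the server needs.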