Ddos

Discussion in 'LSWS 4.1 Release' started by myserver24, Jul 5, 2011.

  1. myserver24

    myserver24 New Member

    Hello,
    we use LiteSpeed 4.1.1 Ent on our CentOS 5.4 (cPanel) server.
    Today the load on this server, which I monitor, suddenly got heavy (e.g. from 0.55 to 25.14) and all services became inaccessible.
    It also has csf & lfd, mod_deflate, mod_security.
    When the load increased, I checked network I/O with iftop, but it showed RX & TX lower than 500kbps (b=byte).

    I reported this problem to the datacenter and they told us this might be a DDoS attack.

    Now how can I find the attacker IP or the target of this attack?
  2. webizen

    webizen New Member

    Run 'top' from the command line and see which process(es) consume the most resources (CPU cycles, I/O wait, etc.), which helps identify the cause of high system load.

    For DDoS attack mitigation, refer to this doc: http://www.litespeedtech.com/how-tos.html#qa_dos
  3. myserver24

    myserver24 New Member

    I configured LiteSpeed with these values:
    Static Requests/second - 10
    Dynamic Requests/second - 2
    Outbound Bandwidth (bytes/sec) - 0
    Inbound Bandwidth (bytes/sec) - 0
    Connection Soft Limit - 20
    Connection Hard Limit - 30
    Grace Period (sec) - 30
    Banned Period (sec) - 3600

    Max Connections : 900
    Connection Timeout (secs) : 15
    Max Keep-Alive Requests : 90
    Smart Keep-Alive : Yes
    Keep-Alive Timeout (secs) : 3

    but the problem is still not solved.
  4. webizen

    webizen New Member

    Do you see any IP listed in "Anti-DDoS Blocked IP" on the real-time stats page of the LSWS Admin Console? If none or not many, then your high system load could be caused by something else instead of an excessive-established-connection kind of DDoS attack.

    Did you run 'top' from the command line and see which process(es) consume the most resources (CPU cycles, I/O wait, etc.), which helps identify the cause of high system load?
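
The check discussed above can also be done from the shell. This is an added example, not part of any post in the thread and not LiteSpeed's own tooling: it tallies open connections per remote IP from `netstat -ntu` output and compares them with the Connection Soft/Hard Limit values posted earlier. The function names, the web ports 80/443 and the sample addresses are assumptions, and the netstat tally only approximates what LSWS itself counts.

```shell
#!/bin/sh
# Added example: rank remote IPs by open TCP connections to the web ports and
# compare each count with the per-client limits quoted in the thread.
SOFT_LIMIT=20   # "Connection Soft Limit" from the posted settings
HARD_LIMIT=30   # "Connection Hard Limit" from the posted settings

# Reads `netstat -ntu` style lines on stdin; prints "count ip level est syn"
# for every remote IP above the soft limit, busiest first.
# Only ESTABLISHED and SYN_RECV sockets are counted (TIME_WAIT etc. are not).
conn_report() {
    awk -v soft="$SOFT_LIMIT" -v hard="$HARD_LIMIT" '
        $1 ~ /^tcp/ && $4 ~ /:(80|443)$/ &&
        ($6 == "ESTABLISHED" || $6 == "SYN_RECV") {
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # drop the remote port
            sub(/^::ffff:/, "", ip)      # unwrap IPv4-mapped IPv6 addresses
            total[ip]++
            if ($6 == "ESTABLISHED") est[ip]++
            else                     syn[ip]++
        }
        END {
            for (ip in total) {
                if (total[ip] <= soft) continue
                level = (total[ip] > hard) ? "over-hard" : "over-soft"
                printf "%d %s %s %d %d\n", total[ip], ip, level, est[ip], syn[ip]
            }
        }' | sort -rn
}

# Constructed sample input (documentation address ranges), not real traffic.
sample_netstat() {
    i=0
    while [ "$i" -lt 35 ]; do
        echo "tcp 0 0 192.0.2.10:80 198.51.100.7:$((40000 + i)) ESTABLISHED"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 24 ]; do
        echo "tcp 0 0 192.0.2.10:80 ::ffff:203.0.113.9:$((50000 + i)) SYN_RECV"
        i=$((i + 1))
    done
    echo "tcp 0 0 192.0.2.10:443 198.51.100.20:41000 TIME_WAIT"
    echo "tcp 0 0 192.0.2.10:22 198.51.100.7:42000 ESTABLISHED"
}

# Live use on the server: netstat -ntu | conn_report
sample_netstat | conn_report
```

An empty report during a load spike points the same way as an empty "Anti-DDoS Blocked IP" list: the load is probably not coming from a few clients holding many connections.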
  5. myserver24

    myserver24 New Member

    Thank you for the reply.
    When the load increased, I ran "top", "atop" and "htop", and:
    "ps -eo pid,user,%cpu,%mem,etime,args"

    But all of these tools show that the load is heavy and that lsphp5 is producing the load. I then looked up the user of the PID with:
    "ps -ef | grep [PID]"
    but it shows root in the user field.

    What can I do?
  6. myserver24

    myserver24 New Member

    Last edited: Jul 6, 2011
  7. cmanns

    cmanns New Member

  8. webizen

    webizen New Member

    From your admin CP screenshot, your bottleneck seems to be slow PHP (likely the database needs tuning). An opcode cache (such as XCache) will also help alleviate the situation.
  9. myserver24

    myserver24 New Member

  10. myserver24

    myserver24 New Member

    Thank you for the reply, so what should I do to solve this problem?
    Please guide me step by step.
