lslb - http flood - ddos protection

Discussion in 'General' started by Clockwork, Oct 6, 2009.

  1. Clockwork

    Clockwork Member

    Hi,

    it seems lslb is somewhat different than lsws in flood handling:

    Code:
    ["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
    ["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
    ["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
    ["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
    ["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
    ["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
    ["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
    ["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
    ["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
    ["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
    ["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
    ["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
    
    it comes from different IP's, I've just changed those to 123.123.123.123.

    lslb just passes this attack to the backend servers, is there any way to configure lslb to detect and block attacks like this?

    I've already set "Per Client Dyn Reqs/sec" to 2 in the virtual hosts tab, but this doesn't seem to affect static files.
  2. mistwang

    mistwang LiteSpeed Staff

    For LB, all the requests are dynamic as it needs to forward the request to backend server.

    You need to set "Connection Soft Limit" "Connection Hard Limit" to block aggressive IP .
  3. soyturk

    soyturk New Member

    that's true. thank you mistwang.

Share This Page