Multiple 300 second outages - suspect DDoS, running behind reverse PROXY

#1
Hi all,

All of a sudden, with no upgrades or anything, our LSWS has started becoming unavailable for periods of exactly 300 seconds each time.

The server is located behind a reverse proxy traffic manager (Riverbed Stingray), which means that the 'source IP' that the LSWS sees is that of the traffic manager, not of the actual user.

So my hunch is that someone is doing something bad to the LSWS service, the Stingray passes it down to the LSWS, and the LSWS somehow blocks this IP - as this is the Stingray's IP, it naturally blocks everyone coming from the Stingray...

My first question - how can I tell / what log could I check to see if LSWS has invoked some sort of 300-second ban? This is pretty much a default setup - I didn't think such a DoS feature was enabled by default?

My second question - is it possible to pass the X-FORWARDED-FOR header through to LSWS and get it to read this as the source IP rather than the source IP of our reverse proxy?

Thanks in advance...

Cheers,

JD
 

NiteWave

Administrator
#2
Maybe it has triggered the anti-DDoS setting:
admin console -> Server -> Security -> Banned Period (sec)
The default is 300 seconds (5 minutes).

You can whitelist the traffic manager's IP, so lsws won't ban it:
admin console -> Server -> Security -> Allowed List

For the 2nd question:
admin console -> Server -> General -> Use Client IP in Header
 
#3
Thanks for the reply.

I see that in allowed IP (whitelist) it's set as ALL - which I think is the default?

If you have allowed set to 'ALL' - would the anti-DDoS still work?

Or does this mean the problem is elsewhere?

The 300-second 'outage' does seem to fit though...

JD
 
#4
Reading a bit more - it does seem that sticking ALL in the allowed list - allows all but does not mean that ALL is 'trusted' (to bypass DDoS blocker).

To do this I would also need to specifically enter in the Allowed list the IP of the reverse proxy followed by *T.

So for example my allowed List would look like this if the reverse proxy has an IP of 192.168.1.10:

ALL
192.168.1.10T

Is this right?

JD
 

NiteWave

Administrator
#5
Yes, looks fine, but you should use a comma instead of a space to separate IPs:
"Syntax: Comma delimited list of IP addresses or sub-networks. A trailing "T" can be used to indicate a trusted IP or sub-network, such as 192.168.1.*T."
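As an added example, not part of the thread and not LiteSpeed's or Riverbed's own code, here is a small Python model of the two mechanisms the thread touches: a per-source ban tracker like the one the "Banned Period" setting describes, and the choice of which address counts as the "source" when the server sits behind a reverse proxy. It shows why every visitor disappears for exactly one ban period when the proxy is not marked trusted, and why trusting the proxy together with reading the client IP from the forwarded header fixes the keying. The proxy address 192.168.1.10 is the thread's own example; the request threshold, the sample client addresses, the function names and the right-to-left X-Forwarded-For selection rule are assumptions made for this example, and the page does not say how LSWS itself picks an address out of the header.

```python
"""Added example, not code from the thread or from LiteSpeed/Riverbed.

Models why a server behind a reverse proxy bans everyone at once: its
anti-DDoS counter is keyed on the TCP peer address, and every visitor
shares that address. Trusting the proxy and reading the client address
from X-Forwarded-For keys the counter on the real client instead.

Hypothetical values (not from the page): BAN_THRESHOLD and the sample
client addresses in simulate(). PROXY_IP is the thread's example value.
"""
from collections import defaultdict
import ipaddress

PROXY_IP = "192.168.1.10"   # the reverse proxy's address, as in the thread
BAN_THRESHOLD = 3           # requests before a ban; an assumed toy value
BAN_PERIOD = 300            # seconds, the default the thread mentions


def client_ip(peer_ip, xff_header, trusted_proxies, use_header=True):
    """Return the address the server should treat as the client.

    X-Forwarded-For is honoured only when the TCP peer is a trusted
    proxy. Walking the list from the right and stopping at the first
    address that is not one of our proxies yields the real client even
    when the client sent a fake X-Forwarded-For of its own, because a
    proxy appends the address it actually received the request from.
    """
    if not use_header or peer_ip not in trusted_proxies:
        return peer_ip
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: do not trust the header at all
        return hop
    return peer_ip  # empty or all-proxy list: fall back to the peer


class BanTracker:
    """Counts requests per source and bans a source for BAN_PERIOD seconds."""

    def __init__(self, threshold=BAN_THRESHOLD, period=BAN_PERIOD):
        self.threshold = threshold
        self.period = period
        self.counts = defaultdict(int)
        self.banned_until = {}

    def request(self, ip, now):
        """Record one request at time `now`; return "ok" or "banned"."""
        until = self.banned_until.get(ip)
        if until is not None and now >= until:
            del self.banned_until[ip]   # ban expired
            self.counts[ip] = 0
        if ip in self.banned_until:
            return "banned"
        self.counts[ip] += 1
        if self.counts[ip] > self.threshold:
            self.banned_until[ip] = now + self.period
            return "banned"
        return "ok"


def simulate(trusted_proxies, use_header=True):
    """Replay a constructed burst through the proxy and report what an
    innocent visitor gets afterwards.

    Constructed traffic: five requests from 203.0.113.9 (the abuser), then
    one from 198.51.100.7 (innocent), all arriving from PROXY_IP with the
    real client in X-Forwarded-For, as the proxy would send them.
    """
    tracker = BanTracker()
    now = 0
    for _ in range(5):
        ip = client_ip(PROXY_IP, "203.0.113.9", trusted_proxies, use_header)
        tracker.request(ip, now)
        now += 1
    ip = client_ip(PROXY_IP, "198.51.100.7", trusted_proxies, use_header)
    return tracker.request(ip, now)


if __name__ == "__main__":
    # Proxy not trusted: every request is keyed on PROXY_IP, so the abuser's
    # burst bans the proxy and the innocent visitor is locked out too.
    print("proxy untrusted:", simulate(set()))
    # Proxy trusted and header honoured: only the abuser is banned.
    print("proxy trusted:  ", simulate({PROXY_IP}))
    # Proxy trusted but header ignored: back to banning everyone.
    print("header ignored: ", simulate({PROXY_IP}, use_header=False))
```

The third run is the practical check for JD's setup: adding the proxy to the trusted list stops the server from banning the proxy, but without the client-IP-in-header option the abuser is never identified at all. The flip side is that a trusted entry means the server believes whatever address that peer forwards, so keep the trusted list to the proxy itself rather than a broad wildcard, and make sure clients cannot reach the web server except through the proxy.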
 