Strange DDoS attack

Discussion in 'General' started by Markovic, Aug 14, 2009.

  1. Markovic

    Markovic New Member

    Hello,

    I'm having a strange DDoS attack launched against me. I was having a lot of attacks, but my lsws/csf/synd config always successfully blocked them.

    Here is the problem. Via SSH I'm seeing about 100 IPs connected to the server, each of them with at most 3 connections to the server (mostly only 1).

    My lsws conf:
    Static Requests/second: 10
    Dynamic Requests/second: 2
    Outbound Bandwidth (bytes/sec): 4k
    Inbound Bandwidth (bytes/sec): 1k
    Connection Soft Limit: 20
    Connection Hard Limit: 40
    Grace Period (sec): 100
    Banned Period (sec): 5000
    Max Connections: 1000
    Connection Timeout (secs): 15
    Max Keep-Alive Requests: 100
    Smart Keep-Alive: No
    Keep-Alive Timeout (secs): 5
    Send Buffer Size (bytes): 0
    Receive Buffer Size (bytes): 0

    CSF is configured to block each IP with more than 30 connections to the server, and synd (by nix101.com) is configured to block each IP with more than 10 SYN_RECV connections, but it fails to block the DDoS attack which I have been getting for the last 3 days.

    Most of the IP addresses are unregistered; I checked at ripe.net and it says IANA. Does that mean an IP is unregistered? How could I block all IANA IPs?

    Also, I'm not using mod_security at this time. Do I need to install mod_security and then add it into lsws (via the lsws admin panel), or does lsws already have mod_sec installed so I can just add it in the lsws admin panel? All my vHosts are in lsws (not httpd.conf). What mod_security config should I use to block all connections from blank user-agents? If not mod_sec, is there a way I can block them via htaccess?

    I hope I will get some help here; this attack is driving me crazy already.

    Thanks
  2. mistwang

    mistwang LiteSpeed Staff

    For this kind of attack, each IP will not hit the limit in order to be banned.
    You may have to do some access log analysis.
    Say, find and block the top 'n' IPs that access the same URL in the last 'n' minutes.
  3. Markovic

    Markovic New Member

    What about mod_security and blocking blank user agents?

    How can I use mod_security with lsws (without apache and httpd.conf)?
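    As an added example (not code from this thread, from LiteSpeed, or from CSF/synd), the access-log analysis mistwang suggests, plus the blank User-Agent count asked about above, run over a few constructed combined-format log lines. The log layout, the 10-minute window, the hit threshold and the sample IPs are all assumptions.

    ```python
    import re
    from collections import Counter, defaultdict
    from datetime import datetime, timedelta, timezone

    # Combined log format (assumed; LiteSpeed writes the same layout as Apache).
    LOG_RE = re.compile(
        r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
        r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
    )

    def parse_line(line):
        """Parse one access-log line; return None for lines that do not match."""
        m = LOG_RE.match(line)
        if not m:
            return None
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return rec

    def top_ips_per_url(lines, now, minutes, top_n):
        """{url: [(ip, hits), ...]} for requests in the last `minutes` before `now`."""
        cutoff = now - timedelta(minutes=minutes)
        per_url = defaultdict(Counter)
        for line in lines:
            rec = parse_line(line)
            if rec and rec["ts"] >= cutoff:
                per_url[rec["url"]][rec["ip"]] += 1
        return {url: c.most_common(top_n) for url, c in per_url.items()}

    def block_candidates(lines, now, minutes, min_hits):
        """IPs that hit any single URL at least `min_hits` times in the window."""
        return {ip for hits in top_ips_per_url(lines, now, minutes, None).values()
                for ip, n in hits if n >= min_hits}

    def blank_ua_ips(lines):
        """Hit count per IP for requests whose User-Agent is empty or '-'."""
        return Counter(r["ip"] for r in map(parse_line, lines)
                       if r and r["ua"] in ("", "-", None))

    # Constructed sample log (documentation-range IPs, not real attackers).
    SAMPLE_LOG = """\
    198.51.100.7 - - [14/Aug/2009:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" ""
    198.51.100.7 - - [14/Aug/2009:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" ""
    198.51.100.9 - - [14/Aug/2009:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" ""
    203.0.113.4 - - [14/Aug/2009:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
    203.0.113.4 - - [14/Aug/2009:09:30:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
    192.0.2.1 - - [14/Aug/2009:10:00:07 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
    """
    NOW = datetime(2009, 8, 14, 10, 1, 0, tzinfo=timezone.utc)

    if __name__ == "__main__":
        print(top_ips_per_url(SAMPLE_LOG.splitlines(), NOW, 10, 3))
        print("candidates:", block_candidates(SAMPLE_LOG.splitlines(), NOW, 10, 2))
        print("blank UA:", blank_ua_ips(SAMPLE_LOG.splitlines()))
    ```

    The IPs returned by `block_candidates` are what you would feed to the firewall (CSF deny list) after checking them by hand; the 09:30 line falls outside the window and is ignored.
    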
  4. Markovic

    Markovic New Member

    A friend of mine got an interesting idea and I would like to know if it is possible.
    If I put a password on /home/mysite/public_html, would the DDoS attack still affect it? Could someone confirm it?

    Thanks
  5. mistwang

    mistwang LiteSpeed Staff

    To stop a DDoS attack, you have to somehow identify the source of the attack and block them at the firewall.