How can I mitigate Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks?
LiteSpeed Web Server is capable of reducing and even eliminating the impact of HTTP-level DoS and DDoS
attacks. The following configurations will help against attacks:
1. Under the Configuration > Server > Tuning configurations:
2. Under the Configuration > Server > Security configurations:
Block IPs that abuse your web server by listing them in the Denied List in the Access Control table.
Use Connection Soft Limit, Grace Period, and Banned Period to spot and mitigate abusers. An IP address that stays over the soft limit for the length of the grace period will be banned for a time set in Banned Period. This is a good way to pick out IPs that should be put in the Denied List.
Use Connection Hard Limit to control how many concurrent connections are allowed from one IP address. If an IP reaches the hard connection limit, the web server will immediately close newly accepted connections from that IP address and move on to pending connections from different IP addresses. Nowadays, almost all web browsers support keep-alive (persistant) connections (multiple requests pipelined through one connection), so the number of connections required is very small. Essentially, one connection should be enough, but some web browsers try to establish additional connections to speed up downloading. Allowing 4 to 10 connections from one IP is recommended. Less than that will probably affect normal web services.
Set the Outbound Bandwidth limit. This will allow you to serve more unique clients and stop your limited network bandwidth from getting used up by a couple of clients with fast network connections.
3. If your server is flooded by hundreds of requests from different IPs but to the same URL, you can create a context (Configuration > Virtual Hosts > View/Edit > Context > Add > Type “Static”) to block access to that URL. Set Accesible to “No” and the context URI to match or include the URL being attacked. For example, if the server is pounded with requests for “/foo/bar.html”, then adding a context with Accesible set to “No” and the URI set to “/foo/bar.html” will block all those requests. You can also set the context URI to “/foo/” to block requests to all URLs that start with “/foo/”.