403s and bandwidth still being used

felosi

Well-Known Member
#1
As I stated in this thread - http://www.litespeedtech.com/support/forum/showpost.php?p=17132&postcount=31
I notice that when a site is being attacked and we have the user agent or whatever blocked at the server level via modsec or a rewrite in .htaccess, it still consumes lots of bandwidth and resources as if it were really getting the image.

Here is one example. These guys have been under attack for over a month now from a very determined idiot. We have blocked empty user agents, direct requests to images, etc., and all bots do get a 403, yet there is still a great deal of bandwidth and resource usage.

Here is an excerpt from access domlog:
Code:
71.143.241.113 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
94.5.111.17 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
77.85.189.228 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
92.20.16.32 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
71.143.241.113 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
121.45.36.227 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
79.177.68.68 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
85.228.186.140 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
89.243.44.198 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
190.30.142.230 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"

As you can see, all are being blocked with a 403. When I check the processes, this user is using all their lsphp processes at very high CPU usage. These are the only requests at that time - no legit users.

In the LiteSpeed admin it will show something like 1500 or so requests in processing, none coming through though. But the server load is fairly high and the lshttpd processes are running at high CPU as well.

Now here is the kicker: we have been blocking like this since we moved to this server. I have even been running my barf script to firewall the IPs making the requests. Here is the bandwidth usage since the first of the month:
strategy user.com 1034.79 Gig 1059622.61 M 1953.13 Gig

I suppose at times some successful requests were made before we got all the webserver blocking methods up, but I would guess that 99% of the time they all got 403s.

When someone gets a 403, does the user or server have to execute a PHP process to do so?

When getting the 403 error, about how much bandwidth is supposed to be used per time?

Please help me get this figured out. At the moment I had to put them on secureport, where there is a click-to-enter page at the router level. It has stopped it dead, but generally I want to be able to handle these types of attacks at the server level.
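The post asks how much bandwidth a 403 should cost and shows only a log excerpt to reason from. The script below is an added example (not from the post or from LiteSpeed) that parses the excerpt in the common/combined log format, tallies requests per status, per IP and per second, and estimates on-the-wire bytes. The only input is the ten log lines quoted above, embedded as sample data. The 483 in those lines is the logged response size, which in the Apache-style format (LiteSpeed uses the same layout) is the response body only; the request line, request headers and response headers are not logged. The `header_overhead` figure of 400 bytes per request used to account for them is an assumption, not a measurement.

```python
import re
from collections import Counter

# The ten lines below are copied from the access-log excerpt in the post above.
# They are the only input this example uses, so it runs offline.
SAMPLE_LOG = """\
71.143.241.113 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
94.5.111.17 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
77.85.189.228 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
92.20.16.32 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
71.143.241.113 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
121.45.36.227 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
79.177.68.68 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
85.228.186.140 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
89.243.44.198 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
190.30.142.230 - - [08/Oct/2009:14:50:04 -0700] "GET /images/parts/b01_rename.jpg HTTP/1.1" 403 483 "-" "-"
"""

# Combined log format. The size field is the response body in bytes; request
# line, request headers and response headers are not counted, which is why the
# logged number understates what actually crosses the wire.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body
    return rec


def summarize(log_text, header_overhead=400):
    """Aggregate a log excerpt.

    header_overhead is an ASSUMED per-request figure (bytes) covering the
    request line, request headers and response headers, none of which the
    log records. 400 is a rough estimate, not a measured value.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    body_bytes = sum(r["size"] for r in records)
    # Timestamps have one-second resolution, so grouping by the raw timestamp
    # gives requests per second.
    per_second = Counter(r["ts"] for r in records)
    return {
        "requests": len(records),
        "by_status": dict(Counter(r["status"] for r in records)),
        "body_bytes": body_bytes,
        "est_wire_bytes": body_bytes + header_overhead * len(records),
        "per_ip": dict(Counter(r["ip"] for r in records)),
        "peak_per_second": max(per_second.values(), default=0),
        "empty_ua": sum(1 for r in records if r["ua"] in ("", "-")),
    }


def repeat_offenders(summary, min_requests=2):
    """IPs that appear at least min_requests times in the excerpt."""
    return sorted(ip for ip, n in summary["per_ip"].items() if n >= min_requests)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['requests']} requests, status mix {s['by_status']}")
    print(f"logged body bytes: {s['body_bytes']}, estimated on the wire: {s['est_wire_bytes']}")
    print(f"peak requests/second: {s['peak_per_second']}, empty user-agent: {s['empty_ua']}")
    print("repeat offenders:", repeat_offenders(s))
```

Run against a full domlog rather than the excerpt, the per-second peak and the per-IP counts are the numbers worth comparing with the "1500 requests in processing" figure from the admin console, and the gap between `body_bytes` and `est_wire_bytes` is a reminder that a 403 is cheap per request only when the request rate is low; at thousands of requests per second the headers alone add up.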
 