Anti-DDoS Blocked IP

Discussion in 'Bug Reports' started by anything, Jun 7, 2011.

  1. anything

    anything Well-Known Member


    I've moved some of our webservers to litespeed but I've stumbled upon across two problems already.

    Ive got litespeed behind varnish reverse proxy that is updating the x-forwarded-for header
    litespeed is correctly extracting the x-forwarded-for IP, php reports it correctly
    except this doesnt seem to work when it comes to the ddos protection

    for some reason one of our websites is getting the errors:
    2011-06-07 22:58:38.996 [INFO] [] Status 400: Unexpected request body 330 bytes for request: /api!
    2011-06-07 22:58:39.025 [INFO] [] Status 400: Unexpected request body 329 bytes for request: /api!
    2011-06-07 22:58:39.093 [INFO] [] Status 400: Unexpected request body 326 bytes for request: /api!
    2011-06-07 22:58:39.162 [INFO] [] Status 400: Unexpected request body 330 bytes for request: /api!
    2011-06-07 22:58:39.231 [INFO] [] Status 400: Unexpected request body 330 bytes for request: /api!
    2011-06-07 22:58:39.302 [INFO] [] Status 400: Unexpected request body 329 bytes for request: /api!
    2011-06-07 22:58:39.371 [INFO] [] Status 400: Unexpected request body 329 bytes for request: /api!
    2011-06-07 22:58:39.441 [INFO] [] Status 400: Unexpected request body 326 bytes for request: /api!
    2011-06-07 22:58:39.535 [INFO] [] Status 400: Unexpected request body 327 bytes for request: /api!
    2011-06-07 22:58:39.606 [INFO] [] Status 400: Unexpected request body 330 bytes for request: /api!
    2011-06-07 22:58:39.739 [INFO] [] Status 400: Unexpected request body 329 bytes for request: /api!
    and immediately following I find that the reverse proxy's ip has been blocked instead.

    i've tried changing the client throttling settings. increased the max url and header sizes. added its ip to the access control list with T for trusted. but nothing seems to prevent the error.
    i cannot work out what is causing the error or why. not enough information is provided.

    even worse, is that because of the errors litespeed is assuming a dos attack, and is blocking it. but its blocking the wrong ip. it blocks the reverse proxy instead!
    ive had to bypass varnish specifically for this site, because nobody can get to the site as soon as it errors like this.

    naturally you cannot trust a dos attacker's x-forwarded-for header, so i can understand why the wrong ip might get blocked here
    im also uncomfortable trusting anyone but my own proxy's x-forwarded-for header. this is quite a security problem in my opinion.
    lsws needs to allow input of a list of ip's to trust to extract x-forwarded-for, and ignore it from any other ip.
    this will also mean you could also trust the x-forwarded-for ip for ddos blocking.
    Last edited: Jun 7, 2011
  2. mistwang

    mistwang LiteSpeed Staff

    You should get rid of varnish and use LiteSpeed cache instead, it works equally well if not much better than varnish.
    You cannot expect anti-DDoS to work when you have varnish running in front of LiteSpeed. The reason for blocking reverse proxy IP is that LSWS do not even able to parse the "X-Forwarded-For" header due to the nature of "400 bad request".

    It is not a bad idea to have a list of IP to trust "x-forwarded-for" header. we will do that. however, it wont help in your case.

    And with reverse proxy in front, it always forward the requests from botnet no matter LSWS recognize the correct botnet IP or not, it defeat the purpose of the anti-DDoS feature.
  3. anything

    anything Well-Known Member

    hi mistwang, thanks for your reply.

    I just do not have enough control over litespeed cache for my liking, it has about 5 tickbox options, whereas my varnish config is 900 lines long. to to be fair theres quite a few lines of comments there, but you get my point. im sure the caching feature is quite well suited for a less complex environment.

    If the headers arent corrupt will it extract the x-forwarded-for and block the correct IP? The client connection throttling features are nice, but im afraid of it blocking our proxies instead. Just in case i need to, how do i disable the anti-ddos feature?
    another suggestion, would be to never block ip's that are listed as trusted in the security access control

    I look forward to a feature to restrict the use of x-forwarded-for. thanks for that.

    by chance i just caught the problem by watching tcpdump. the client appears to be using a custom written php script to request the api that does:
    although apache was handing these bad requests fine it appears litespeed is more picky. in varnish ive been able to modify their requests as they came through the proxy and change them to a POST. but i also discovered i needed to change the content-type to application/x-www-form-urlencoded before litespeed would accept them

    so in the end it was a simple corrupt http request, just very difficult to find out what it actually was and why!
    Last edited: Jun 7, 2011
  4. mistwang

    mistwang LiteSpeed Staff

  5. kuffs

    kuffs New Member

    [solved] LiteSpeed blocking the load balancer

    I am also having a similar problem. I am using a proxying load-balancer to balance between two hosts. Some script must be navigating the site with a slightly out-of-spec query

    HOST 1
    2011-07-25 13:58:06.992	INFO	[LOAD_BALANCER_IP:47164-0] Status 400: Bad HTTP protocol string: /?type=l
    2011-07-25 13:58:06.992	NOTICE	[LOAD_BALANCER_IP:47164-0] too many bad requests, block.
    2011-07-25 13:58:06.992	NOTICE	[LOAD_BALANCER_IP] bot detected, close connection!
    HOST 2
    2011-07-25 13:43:58.187	INFO	[LOAD_BALANCER_IP:1293-0] Status 400: Bad request method: 00
    2011-07-25 13:43:58.187	NOTICE	[LOAD_BALANCER_IP:1293-0] too many bad requests, block.
    2011-07-25 13:43:58.187	NOTICE	[LOAD_BALANCER_IP] bot detected, close connection!
    This ends up being a quite effective DoS attack when LiteSpeed ends up blocking the load balancer on both hosts.

    I've already added the load balancer to the trusted IPs at the server level on both hosts.

    (IP addresses sanitized for privacy)

    But it doesn't seem to work. Both hosts will eventually end up getting blocked and that results in a 500 at the site level.

    I've tried setting the ban period to 0 seconds, but it gets flagged as an invalid value and instead runs at 60. I've also tried raising the grace period to an hour and it doesn't seem to have an effect. I've also tried raising the security limits on connections to a million without effect.

    I realize that DDoS protection is one of the main features of your product but it is honestly not one I need. Not only because that feature ends up causing a DoS itself, but because I have other protections in place. Please advise me how to effectively disable the DDoS protection for that host.

    Last edited by a moderator: Jul 27, 2011
  6. webizen

    webizen Well-Known Member

    Latest 4.1.2 add a safeguard to prevent Load Balancer IP from being blocked if its IP is already in trusted list.

    To disable DDoS protection, set 0 for static requests/sec, dynamic request/sec, outbound bw, inbound bw in Per Client Throttling.
  7. kuffs

    kuffs New Member

    Thank you webizen. I had forgotten to mention that we're running 4.1.1-ent. I'll give the upgrade a shot and see how it goes.

    Thanks again :)
  8. anything

    anything Well-Known Member

    is there a more complete 4.1.2 changelog somewhere? would have been nice to know of these changes
  9. IrPr

    IrPr Well-Known Member

    where is the trusted list?
  10. kuffs

    kuffs New Member

    Configuration -> Server -> Security

    Down at the bottom there is field for Access List. Add your trusted IPs or wildcards with a 'T' appended to them, as described in the help text.

    webizen, thanks again for your help. Looks like 4.1.2 fixed our issues with trusted hosts being blocked anyway.
  11. webizen

    webizen Well-Known Member

    Kuffs, thanks for the confirmation.

Share This Page