DDoS Question

Discussion in 'General' started by -KaaL-, Jun 25, 2009.

  1. -KaaL-

    -KaaL- Active Member


    I am planning to buy LiteSpeed Enterprise for my server.
    But i would just like to make sure it would be worth the price.

    I am currently using the Trial Version ..
    Linux CentOS 32bit with DA

    I just want to get the right setting..
    I have followed most of the threads.. including http://www.litespeedtech.com/how-tos.html#qa_dos

    But just didnt know how to mitigate attacks from different IPs.

    I read the last point there about General Context. But i didnt understand that part..

    I have posted an image of a log of an attack i experience..


    Thank you,
    Last edited: Jun 30, 2009
  2. mistwang

    mistwang LiteSpeed Staff

    Just limit the number of connections from each IP, LSWS will block IP that abuse the server automatically, no need to do anything extra unless you are hitting by a botnet with hundreds or thousands zombies.
  3. -KaaL-

    -KaaL- Active Member

    I havent posted the whole log.
    Its well over UNIQUE 500 bots.
    And this log has some consecutive IPs
    I expect attacks with all unique IPs like a pack of 500 attacking one after the other..
  4. mistwang

    mistwang LiteSpeed Staff

    It does not matter, as long as the bot acts aggressively like the status page you posted, all of them will be blocked in short time once hit the connection limits.
  5. -KaaL-

    -KaaL- Active Member

    Static Requests/second - 25
    Dynamic Requests/second - 10
    Outbound Bandwidth (bytes/sec) - 0
    Inbound Bandwidth (bytes/sec) - 0
    Connection Soft Limit - 400
    Connection Hard Limit - 500
    Grace Period (sec) - 15
    Banned Period (sec) - 300

    Max Connections : 500
    Connection Timeout (secs) : 60
    Max Keep-Alive Requests : 90
    Smart Keep-Alive : Yes
    Keep-Alive Timeout (secs) : 3

    Are these settings fine ?
  6. anewday

    anewday Moderator

    How often do you get hit with a ddos? Your settings are not aggressive. Start with these:

    Static Requests/second - 10
    Dynamic Requests/second - 2
    Outbound Bandwidth (bytes/sec) - 0
    Inbound Bandwidth (bytes/sec) - 0
    Connection Soft Limit - 20
    Connection Hard Limit - 30
    Grace Period (sec) - 30
    Banned Period (sec) - 3600

    Max Connections : 900
    Connection Timeout (secs) : 15
    Max Keep-Alive Requests : 90
    Smart Keep-Alive : Yes
    Keep-Alive Timeout (secs) : 3
    Last edited: Jun 25, 2009
  7. -KaaL-

    -KaaL- Active Member

    DDoS attacks are very frequent.
    Got a lot of haters lol..

    Ok I have changed to those settings.
    Any other settings that would be required ?
    Last edited: Jun 25, 2009
  8. anewday

    anewday Moderator

    I adjusted the settings above again, should be able to mitigate very powerful attacks. :D Keep us posted on how it goes.
  9. -KaaL-

    -KaaL- Active Member

    well... some scripts that use AJAX wont load fast..
    can you put some exclusion rules to some scripts for a particular domain or something..
  10. felosi

    felosi Well-Known Member

    Well what you have here is a classic get attack. I suppose the site is a php/mysql site? The goal of such attack is resource exhaustion, they can be difficult to mitigate but it can be done.

    What I first recommend is csf firewall with connection tracking features on, you wanna make a ct_limit of about 25-60 depending on how many connections most legit users make. Then make the ban permanent - ct_perm to 1. Then turn on the mod_security failure blocking.

    After you configure all that then include a good mod_security ruleset like the one from gotroot.com. I actually just made an article on my blog with a trimmed down ruleset - http://nix101.com/2009/06/25/light-mod_security-ruleset/
    This will block bad and empty user agents.

    Then set your litespeed settings as suggested above. I usually keep the connection limits to 5 soft, 15 hard. And even lower if needed but be careful legit users may start getting banned. It also has a lot to do with the sites as well. If they have a lot of images and other things to load it will have more requests per second as well as connections. Optimizing your site will help as well.

    Then if all else fails, tail your access_log and see if you see a pattern with the user_agent like if they are all using the same user_agent. Get that and google it to see if it is a legit one, if not then just edit one of the mod_security rules for user_agents and put that one in there. Or use iptables string match to get it.

    Then if all else fails try a click to enter page, a simple html page with enter link, If the attacker modifies their attack to go directly to index.php or whatever then you will be fighting a losing war and it is time to think about getting some ddos protection somewhere that has one of the click or captcha pages at the router.

    Hope all this helps, good luck
  11. anewday

    anewday Moderator

    Just a word of caution...the user agent can easily be spoofed, many botnets do this.
  12. grniyce

    grniyce Well-Known Member

    Sasha, good mod_security rules will help with a large percentage of what you are getting hit with, and reduce the load on your server quite a bit. Due to the size of the forums you're running you'd be better with:

    Static req/sec: 15
    Dynamic req/sec: 5
  13. -KaaL-

    -KaaL- Active Member

    Thank you all for your responses. Ty Ant.

    I have installed ClamAV and ModClamAV on my DA

    Also installed Mod Security2 and have put the rules as given by Ant on the other thread.


    When i restart httpd i get this error...
    LiteSpeed Administrator i get these in Error Log..

    2009-06-30 00:16:25.543	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: XML:/*
    2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_BODY
    2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_PROTOCOL
    2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_HEADERS:Content-Encoding
    2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: GLOBAL:alerted_960903_compression
    2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_PROTOCOL
    2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_STATUS
    2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: WEBSERVER_ERROR_LOG
    2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: Transfer-Encoding)/'
    2009-06-30 00:16:25.546	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQBODY_PROCESSOR_ERROR
    2009-06-30 00:16:25.546	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_URI_RAW
    Last edited: Jun 30, 2009
  14. grniyce

    grniyce Well-Known Member

    I get some of the same errors, and I asked about them in an email to LS Support, and they responded that they don't mean anything, because if you wait a few minutes and refresh the page the errors are all gone. They are mod_security alerts, so technically you could go through the mod_security log and find out what it triggering it, but I never have and everything works fine.
    Last edited: Jun 30, 2009
  15. grniyce

    grniyce Well-Known Member

    Another good tool to install and configure is MailScanner. You can protect yourself from the HTML:Iframe injections, and it works perfectly with ClamAV. Just configure everything, start it, and it scans incoming and outgoing mail for spam to protect your server from rogue spam scripts, as well as from people trying to use your server as a mail bomber / spammer / etc.


    Make sure you have all the php.ini disable_functions set in the default /usr/local/lib/php.ini
    Make sure you have safe mode cgi so cgi scripts CANNOT override the default php.ini permissions (as that is what the latest crackers are using to root boxes).

    I have SuPHP, Suhosin, Safe Mode, Safe CGI Mode, mod_perl, mod_security, mod_bandwidth, and when setting up packages choose for users to NOT have cgi access unless you know that person and can trust them. It's what puts you at risk for more sql injections and so forth.

    I learned the hard way. Then once all that is recompiled, build matching php in LSWS.
    Last edited: Jun 30, 2009
  16. anewday

    anewday Moderator

    How to do this?
  17. grniyce

    grniyce Well-Known Member

    I don't give anyone CGI access unless they request it for special reasons.

    Note: A common misbelief is that VPS already have CGI safe-moded, but in reality it depends upon the actual setup they have. Most can be circumvented and end up rooting the entire box, hence wiping out your VPS and the rest of the raid storage; thus putting you at financial responsibility for the damage caused if it happens. You can Google 'safe mode cgi' and see the supply of workarounds.

    Now as far as the protection part, well I can only offer enough knowledge to show what I did, and I use WHM/cPanel. So here are my steps I took, which I assume should exist in other Admin Panels.

    Click Basic cPanel/WHM Setup and scroll to the CGI Access option and put a n there instead of a y.


    Now whenever you create any new packages the CGI Access option will be unselected automatically; however, if you have already created some packages, you should edit each package and unselect CGI Access.


    Now when I built Apache I chose these options by doing the exhaustive list of options and selecting all of the below. You will see the option for Safe PHP CGI.


    I have also attached my default build to this post, as you can use that too, but be prepared to make some Suhosin edits in the php.ini if you run certain content. Usually just having this pasted at the bottom of the php.ini once everything is built will solve any issues associated with running Suhosin in environments such as bulletin boards.

    suhosin.post.max_vars = 2048
    suhosin.request.max_vars = 10000
    suhosin.cookie.encrypt = Off
    suhosin.session.encrypt = Off
    suhosin.log.sapi = 511
    suhosin.get.max_value_length = 1024extension="ixed.5.2.lin"

    Attached Files:

    Last edited: Jul 1, 2009
  18. grniyce

    grniyce Well-Known Member

    Sasha a few other things you should do are these:

    In your /usr/local/lib/php.ini put these where it says disable_functions:

    disable_functions = "fpassthru, crack_check, crack_closedict, crack_getlastmessage, crack_opendict, psockopen, php_ini_scanned_files, hell-exec, system, dl, ctrl_dir, phpini, tmp, safe_mode, systemroot, server_software, get_current_user, HTTP_HOST, php_uname, ini_restore, popen, pclose, exec, shell_exec, suExec, passthru, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_setegid, posix_seteuid, posix_setgid, posix_times, posix_ttyname, posix_uname, posix_access, posix_get_last_error, posix_mknod, posix_strerror, posix_initgroups, posix_setsidposix_setuid, show_source, apache_setenv, define_syslog_variables, eval, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, inject_code, openlog, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, syslog, xmlrpc_entity_decode, ini_set"
    now in /etc/my.cnf (this is just mine, which is on a dual Xeon 3.0ghz 4gb ram) Raghav or whomever may need to tweak yours for your specific hardware, but even applying this if you have nothing in your my.cnf will help reduce load averages and (d)dos effects

    local-infile = 0
    max_connections = 800
    key_buffer = 64M
    myisam_sort_buffer_size = 64M
    join_buffer_size = 1M
    read_buffer_size = 2M
    sort_buffer_size = 2M
    read_rnd_buffer_size = 2M
    table_cache = 1024
    record_buffer = 1M
    thread_cache_size = 128
    wait_timeout = 30
    connect_timeout = 10
    interactive_timeout = 10
    tmp_table_size = 64M
    max_heap_table_size = 64M
    max_allowed_packet = 16M
    max_connect_errors = 10
    query_cache_limit = 1M
    query_cache_size = 64M
    query_cache_type = 1
    thread_concurrency = 4
    default-storage-engine = MyISAM
    open_files_limit = 8192
    max_allowed_packet = 100M
    key_buffer = 64M
    sort_buffer = 64M
    read_buffer = 16M
    write_buffer = 16M
    Also, in LSWS Admin / Configuration change the Keep Alive requests to like 100 and make the timeout 3 seconds.

    As for CSF, after many many attempts to get the configuration set appropriately I found these settings work the best:

    Config Server CSF Settings Word Document
    Last edited: Jul 1, 2009
  19. Cyber-DL

    Cyber-DL Active Member

    wow KaaL , amazing log , i'm using DA , how can i access this log for my server ?!
  20. -KaaL-

    -KaaL- Active Member

Share This Page