Discussion in 'General' started by QuantumNet, Jun 30, 2010.

  1. QuantumNet

    QuantumNet New Member

    One of the things I noticed in the attack yesterday was that they used hundreds of IP addresses to all attack the same URL.

    If I blocked the URL they just changed the botnet to target a different URL.

    CSF Firewall and LiteSpeed Anti-DoS were not picking this up because of so many different IP addresses.

    But what I noticed is that the same IP address would come around and tag it again at, say, 5-minute intervals.

    I wonder, would there be a way to detect this type of attack, since the same IP keeps hitting the same URL within a specific amount of time, without creating false positives for things like RSS feed readers?

    Would this be something LiteSpeed could defend against?
  2. QuantumNet

    QuantumNet New Member

    During Apache Bench, here is top:

  3. QuantumNet

    QuantumNet New Member

    And here is mytop
  4. mistwang

    mistwang LiteSpeed Staff

    Looks like a MySQL performance issue, as it is using 99% CPU; it is not something related to LSWS at all. A few tips to troubleshoot this: check

    mysqladmin processlist
    mysqladmin extended-status

    Find out which SQL takes a long time, and add a proper table index if needed.

    Our advanced anti-DDoS setup (paid service) can utilize Fail2ban to block attacking IPs automatically based on LiteSpeed error log files. You can do it yourself.
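
One way to detect the pattern asked about in this thread (many IPs, each revisiting the same URL every few minutes), as an added example that is not part of the original posts and not LiteSpeed, CSF or Fail2ban code. It assumes a combined-style access log; the thresholds, the feed path prefixes and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed combined-log-style access line; adjust the pattern to the server's real format.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
WINDOW = timedelta(minutes=30)     # assumed look-back, long enough to see 5-minute revisits
MIN_REPEATS = 3                    # assumed: hits by one IP on one URL inside WINDOW
MIN_REPEAT_IPS = 3                 # assumed: distinct repeating IPs before a URL is flagged
FEED_PREFIXES = ("/feed", "/rss")  # assumed paths that legitimate feed readers poll

def parse(line):
    """Return (ip, timestamp, path without query string), or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path.split("?")[0]

def repeat_offenders(lines):
    """Return {url: sorted IPs} for URLs that many distinct IPs keep revisiting."""
    hits = defaultdict(list)  # (url, ip) -> timestamps
    for ip, ts, path in filter(None, map(parse, lines)):
        if not path.startswith(FEED_PREFIXES):  # skip feed polling to limit false positives
            hits[(path, ip)].append(ts)
    repeaters = defaultdict(set)
    for (path, ip), stamps in hits.items():
        stamps.sort()
        # Sliding window: MIN_REPEATS consecutive hits that fit inside WINDOW.
        for i in range(len(stamps) - MIN_REPEATS + 1):
            if stamps[i + MIN_REPEATS - 1] - stamps[i] <= WINDOW:
                repeaters[path].add(ip)
                break
    # A single repeating IP is not enough; the signal is many IPs repeating on one URL.
    return {u: sorted(ips) for u, ips in repeaters.items() if len(ips) >= MIN_REPEAT_IPS}

def sample_log():
    """Constructed sample: 4 bots on /search.php, one feed reader, one normal visitor."""
    fmt = '{} - - [30/Jun/2010:10:{:02d}:00 +0000] "GET {} HTTP/1.1" 200 512'
    out = []
    for minute in (0, 5, 10, 15):
        out += [fmt.format(f"203.0.113.{n}", minute, "/search.php?q=a") for n in range(1, 5)]
        out.append(fmt.format("198.51.100.7", minute, "/feed/"))
    out.append(fmt.format("192.0.2.10", 3, "/search.php?q=shoes"))
    return out

if __name__ == "__main__":
    for url, ips in repeat_offenders(sample_log()).items():
        print(url, ips)
```

The returned IP lists can be fed to whatever blocking mechanism is in use; keying on the URL rather than on per-IP request rate is what lets slow, distributed revisits show up.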

