DDoS Question

Discussion in 'General' started by QuantumNet, Jun 30, 2010.

  1. QuantumNet

    QuantumNet Well-Known Member

    One of the things I noticed in the attack yesterday was that they used hundreds of IP addresses to all attack the same URL.

    If I blocked the URL they just changed the botnet to target a different URL.

    CSF Firewall and LiteSpeed Anti-DoS were not picking this up because of so many different IP addresses.


    But what I noticed is that the same IP address would come around and tag it again at, say, 5-minute intervals.

    I wonder, would there be a way to detect this type of attack, since the same IP keeps hitting the same URL within a specific amount of time, without creating false positives for, say, things like RSS feed readers?

    Would this be something LiteSpeed could defend against?
     
  2. QuantumNet

    QuantumNet Well-Known Member

    During apache bench here is top:

     
  3. QuantumNet

    QuantumNet Well-Known Member

    And here is mytop
     
  4. mistwang

    mistwang LiteSpeed Staff

    Looks like a MySQL performance issue, as it is using 99% CPU; it is not something related to LSWS at all. A few tips to troubleshoot this are to check

    mysqladmin processlist
    mysqladmin extend-status

    Find out which SQL takes a long time, and add a proper table index if needed.

    Our advanced anti-DDoS setup (paid service) can utilize Fail2ban to block attacking IPs automatically based on LiteSpeed error log files. You can do it yourself.
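
The pattern asked about in the first post (many IPs, each returning to the same URL every few minutes, with feed readers excluded) can be detected offline from an access log. The following is an added example, not code from the thread or from LiteSpeed; it assumes an Apache "combined" style log line, and the feed path prefixes, thresholds and sample addresses are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Apache "combined" access-log format; adapt LOG_RE to your server.
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+')
FEED_PREFIXES = ("/feed", "/rss")  # hypothetical paths where periodic polling is normal

def repeats_in_window(times, min_repeats, window):
    """True if any min_repeats consecutive hits fall inside one window."""
    times = sorted(times)
    return any(times[i + min_repeats - 1] - times[i] <= window
               for i in range(len(times) - min_repeats + 1))

def find_targeted_urls(lines, min_ips=3, min_repeats=3, window=timedelta(minutes=15)):
    """Return {url: [ips]} for URLs that at least min_ips distinct clients
    each requested min_repeats times within the window."""
    hits = defaultdict(lambda: defaultdict(list))  # url -> ip -> [timestamps]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ip, ts, url = m.groups()
        if url.startswith(FEED_PREFIXES):
            continue  # feed readers poll on a schedule by design
        hits[url][ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for url, by_ip in hits.items():
        repeaters = sorted(ip for ip, t in by_ip.items()
                           if repeats_in_window(t, min_repeats, window))
        if len(repeaters) >= min_ips:
            flagged[url] = repeaters
    return flagged

def sample_log():
    """Constructed sample: 4 clients re-request one URL every 5 minutes,
    one feed reader polls /feed/, one visitor loads /about once."""
    fmt = '{} - - [30/Jun/2010:10:{:02d}:00 +0000] "GET {} HTTP/1.1" 200 512'
    lines = [fmt.format(f"198.51.100.{n}", m, "/index.php?id=7")
             for n in range(1, 5) for m in (0, 5, 10)]
    lines += [fmt.format("203.0.113.9", m, "/feed/") for m in (0, 5, 10, 15)]
    lines.append(fmt.format("192.0.2.50", 3, "/about"))
    return lines

if __name__ == "__main__":
    for url, ips in find_targeted_urls(sample_log()).items():
        print(url, ips)
```

The flagged IP list per URL is what a blocking tool such as Fail2ban or CSF would then act on; tune `min_ips`, `min_repeats` and `window` against normal traffic before banning anything.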
     
