For the life of me, I can't find the destination url mentioned on the stats page.

Discussion in 'Feedback/Feature Requests' started by brettdavidsonnz, Nov 23, 2007.

  1. brettdavidsonnz

    brettdavidsonnz Active Member

    It's very useful to know what url is being hit when a ddos (or almost any other issue) occurs.

    Am I missing something really obvious here or do I have to trawl through the vhost's access log?

  2. mistwang

    mistwang LiteSpeed Staff

    Yes, you need to go through the access log for the URL.
  3. brettdavidsonnz

    brettdavidsonnz Active Member


    That counts Litespeed out for me then.

    Service-status with the apache extended-status option enabled allows us to see the url requested - invaluable in trying to determine where possible faults might lie.

    Is this ability going to be in Litespeed anytime soon?
  4. xing

    xing LiteSpeed Staff

    LiteSpeed uses a more aggressive and more efficient way of handling dos attacks. When the IP source hits defined throttle ceilings, the request is stopped at earliest possible detection stage.. When an IP hits throttle, LiteSpeed doesn't waste any resources parsing that request's HTTP header/payload.

    This is the reason why LiteSpeed does not log request destination of clients that are over the throttle limit.

    Imagine a case of 100 simultaneous 1MB HTTP POST attack by a single DoS source. Why bother even parsing any part of the request. If it's over the connection/bandwidth limit, just deny the request.

    Apache gave you the http destination because it just wasted resources parsing a payload that's already a security risk to begin with.
  5. mistwang

    mistwang LiteSpeed Staff

    LiteSpeed mainly deal with DDoS attack automatically based on various throttling limit. No manual check needed under attack. The IPs hitting the limit has been logged in error.log .

    Next release, we will add an option to block bad IPs with firewalls automatically, so the bots not even able to reach the web server port any more.

    We plan to add content based DDoS detection in our advanced Anti-DDoS product, our current anti-DDoS feature is already the most powerful solution implemented inside a web server.
  6. ts77

    ts77 Well-Known Member

    mistwang, while you are at it: how about something like a sliding window? e.g. having 10 requests in 10 seconds or something. I wouldn't want to block someone with more than one request per second as this can happen but if it happens for more than a couple of seconds ... :).
    also I'd like to configure exceptions for the limits e.g. for benchmarks or special ip-ranges (I don't want to stop the google crawler from indexing ... ;)).

    yes, currently I'm doing all this in the php-scripts accessed but would be nice to have it in the webserver itself.
  7. mistwang

    mistwang LiteSpeed Staff

    Request rate limit only slow it down, will not result in being blocked.
    Only when number of connections reach the limit, it will be banned.
    Adding IP/subnet to trusted IP list at server level access control will bypass all per IP throttling.

    So, current litespeed can do pretty much what you need now.
  8. ts77

    ts77 Well-Known Member

    I know, thats really going offtopic now but I just want to continue that.
    Where's the "Trusted IP list"? Do you mean the allowed list in access control?
    Edit: oh, found the explanation in the docs for allowed list in access control
    Also how would I implement my above requirement with raw lsws?
    I want to limit requests to dynamic content to ~20 requests per 10 seconds - mainly for kicking agressive offline-browsing tools.
    Static content can be downloaded with as many requests as wanted (don't have large static content, just some icons/images).
  9. mistwang

    mistwang LiteSpeed Staff

    Just set "Dynamic request per second" to 2, and set "Static rquest per second" to "100". It only slow the client down, will not ban a client because of requesting more than 2 pages of dynamic content at the same time.
  10. ts77

    ts77 Well-Known Member

    yeah but I want them to be blocked if they reach the limit, not just slowed down ;).
  11. mistwang

    mistwang LiteSpeed Staff

    If they consistently doing that, their connection limit will reach, then banned.
  12. anewday

    anewday Moderator

    Seems both aren't in the new versions, have they been dropped from the list?

Share This Page