lslb - http flood - ddos protection

[Clockwork]

Hi,

it seems lslb is somewhat different than lsws in flood handling:

["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"
["default"] 123.123.123.123 - - [06/Oct/2009:10:02:39 +0200] "GET /images/logo.gif HTTP/1.1" 503 401 "-" "-"

it comes from different IP's, I've just changed those to 123.123.123.123.

lslb just passes this attack to the backend servers, is there any way to configure lslb to detect and block attacks like this?

I've already set "Per Client Dyn Reqs/sec" to 2 in the virtual hosts tab, but this doesn't seem to affect static files.

 

[mistwang]

For LB, all the requests are dynamic as it needs to forward the request to backend server.

You need to set "Connection Soft Limit" "Connection Hard Limit" to block aggressive IP .

 

[soyturk]

that's true. thank you mistwang.