Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
litespeed_wiki:config:mitigating-ddos-attacks [2019/01/10 15:51] Jackson Zhang [Virtual Host-Level Bandwidth Throttling] |
litespeed_wiki:config:mitigating-ddos-attacks [2019/05/14 20:26] Jackson Zhang [Check concurrent connections] |
||
|---|---|---|---|
| Line 121: | Line 121: | ||
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
| + | ==== Check concurrent connections ==== | ||
| + | To check the number of concurrent TCP connections, run the following command: | ||
| + | netstat -an | grep 80 | grep ESTA | wc | ||
| + | |||
| + | To check concurrent connections sorted by IP, run the following: | ||
| + | netstat -ntu | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | ||
| + | | ||
| + | Please keep in mind that ''netstat -ntu'' will list TCP in TIME_WAIT state, which will inflate the number. For the correct concurrent TCP connections counting method, you should only count TCPs in ''ESTABLISHED'' state. Hence ''grep ESTA'' or ''grep ESTABLISHED'' will be required. | ||
| + | |||
| + | ==== Analysis of IPs from attacked ==== | ||
| + | If you don't necessarily count concurrent connections, just want to analyze which IPs might be attacker, you can check time_waits connection as well. You can run the command without ''grep ESTABLISHED'': | ||
| + | netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | ||
| + | |||
| + | An attacker could make a connection, send requests to expensive URL, wait a little while, then close connection, if server does not abort the process, the backend will be used up soon and keep serving request that has been abandoned. The above command will be useful during the situation. | ||
| ==== Check the Banned IP and Reason ==== | ==== Check the Banned IP and Reason ==== | ||
| If an IP has been banned, but you don't know why, you can check it with SSH. Here is an example of a connection that was banned because it reached the hard limit. | If an IP has been banned, but you don't know why, you can check it with SSH. Here is an example of a connection that was banned because it reached the hard limit. | ||
| Line 169: | Line 183: | ||
| === Set Trusted IP on Virtual Host Level === | === Set Trusted IP on Virtual Host Level === | ||
| - | Since LSWS 5.4RC1, LSWS added virtual host trusted IP support, where you use "Trusted 1.2.3.4, 5.6.7.8" in Virtual Host document root .htaccess to unblock blocked IP and make that IP trusted for that vhost. | + | Since LSWS 5.4RC1, LSWS added virtual host trusted IP support, where you use ''Trusted 1.2.3.4, 5.6.7.8'' in Virtual Host document root .htaccess to unblock blocked IP and make that IP trusted for that vhost. |
| ==== Drop or Deny ==== | ==== Drop or Deny ==== | ||
| What if ModSecurity does a drop (TCP FIN) rather than deny for a trusted IP? The trusted list only has an effect on the "drop" action, but not on the "deny" action. A trusted IP won't be added to blacklist, but trust status has no effect on other actions. | What if ModSecurity does a drop (TCP FIN) rather than deny for a trusted IP? The trusted list only has an effect on the "drop" action, but not on the "deny" action. A trusted IP won't be added to blacklist, but trust status has no effect on other actions. | ||