Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revision Both sides next revision
litespeed_wiki:config:mitigating-ddos-attacks [2019/05/14 20:26]
Jackson Zhang [Check concurrent connections]
litespeed_wiki:config:mitigating-ddos-attacks [2019/06/05 13:42]
Jackson Zhang [Mitigating DoS and DDoS Attacks]
Line 3: Line 3:
 LiteSpeed Web Server provides several features aimed at reducing and even eliminating the impact of HTTP-level Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. You can either use LSWS built-in features or third party ModSecurity rules such as Owasp, Atomicorp, Comodo and CloudLinux Imunify360. The following LSWS built-in configuration settings will help mitigate such attacks. LiteSpeed Web Server provides several features aimed at reducing and even eliminating the impact of HTTP-level Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. You can either use LSWS built-in features or third party ModSecurity rules such as Owasp, Atomicorp, Comodo and CloudLinux Imunify360. The following LSWS built-in configuration settings will help mitigate such attacks.
  
 +===== Enable reCAPTCHA feature =====
 +One of the most effective methods to mitigate Dos and DDoS attacks is to enable reCAPTCHA feature. reCAPTCHA is a free service from Google that helps protect websites from spam and abuse. A “CAPTCHA” is a turing test to tell human and bots apart. It is easy for humans to solve, but hard for “bots” and other malicious software to figure out. reCAPTCHA feature has been supported from LSWS 5.4RC1 and the above. Please follow [[litespeed_wiki:​config:​recaptcha|this wiki]] to enable it.
 ===== Enable LiteSpeed Cache ===== ===== Enable LiteSpeed Cache =====
 Enabling LiteSpeed Cache will increase the server'​s capacity to handle heavy traffic. Enabling LiteSpeed Cache will increase the server'​s capacity to handle heavy traffic.
Line 130: Line 132:
 Please keep in mind that ''​netstat -ntu''​ will list TCP in TIME_WAIT state, which will inflate the number. For the correct concurrent TCP connections counting method, you should only count TCPs in ''​ESTABLISHED''​ state. Hence ''​grep ESTA''​ or ''​grep ESTABLISHED''​ will be required. Please keep in mind that ''​netstat -ntu''​ will list TCP in TIME_WAIT state, which will inflate the number. For the correct concurrent TCP connections counting method, you should only count TCPs in ''​ESTABLISHED''​ state. Hence ''​grep ESTA''​ or ''​grep ESTABLISHED''​ will be required.
  
-==== Analysis of IPs from attacked ​====  +==== Analysis of IPs from Attacker ​==== 
-If you don't necessarily count concurrent connections,​ just want to analyze which IPs might be attacker, you can check time_waits connection as well. You can run the command without ''​grep ESTABLISHED'':​ +
-   ​netstat -ntu | awk '​{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr+
  
-An attacker could make a connection, send requests to expensive URL, wait a little while, then close connection, if server does not abort the process, the backend will be used up soon and keep serving ​request ​that has been abandoned. The above command will be useful during ​the situation. ​+Bad IP's can make quick connections,​ and you end up with many ''​time_waits''​ which you won't see when just looking at established. 
 + 
 +If you don't necessarily count concurrent connections,​ and just want to analyze which IPs might be attackers, you can include ''​time_waits''​ connections. Run the command without ''​grep ESTABLISHED'',​ which gives you the ability to see what IP's just connected and dropped and may need to be blocked: 
 + 
 +   ​netstat -ntu | awk '​{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | awk '$1 >= 5 {print $0}' 
 + 
 +An attacker could make a connection, send requests to an expensive URL, wait a little while, ​and then close the connection. If the server does not abort the process, the backend will be used up soon, as it will keep serving ​requests ​that have been abandoned. The above command will be useful during ​such a situation. ​
 ==== Check the Banned IP and Reason ==== ==== Check the Banned IP and Reason ====
 If an IP has been banned, but you don't know why, you can check it with SSH. Here is an example of a connection that was banned because it reached the hard limit. If an IP has been banned, but you don't know why, you can check it with SSH. Here is an example of a connection that was banned because it reached the hard limit.
  • Admin
  • Last modified: 2019/06/13 16:21
  • by Lisa Clarke