How can I mitigate Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks?

LiteSpeed Web Server is capable of reducing and even eliminating the impact of HTTP-level DoS and DDoS attacks. The following configurations will help against attacks:

1. Under the Configuration > Server > Tuning configurations:

  • Try to set Max Request URL Length, Max Request Header Size, Max Request Body Size, Max Dynamic Response Header Size, and Max Dynamic Response Body Size to values just above what you need to run your sites. Trimming these settings down will help identify attackers and reduce the amount of memory used when you do get attacked.
  • Set Connection Timeout to around 30 seconds and Keep-Alive Timeout to around 15 seconds or less. This will help close dead connections as soon as possible and make connections available to other clients.

2. Under the Configuration > Server > Security configurations:

  • Block IPs that abuse your web server by listing them in the Denied List in the Access Control table.
  • Use Connection Soft Limit, Grace Period, and Banned Period to spot and mitigate abusers. An IP address that stays over the soft limit for the length of the grace period will be banned for a time set in Banned Period. This is a good way to pick out IPs that should be put in the Denied List.
  • Use Connection Hard Limit to control how many concurrent connections are allowed from one IP address. If an IP reaches the hard connection limit, the web server will immediately close newly accepted connections from that IP address and move on to pending connections from different IP addresses. Nowadays, almost all web browsers support keep-alive (persistent) connections (multiple requests sent over one connection), so the number of connections required is very small. Essentially, one connection should be enough, but some web browsers try to establish additional connections to speed up downloading. Allowing 4 to 10 connections from one IP is recommended. Less than that will probably affect normal web services.
  • Set the Outbound Bandwidth limit. This will allow you to serve more unique clients and stop your limited network bandwidth from getting used up by a couple of clients with fast network connections.

3. If your server is flooded by hundreds of requests from different IPs but to the same URL, you can create a context (Configuration > Virtual Hosts > View/Edit > Context > Add > Type “Static”) to block access to that URL. Set Accessible to “No” and the context URI to match or include the URL being attacked. For example, if the server is pounded with requests for “/foo/bar.html”, then adding a context with Accessible set to “No” and the URI set to “/foo/bar.html” will block all those requests. You can also set the context URI to “/foo/” to block requests to all URLs that start with “/foo/”.
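A small model of the Connection Soft Limit, Grace Period, Connection Hard Limit and Banned Period behaviour from step 2, run over constructed connection samples, showing which IPs would end up as candidates for the Denied List. This is an added example, not LiteSpeed's own code: it approximates the policy as described above rather than the server's implementation, and the limit values and IP addresses are assumed.

```python
from collections import defaultdict

# Limits in the spirit of the settings above (assumed values, not defaults).
SOFT_LIMIT = 10      # Connection Soft Limit: concurrent connections per IP
HARD_LIMIT = 20      # Connection Hard Limit: excess connections closed at once
GRACE_PERIOD = 15    # seconds an IP may stay above the soft limit
BANNED_PERIOD = 300  # seconds an IP is banned once the grace period runs out

# Constructed samples: (seconds, client IP, concurrent connections observed).
SAMPLES = [
    (0, "203.0.113.5", 12), (5, "203.0.113.5", 13), (10, "203.0.113.5", 12),
    (15, "203.0.113.5", 14), (20, "203.0.113.5", 11),   # stays over the soft limit
    (5, "198.51.100.7", 25), (10, "198.51.100.7", 3),   # one spike past the hard limit
    (20, "198.51.100.7", 12),
    (0, "192.0.2.9", 4), (10, "192.0.2.9", 5),          # normal browser behaviour
]

def evaluate(samples, soft=SOFT_LIMIT, hard=HARD_LIMIT,
             grace=GRACE_PERIOD, ban=BANNED_PERIOD):
    """Apply the soft/hard limit policy to the samples in time order.

    Returns (bans, closed): bans maps IP -> ban expiry time; closed counts the
    connections the server would close per IP (those above the hard limit, plus
    every connection attempted while the IP is banned).
    """
    over_since = {}            # IP -> first time it exceeded the soft limit
    bans = {}
    closed = defaultdict(int)
    for t, ip, conns in sorted(samples):
        if ip in bans:
            if t < bans[ip]:           # still banned: refuse everything
                closed[ip] += conns
                continue
            del bans[ip]               # ban expired, start fresh
        if conns > hard:               # hard limit: close the excess immediately
            closed[ip] += conns - hard
        if conns > soft:
            start = over_since.setdefault(ip, t)
            if t - start >= grace:     # over the soft limit for a whole grace period
                bans[ip] = t + ban
                over_since.pop(ip)
        else:
            over_since.pop(ip, None)   # back under the soft limit: reset the clock
    return bans, dict(closed)

def denied_list_candidates(samples):
    """IPs that earned a ban: the ones worth reviewing for the Denied List."""
    bans, _ = evaluate(samples)
    return sorted(bans)

if __name__ == "__main__":
    bans, closed = evaluate(SAMPLES)
    print("banned:", bans)
    print("closed connections:", closed)
    print("Denied List candidates:", denied_list_candidates(SAMPLES))
```

The spike from 198.51.100.7 only costs it the connections above the hard limit, while 203.0.113.5 is banned at second 15 because it never dropped back under the soft limit during the grace period.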

litespeed_wiki/how_can_i_mitigate_ddos_attacks.txt · Last modified: 2013/05/22 16:30 (external edit)