DDoS

#1
Hello,
We use LiteSpeed 4.1.1 Ent on our CentOS 5.4 (cPanel) server.
Today this server's load, which I monitor, suddenly got heavy (e.g. from 0.55 to 25.14) and all services became inaccessible.
It also has csf & lfd, mod_deflate and mod_security.
When the load increased, I checked network I/O with iftop, but it showed RX & TX lower than 500kbps (b=byte).

I reported this problem to the datacenter and they told us this might be a DDoS attack.

Now how can I find the attacker's IP or the target of this attack?
 
#3
I configured LiteSpeed with these values:
Static Requests/second - 10
Dynamic Requests/second - 2
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 20
Connection Hard Limit - 30
Grace Period (sec) - 30
Banned Period (sec) - 3600

Max Connections : 900
Connection Timeout (secs) : 15
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

But the problem is still not solved.
 

webizen

#4
Do you see any IP listed in "Anti-DDoS Blocked IP" on the real-time stats page of the LSWS Admin Console? If none or not many, then your high system load could be caused by something else instead of an excessive-established-connection kind of DDoS attack.

Did you run 'top' from the command line and see which process(es) consume the most resources (CPU cycles, I/O wait, etc.), which helps identify the cause of high system load?
 
#5
Thank you for the reply.
When the load increases, I run "top", "atop" and "htop" and:
"ps -eo pid,user,%cpu,%mem,etime,args"

But all of these tools show that the load is heavy and that lsphp5 is using the load. Then I searched for the user of the PID with:
"ps -ef | grep [PID]"
but it shows root in the user field.

What can I do?
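
One way to approach the question from post #1 (which client IPs, and which target) when the load sits in lsphp5 rather than in bandwidth is to rank clients and requested paths in the site's access log. This is an added example, not code from the thread's participants or from LiteSpeed. It assumes the access log is in Apache combined format; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes combined log format:
#   IP - - [time zone] "METHOD path PROTO" status bytes "referer" "agent"
# so awk field $1 is the client IP and $7 is the requested path.

# top_clients LOGFILE [N]: the N busiest client IPs as "count ip".
top_clients() {
    awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' "$1" |
        sort -k1,1nr -k2,2 | head -n "${2:-10}"
}

# top_targets LOGFILE [N]: the N most requested paths, query string stripped,
# so /index.php?id=1 and /index.php?id=2 count as one target.
top_targets() {
    awk '{ split($7, p, "?"); hits[p[1]]++ }
         END { for (u in hits) print hits[u], u }' "$1" |
        sort -k1,1nr -k2,2 | head -n "${2:-10}"
}

# clients_for_target LOGFILE PATH: who requests one path, busiest first.
clients_for_target() {
    awk -v t="$2" '{ split($7, p, "?"); if (p[1] == t) hits[$1]++ }
         END { for (ip in hits) print hits[ip], ip }' "$1" |
        sort -k1,1nr -k2,2
}

# Constructed sample log (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [01/Jan/2011:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [01/Jan/2011:10:00:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [01/Jan/2011:10:00:02 +0000] "GET /index.php?id=3 HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [01/Jan/2011:10:00:02 +0000] "GET /index.php?id=4 HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [01/Jan/2011:10:00:03 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [01/Jan/2011:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [01/Jan/2011:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 128 "-" "-"
203.0.113.5 - - [01/Jan/2011:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 256 "-" "-"
EOF
}

log=$(mktemp)
sample_log > "$log"
echo "Top clients:";                 top_clients "$log" 3
echo "Top targets:";                 top_targets "$log" 3
echo "Clients hitting /index.php:";  clients_for_target "$log" /index.php
rm -f "$log"
```

On a real server, pass the affected site's access log instead of the sample; a single address or a single PHP path dominating the counts points to the source or the target of the load.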
 