Wow, Litespeed is a bad boy against ddos

[felosi]

I finally got to see litespeed battle proven for my needs. My problem lately has been these low bandwidth syn and get floods that get past ddos firewalls and murder apache with less then a 100 or so ips all connecting multiple times. Which if you run apache you will know an attack like this will cripple a server.

So I havent been having much ddos on my current customers because either the ddoser gives up after a while or I gather the ips and give them to botnet hunters who find them and shut them down.

I got this new customer, a russian guy being extorted, So I figured this was a good time to try it out.

Well as soon as dns resolves the crap storm begines, such low bandwdith didnt even trip ddos firewall but was thousands of ips all on apache. I set csf connection tracking low and started letting them get banned. Within the day I checked the server frequently, the load never got over .48 all day which it usually was on 1.5 and higher under normal operation under apache.

Within the day the server banned over 3000 bots twice, had cleared the banlist once as I thought the iptables would trip with that many bans.

Some bandwidth was used but the target site has been up and fast all day under massive attack, ended up with firewall dropping banned ips for a while, steady 2-3 mbit incoming but cant complain.

Litespeed handled this very well and I am gonna put this in all my servers, its perfect for my type of hosting. Will be buying licences for all, as soon as trial runs out of course

Just thought Id give some feedback on how It handles attacks, I think it does so insanely well.

 

[mistwang]

Thank you for the sharing.
Properly tuned LiteSpeed can deny DDoS attacks very well. That's just one of many useful features in LiteSpeed.

Please help us spreading the words if you don't mind.

 

[felosi]

well, doesnt require much tweaking. What Im amazed about is how it can handle all those connections in only two processes, not make the load go high, and every site still be as fast as usual.

Im suprised more people havent heard about it. I been telling people how amazed I am. But even with page load benchmarks the best its still amazing how it can handle all those requests and traffic and stay at such a low load.

 

[hichew]

by the way.. what's the best way to check if your server got ddos?

my top load average is always above 8.

top - 02:16:12 up 2 days, 3:41, 1 user, load average: 8.70, 7.60, 7.64
Tasks: 181 total, 29 running, 152 sleeping, 0 stopped, 0 zombie
Cpu0 : 42.7% us, 4.9% sy, 0.0% ni, 37.1% id, 0.0% wa, 0.3% hi, 15.0% si
Cpu1 : 47.2% us, 3.9% sy, 0.0% ni, 48.2% id, 0.0% wa, 0.0% hi, 0.6% si
Cpu2 : 53.6% us, 1.9% sy, 0.0% ni, 44.2% id, 0.0% wa, 0.0% hi, 0.3% si
Cpu3 : 62.2% us, 3.9% sy, 0.0% ni, 33.6% id, 0.0% wa, 0.0% hi, 0.3% si
Cpu4 : 48.7% us, 4.6% sy, 0.0% ni, 46.1% id, 0.0% wa, 0.0% hi, 0.7% si
Cpu5 : 49.0% us, 1.9% sy, 0.0% ni, 48.7% id, 0.0% wa, 0.0% hi, 0.3% si
Cpu6 : 49.5% us, 3.6% sy, 0.0% ni, 46.0% id, 0.0% wa, 0.0% hi, 1.0% si
Cpu7 : 52.8% us, 1.9% sy, 0.0% ni, 44.7% id, 0.0% wa, 0.0% hi, 0.6% si
Mem: 4040896k total, 2974256k used, 1066640k free, 59896k buffers
Swap: 2031608k total, 144k used, 2031464k free, 1624116k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15815 kaskus 16 0 57512 30m 19m R 25 0.8 0:06.85 lsphp
15236 kaskus 16 0 54452 31m 23m R 19 0.8 0:28.51 lsphp
15396 kaskus 16 0 56544 34m 23m R 18 0.9 0:19.19 lsphp
13937 kaskus 16 0 57796 40m 28m R 17 1.0 1:10.25 lsphp
14341 kaskus 16 0 56072 35m 25m R 16 0.9 1:05.91 lsphp
15471 kaskus 16 0 54956 31m 22m R 16 0.8 0:19.42 lsphp
15127 kaskus 16 0 56408 36m 26m R 16 0.9 0:31.67 lsphp
15543 kaskus 15 0 56060 31m 21m S 16 0.8 0:13.16 lsphp
14309 kaskus 16 0 56076 37m 26m R 14 0.9 0:52.43 lsphp

 

[felosi]

see whats up with that user and their process.
Best way to see if your server is getting ddos is:

netstat -ntu | grep SYN_RECV - to see how many incoming syns you have

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
to show who is connected and how many times.

Also the live reports in litespeed can show you exactly whats going on and the who and where.

Id see whats up with that user you have there, they are either getting some ddos or vampire attack or just a simple http get flood.
The problems with the vamp and http attacks even with litespeed is that it uses php and sql each time a bot hits the page. But with php suexec it can prevent that from taking down the entire server

 

[mistwang]

To check if you get DDoS, you should check the total connections in use from the real time statistics page. if it is higher than normal, you may get attacked.

Your server has 8-Cores, so load around 8 is the perfect value which is equivalent to load around 1 on a uni-processor server.

 

[hichew]

wow this litespeed is really good against ddos.
yesterday I got ddos and pushing bandwidth up to 80mbps (mrtg attached)

and guess what.. the site is still accessible.. and server load hovering at 8-9

 

[felosi]

yeah it will handle as much http as you can pipe at it.
There is one thing though running php as nobody is that they can use those vampire attacks or the ones that attack forum functions in order to kill sql. With nobody your load will may real high and php will lag a lil, it can eat up the max childs. With suphp it will kill the affected users php processes for whatever you have the max set as and not spill over into affecting other users

Glad you got to field test it, now maybe people can see what Im always talking about. Its a badd ass for sure.

 

[deJager]

So, what's the best settings in the webconsole to mitigate such attacks?

 

[dk.mmmm]

DDOS is not only from 1 IP.

It is called BOT Net. A lot people in Vietnam use it to attack website. DDOS will come with over 1000 IPs, and My website got attacked. LiteSpeed can not protect me perfect.

But I so happy because Litespeed help me know what domain are getting attack, and then I just need setup some tool to protect it.