IP blocking not being triggered

MentaL

Well-Known Member
#1
I'm sending over 1k connections to my web server to check the configuration, and I notice that even with 1k connections from the same IP, the web server will not, for the life of God, block that IP.

SPECIAL.IP 0 TH 28.8 191/191 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 28.0 191/191 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 28.0 191/191 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 28.0 191/191 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 28.0 191/191 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 27.9 191/191 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 27.9 191/191 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 27.8 191/191 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 23.8 213/213 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 22.9 213/213 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 21.0 213/213 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 20.2 215/215 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 18.8 216/216 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 18.6 216/216 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 15.9 216/216 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 15.1 216/216 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 15.1 216/216 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 14.9 210/210 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 14.9 203/203 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 13.8 241/241 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 13.2 213/213 0/-2 forum.domain.com - "GET / HTTP/1.1"
SPECIAL.IP 0 TH 13.1 216/216 0/-2 forum.domain.com - "GET / HTTP/1.1"
Configuration;



Cannot pinpoint as to why it is not triggering.



Help me find my silly oversight.

Cheers.
 

mistwang

LiteSpeed Staff
#4
Are you using a front-end proxy? Since all traffic is going through the proxy server, LSWS has no idea which IP the request is coming from until the whole request header has been received, as the real client IP is forwarded through a request header.
 

MentaL

Well-Known Member
#5
Yes, we are, but this issue never happened before, plus all source IPs are showing through the admin panel (attacker IP, not proxy). What do you propose?
 

mistwang

LiteSpeed Staff
#6
Unfortunately, that is the way it works. Client IPs are received through the X-Forwarded-For request header.
LSWS cannot block the proxy IP, so all requests forwarded from the proxy server have to be accepted. Unless there is a way to notify the proxy server to block those IPs at the proxy server, there is no way to block them at the backend.
 

MentaL

Well-Known Member
#7
Really strange, because the source IP, not the proxy, is being viewed (maybe a direct connection), and yet LiteSpeed used to block these attacks and no longer does.

/Update

Will do a test sending traffic to the source IP to simulate a DDoS attack and I'll see if it's filtering correctly via LiteSpeed.

/Update

Filters correctly with direct IP but not with Incapsula in the front end. Any suggestions?

NiteWave

Administrator
#12
My point is: set it to No temporarily and run the tests again to see if the "weird" issue goes away.

Your question looks clear to me now. It was actually already answered in previous replies, in #4 and #6 above.

In short, in your case:

attacking IPs --> proxy --> lsws server

For this setup, the LSWS server can't block the "attacking IPs" directly; it can only display these IPs if "Use Client IP in Header" is set to "Yes".

attacking IPs -> lsws server

For this setup, the LSWS server can block these IPs.

In other words, the LSWS server can only block directly connected IPs.
 

mistwang

LiteSpeed Staff
#14
Please try the latest 5.0.13, which should block attacks passed through a front-end proxy. Right now a 403 error is returned and the IP is added to the blacklist.

/usr/local/lsws/admin/misc/lsup.sh -f -v 5.0.13
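
The behaviour discussed in this thread (the backend only learns the real client IP from the request header, so it can only reject at request level), sketched as an added example that is not LiteSpeed's code or part of any post above. The proxy range, limits and all function and class names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed values for illustration; these are not LiteSpeed settings.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]  # constructed proxy range
LIMIT, WINDOW, BAN_SECONDS = 5, 1.0, 60.0

def effective_client_ip(peer_ip, headers):
    """Return the IP to throttle on. X-Forwarded-For is honoured only when the
    TCP peer is a trusted proxy; otherwise any client could spoof the header."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer_ip
    xff = headers.get("X-Forwarded-For", "")
    # Walk right to left: the right-most entry that is not a trusted proxy
    # is the address the proxy itself saw; entries left of it are unverified.
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to the TCP peer
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return peer_ip

class RequestThrottle:
    def __init__(self):
        self.hits = defaultdict(deque)  # client IP -> recent request times
        self.banned_until = {}          # client IP -> ban expiry time

    def check(self, peer_ip, headers, now):
        """Return the HTTP status for this request: 200 or 403."""
        client = effective_client_ip(peer_ip, headers)
        if self.banned_until.get(client, 0.0) > now:
            return 403
        window = self.hits[client]
        window.append(now)
        while window and now - window[0] > WINDOW:
            window.popleft()
        if len(window) > LIMIT:
            # Over the limit: reject and remember the client, not the proxy.
            self.banned_until[client] = now + BAN_SECONDS
            return 403
        return 200
```

The ban is keyed on the forwarded client address, so other visitors arriving through the same proxy keep being served while the proxy's own IP is never blocked.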
 