Anti-DDOS Block feature cannot detect this kind of request

[redstrike]

Hi LiteSpeed,

My site is in heavy load condition now. But the anti-ddos feature does not work efficiently.

The attachment is my log file. It seem that LiteSpeed cannot detect the IP 113.163.80.152 as the ddos IP.

LiteSpeed is a great webserver, i hope you can improve the Anti-DDOS Block feature. I suggest the feature to add the denied IPs without tell us to restart LiteSpeed.

Thanks.

 

[NiteWave]

what's your anti-ddos settings?

 

[redstrike]

Hello NiteWave,

You mean settings of Per Client Throttling ?

Static Requests/second:		10
Dynamic Requests/second:		5
Outbound Bandwidth (bytes/sec):	256K
Inbound Bandwidth (bytes/sec):	0
Connection Soft Limit:		5
Connection Hard Limit:		15
Grace Period (sec):		15
Banned Period (sec):		900

 

[webizen]

Please extract the entries related to 113.163.80.152 from your access and error logs for us to look.

Hi LiteSpeed,

My site is in heavy load condition now. But the anti-ddos feature does not work efficiently.

The attachment is my log file. It seem that LiteSpeed cannot detect the IP 113.163.80.152 as the ddos IP.

LiteSpeed is a great webserver, i hope you can improve the Anti-DDOS Block feature. I suggest the feature to add the denied IPs without tell us to restart LiteSpeed.

Thanks.

 

[redstrike]

Please extract the entries related to 113.163.80.152 from your access and error logs for us to look.

I have attached the logs at the first post. That's all i have. I think the IP 113.163.80.152 tried to attack my site or cheating our views counter. I think the buit-in Anti-DDOS feature of LiteSpeed should treat it like an attacker. But it doesn't

 

[webizen]

If the IP never shows up in these logs, LiteSpeed will not capture it. How did you know the IP is attacking the site? You must have something else to show.

 

[redstrike]

If the IP never shows up in these logs, LiteSpeed will not capture it. How did you know the IP is attacking the site? You must have something else to show.

2011-08-12 16:21:50.426 INFO [113.162.196.58:1459-0#raphay.com] File not found [/home/vn2rap/domains/raphay.com/public_html/enjoy_vn2rap/lofi_mp3/vietnam/rap/Subby/Kho_Hieu_2_(Remix)_(Ft._MAC,_BlackBi,_Young_H,_Phutoro,_Kiddy)_-_Subby.smi]
2011-08-12 16:21:50.426 INFO [113.165.29.11:51044-0#raphay.com] File not found [/home/vn2rap/domains/raphay.com/public_html/enjoy_vn2rap/lofi_mp3/korea/Secret_(Band)/Madonna_(Japanese_Ver.)/02._My_Boy_(New_Arrange_Ver.)_(Japanese_Ver.)_-_Secret.smi]
2011-08-12 16:21:53.254 INFO [115.78.123.226:2471-0#raphay.com] File not found [/home/vn2rap/domains/raphay.com/public_html/enjoy_vn2rap/lofi_mp3/vietnam/rap/Gino/Thoi_Quen_Cua_Anh_-_Gino.smi]
2011-08-12 16:21:55.626 INFO [113.163.80.152:41562-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#play,20213,di_luon_di_(ft._spu._pe_spy,_red).v2r]
2011-08-12 16:21:57.977 NOTICE [115.74.24.117] reached per client soft connection limit: 5 for 65 seconds, close connection!
2011-08-12 16:21:58.050 INFO [113.163.80.152:41322-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#home]
2011-08-12 16:22:00.647 INFO [113.163.80.152:41736-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#play,20213,di_luon_di_(ft._spu._pe_spy,_red).v2r]
2011-08-12 16:22:03.061 INFO [113.163.80.152:41331-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#home]
2011-08-12 16:22:05.652 INFO [113.163.80.152:41891-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#play,20213,di_luon_di_(ft._spu._pe_spy,_red).v2r]
2011-08-12 16:22:08.078 INFO [113.163.80.152:41338-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#home]
2011-08-12 16:22:10.679 INFO [113.163.80.152:42043-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#play,20213,di_luon_di_(ft._spu._pe_spy,_red).v2r]
2011-08-12 16:22:13.110 INFO [113.163.80.152:41340-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#home]
2011-08-12 16:22:15.408 INFO [115.78.123.66:48217-0#vn2rap.com] connection to [/tmp/lshttpd/lsphp5.sock.979] on request #4, confirmed, 1, associated process: 3331, running: 1, error: Connection reset by peer!
2011-08-12 16:22:15.408 NOTICE [115.78.123.66:48217-0#vn2rap.com] POST request in process stage, fail with 503
2011-08-12 16:22:15.408 NOTICE [115.78.123.66:48217-0#vn2rap.com] oops! 503 Service Unavailable
2011-08-12 16:22:15.408 NOTICE [115.78.123.66:48217-0#vn2rap.com] Content len: 44, Request line: 'POST /m/index.php HTTP/1.1'
2011-08-12 16:22:15.408 INFO [115.78.123.66:48217-0#vn2rap.com] Cookie len: 348, SID=704da8540c8b1985cd315e5f4ab70f14; MEDIA_TPL=black_pro; HIM_on_off=1; HIM_method=0; HIM_ckspell=1; HIM_daucu=1; PHPSESSID=87098673e4760b04ec2ea1b37568bb93; __utma=32370809.1221589921.1313141160.1313141160.1313141160.1; __utmb=32370809.1.10.1313141160; __utmc=32370809; __utmz=32370809.1313141160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
2011-08-12 16:22:15.725 INFO [113.163.80.152:42076-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#play,20213,di_luon_di_(ft._spu._pe_spy,_red).v2r]
2011-08-12 16:22:18.132 INFO [113.163.80.152:41342-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#home]
2011-08-12 16:22:20.745 INFO [113.163.80.152:42077-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#play,20213,di_luon_di_(ft._spu._pe_spy,_red).v2r]
2011-08-12 16:22:23.154 INFO [113.163.80.152:41343-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#home]
2011-08-12 16:22:25.771 INFO [113.163.80.152:42138-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#play,20213,di_luon_di_(ft._spu._pe_spy,_red).v2r]
2011-08-12 16:22:28.189 INFO [113.163.80.152:41350-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#home]
2011-08-12 16:22:30.779 INFO [113.163.80.152:42296-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#play,20213,di_luon_di_(ft._spu._pe_spy,_red).v2r]
2011-08-12 16:22:33.215 INFO [113.163.80.152:41352-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#home]
2011-08-12 16:22:35.799 INFO [113.163.80.152:42452-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#play,20213,di_luon_di_(ft._spu._pe_spy,_red).v2r]
2011-08-12 16:22:36.063 INFO [113.170.210.203:1383-0#raphay.com] File not found [/home/vn2rap/domains/raphay.com/public_html/enjoy_vn2rap/lofi_mp3/vietnam/rap/PCK/Hanh_Phuc_Em_Ha_(Ft._LT_Rocky,_Nhokrain_-_PCK.smi]
2011-08-12 16:22:38.674 INFO [58.186.160.14:17334-0#raphay.com] File not found [/home/vn2rap/domains/raphay.com/public_html/enjoy_vn2rap/lofi_mp3/vietnam/rap/Kimken/Dung_(Ft._Spy)_-_Kimken.smi]
2011-08-12 16:22:38.675 INFO [113.163.80.152:41353-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#home]
2011-08-12 16:22:40.818 INFO [113.163.80.152:42603-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#play,20213,di_luon_di_(ft._spu._pe_spy,_red).v2r]
2011-08-12 16:22:44.018 INFO [113.163.80.152:41355-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#home]
2011-08-12 16:22:44.801 INFO [222.253.179.36:16209-1#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/lofi_mp3/vietnam/rap/Lil_Knight/Dich_Den_(Mixtape)/05._Loi_Thoat_-_LK.mp3]

Here is all i have. I don't know what is your meaning? That is IP 113.163.80.152 show up with a lot of requests like below:

2011-08-12 16:22:38.675 INFO [113.163.80.152:41353-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#home]
2011-08-12 16:22:40.818 INFO [113.163.80.152:42603-0#vn2rap.com] File not found [/home/vn2rap/domains/vn2rap.com/public_html/m/#play,20213,di_luon_di_(ft._spu._pe_spy,_red).v2r]

 

[webizen]

According to your attached log, IP 113.163.80.152 pulls these two URLs (only) every 5 seconds, respectively. That rate (0.4 requests/second) is way below your current Per Client Throttling limits. You can manually add that IP to Denied List or order our advanced anti-ddos services for automate blockage.

Static Requests/second:		10
Dynamic Requests/second:		5
Outbound Bandwidth (bytes/sec):	256K
Inbound Bandwidth (bytes/sec):	0
Connection Soft Limit:		5
Connection Hard Limit:		15
Grace Period (sec):		15
Banned Period (sec):		900

 

[redstrike]

According to your attached log, IP 113.163.80.152 pulls these two URLs (only) every 5 seconds, respectively. That rate (0.4 requests/second) is way below your current Per Client Throttling limits. You can manually add that IP to Denied List or order our advanced anti-ddos services for automate blockage.

Static Requests/second:		10
Dynamic Requests/second:		5
Outbound Bandwidth (bytes/sec):	256K
Inbound Bandwidth (bytes/sec):	0
Connection Soft Limit:		5
Connection Hard Limit:		15
Grace Period (sec):		15
Banned Period (sec):		900

Although i have read the tips so many time, I quite don't understand the terms "Static" vs "Dynamic" Requests/second. Can you explain me more? which kind of request is static or dynamic? Can you give me some examples from the log which i shared?

Is Inbound Banwidth affect the upload of user? Or my site will be better if i set it to 1K (my site doesn't allow user to upload their content)

 

[webizen]

see descriptions at:

http://www.litespeedtech.com/docs/webserver/config/security/#staticReqPerSec
http://www.litespeedtech.com/docs/webserver/config/security/#dynReqPerSec

static content is the resource delivered to user exactly as stored on server such as jpg, gif, html, js files.

dynamic content (dynamically generated content) is generated by web application. the following (index.php) from your log is dynamic. the rest are hard to tell since they don't exist ("File not found") on server.

2011-08-12 16:22:15.408 NOTICE [115.78.123.66:48217-0#vn2rap.com] Content len: 44, Request line: 'POST /m/index.php HTTP/1.1'

Inbound Bandwidth is for throttling user upload. "0" means no limit. if your site does not allow upload, it doesn't really make difference to set it at 1K or 0.