DDoS Question

[-KaaL-]

Hello,

I am planning to buy LiteSpeed Enterprise for my server.
But i would just like to make sure it would be worth the price.

I am currently using the Trial Version ..
Linux CentOS 32bit with DA

I just want to get the right setting..
I have followed most of the threads.. including http://www.litespeedtech.com/how-tos.html#qa_dos

But just didnt know how to mitigate attacks from different IPs.

I read the last point there about General Context. But i didnt understand that part..

I have posted an image of a log of an attack i experience..

Thank you,
Arvind.

 

[mistwang]

Just limit the number of connections from each IP, LSWS will block IP that abuse the server automatically, no need to do anything extra unless you are hitting by a botnet with hundreds or thousands zombies.

 

[-KaaL-]

I havent posted the whole log.
Its well over UNIQUE 500 bots.
And this log has some consecutive IPs
I expect attacks with all unique IPs like a pack of 500 attacking one after the other..

 

[mistwang]

It does not matter, as long as the bot acts aggressively like the status page you posted, all of them will be blocked in short time once hit the connection limits.

 

[-KaaL-]

Static Requests/second - 25
Dynamic Requests/second - 10
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 400
Connection Hard Limit - 500
Grace Period (sec) - 15
Banned Period (sec) - 300

Max Connections : 500
Connection Timeout (secs) : 60
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

Are these settings fine ?

 

[anewday]

Static Requests/second - 25
Dynamic Requests/second - 10
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 400
Connection Hard Limit - 500
Grace Period (sec) - 15
Banned Period (sec) - 300

Max Connections : 500
Connection Timeout (secs) : 60
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

Are these settings fine ?

How often do you get hit with a ddos? Your settings are not aggressive. Start with these:

Static Requests/second - 10
Dynamic Requests/second - 2
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 20
Connection Hard Limit - 30
Grace Period (sec) - 30
Banned Period (sec) - 3600

Max Connections : 900
Connection Timeout (secs) : 15
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

 

[-KaaL-]

DDoS attacks are very frequent.
Got a lot of haters lol..


Ok I have changed to those settings.
Any other settings that would be required ?

 

[anewday]

I adjusted the settings above again, should be able to mitigate very powerful attacks. Keep us posted on how it goes.

 

[-KaaL-]

well... some scripts that use AJAX wont load fast..
can you put some exclusion rules to some scripts for a particular domain or something..

 

[felosi]

Well what you have here is a classic get attack. I suppose the site is a php/mysql site? The goal of such attack is resource exhaustion, they can be difficult to mitigate but it can be done.

What I first recommend is csf firewall with connection tracking features on, you wanna make a ct_limit of about 25-60 depending on how many connections most legit users make. Then make the ban permanent - ct_perm to 1. Then turn on the mod_security failure blocking.

After you configure all that then include a good mod_security ruleset like the one from gotroot.com. I actually just made an article on my blog with a trimmed down ruleset - http://nix101.com/2009/06/25/light-mod_security-ruleset/
This will block bad and empty user agents.

Then set your litespeed settings as suggested above. I usually keep the connection limits to 5 soft, 15 hard. And even lower if needed but be careful legit users may start getting banned. It also has a lot to do with the sites as well. If they have a lot of images and other things to load it will have more requests per second as well as connections. Optimizing your site will help as well.

Then if all else fails, tail your access_log and see if you see a pattern with the user_agent like if they are all using the same user_agent. Get that and google it to see if it is a legit one, if not then just edit one of the mod_security rules for user_agents and put that one in there. Or use iptables string match to get it.

Then if all else fails try a click to enter page, a simple html page with enter link, If the attacker modifies their attack to go directly to index.php or whatever then you will be fighting a losing war and it is time to think about getting some ddos protection somewhere that has one of the click or captcha pages at the router.

Hope all this helps, good luck

 

[anewday]

Just a word of caution...the user agent can easily be spoofed, many botnets do this.

 

[grniyce]

Sasha, good mod_security rules will help with a large percentage of what you are getting hit with, and reduce the load on your server quite a bit. Due to the size of the forums you're running you'd be better with:

Static req/sec: 15
Dynamic req/sec: 5

 

[-KaaL-]

Thank you all for your responses. Ty Ant.

I have installed ClamAV and ModClamAV on my DA

Also installed Mod Security2 and have put the rules as given by Ant on the other thread.

http://www.litespeedtech.com/support/forum/showthread.php?t=2982

When i restart httpd i get this error...
LiteSpeed Administrator i get these in Error Log..

2009-06-30 00:16:25.543	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: XML:/*
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_BODY
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_PROTOCOL
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_HEADERS:Content-Encoding
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: GLOBAL:alerted_960903_compression
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_PROTOCOL
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_STATUS
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: WEBSERVER_ERROR_LOG
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: Transfer-Encoding)/'
2009-06-30 00:16:25.546	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQBODY_PROCESSOR_ERROR
2009-06-30 00:16:25.546	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_URI_RAW

UPDATED

 

[grniyce]

Thank you all for your responses. Ty Ant.

I have installed ClamAV and ModClamAV on my DA

Also installed Mod Security2 and have put the rules as given by Ant on the other thread.

http://www.litespeedtech.com/support/forum/showthread.php?t=2982

When i restart httpd i get this error...
LiteSpeed Administrator i get these in Error Log..

2009-06-30 00:16:25.543	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: XML:/*
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_BODY
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_PROTOCOL
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_HEADERS:Content-Encoding
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: GLOBAL:alerted_960903_compression
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_PROTOCOL
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_STATUS
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: WEBSERVER_ERROR_LOG
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: Transfer-Encoding)/'
2009-06-30 00:16:25.546	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQBODY_PROCESSOR_ERROR
2009-06-30 00:16:25.546	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_URI_RAW

UPDATED

I get some of the same errors, and I asked about them in an email to LS Support, and they responded that they don't mean anything, because if you wait a few minutes and refresh the page the errors are all gone. They are mod_security alerts, so technically you could go through the mod_security log and find out what it triggering it, but I never have and everything works fine.

 

[grniyce]

Another good tool to install and configure is MailScanner. You can protect yourself from the HTML:Iframe injections, and it works perfectly with ClamAV. Just configure everything, start it, and it scans incoming and outgoing mail for spam to protect your server from rogue spam scripts, as well as from people trying to use your server as a mail bomber / spammer / etc.

http://www.mailscanner.info/

Make sure you have all the php.ini disable_functions set in the default /usr/local/lib/php.ini
Make sure you have safe mode cgi so cgi scripts CANNOT override the default php.ini permissions (as that is what the latest crackers are using to root boxes).

I have SuPHP, Suhosin, Safe Mode, Safe CGI Mode, mod_perl, mod_security, mod_bandwidth, and when setting up packages choose for users to NOT have cgi access unless you know that person and can trust them. It's what puts you at risk for more sql injections and so forth.

I learned the hard way. Then once all that is recompiled, build matching php in LSWS.

 

[anewday]

Make sure you have safe mode cgi so cgi scripts CANNOT override the default php.ini permissions (as that is what the latest crackers are using to root boxes)

How to do this?

 

[grniyce]

I don't give anyone CGI access unless they request it for special reasons.

Note: A common misbelief is that VPS already have CGI safe-moded, but in reality it depends upon the actual setup they have. Most can be circumvented and end up rooting the entire box, hence wiping out your VPS and the rest of the raid storage; thus putting you at financial responsibility for the damage caused if it happens. You can Google 'safe mode cgi' and see the supply of workarounds.

Now as far as the protection part, well I can only offer enough knowledge to show what I did, and I use WHM/cPanel. So here are my steps I took, which I assume should exist in other Admin Panels.


Click Basic cPanel/WHM Setup and scroll to the CGI Access option and put a n there instead of a y.

Now whenever you create any new packages the CGI Access option will be unselected automatically; however, if you have already created some packages, you should edit each package and unselect CGI Access.

Now when I built Apache I chose these options by doing the exhaustive list of options and selecting all of the below. You will see the option for Safe PHP CGI.

I have also attached my default build to this post, as you can use that too, but be prepared to make some Suhosin edits in the php.ini if you run certain content. Usually just having this pasted at the bottom of the php.ini once everything is built will solve any issues associated with running Suhosin in environments such as bulletin boards.

[suhosin]
suhosin.post.max_vars = 2048
suhosin.request.max_vars = 10000
suhosin.cookie.encrypt = Off
suhosin.session.encrypt = Off
suhosin.log.sapi = 511
suhosin.get.max_value_length = 1024extension="ixed.5.2.lin"

 

[grniyce]

Sasha a few other things you should do are these:

In your /usr/local/lib/php.ini put these where it says disable_functions:

disable_functions = "fpassthru, crack_check, crack_closedict, crack_getlastmessage, crack_opendict, psockopen, php_ini_scanned_files, hell-exec, system, dl, ctrl_dir, phpini, tmp, safe_mode, systemroot, server_software, get_current_user, HTTP_HOST, php_uname, ini_restore, popen, pclose, exec, shell_exec, suExec, passthru, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_setegid, posix_seteuid, posix_setgid, posix_times, posix_ttyname, posix_uname, posix_access, posix_get_last_error, posix_mknod, posix_strerror, posix_initgroups, posix_setsidposix_setuid, show_source, apache_setenv, define_syslog_variables, eval, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, inject_code, openlog, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, syslog, xmlrpc_entity_decode, ini_set"

now in /etc/my.cnf (this is just mine, which is on a dual Xeon 3.0ghz 4gb ram) Raghav or whomever may need to tweak yours for your specific hardware, but even applying this if you have nothing in your my.cnf will help reduce load averages and (d)dos effects

[mysqld]
datadir=/var/lib/mysql
local-infile = 0
skip-locking
skip-innodb
skip-bdb
safe-show-database
max_connections = 800
key_buffer = 64M
myisam_sort_buffer_size = 64M
join_buffer_size = 1M
read_buffer_size = 2M
sort_buffer_size = 2M
read_rnd_buffer_size = 2M
table_cache = 1024
record_buffer = 1M
thread_cache_size = 128
wait_timeout = 30
connect_timeout = 10
interactive_timeout = 10
tmp_table_size = 64M
max_heap_table_size = 64M
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 64M
query_cache_type = 1
thread_concurrency = 4
default-storage-engine = MyISAM

[mysqld_safe]
open_files_limit = 8192

[mysqldump]
quick
max_allowed_packet = 100M

[myisamchk]
key_buffer = 64M
sort_buffer = 64M
read_buffer = 16M
write_buffer = 16M

Also, in LSWS Admin / Configuration change the Keep Alive requests to like 100 and make the timeout 3 seconds.

As for CSF, after many many attempts to get the configuration set appropriately I found these settings work the best:

Config Server CSF Settings Word Document

 

[Cyber-DL]

Hello,

I am planning to buy LiteSpeed Enterprise for my server.
But i would just like to make sure it would be worth the price.

I am currently using the Trial Version ..
Linux CentOS 32bit with DA

I just want to get the right setting..
I have followed most of the threads.. including http://www.litespeedtech.com/how-tos.html#qa_dos

But just didnt know how to mitigate attacks from different IPs.

I read the last point there about General Context. But i didnt understand that part..

I have posted an image of a log of an attack i experience..

Thank you,
Arvind.

wow KaaL , amazing log , i'm using DA , how can i access this log for my server ?!

 

[-KaaL-]

I have done all what has been said by Ant. Appreciate it.
But the Mod Security rules you posted on the other thread forbids members to post reply or post a new thread ... i think some settings has to be lowered..

Thank you again..

wow KaaL , amazing log , i'm using DA , how can i access this log for my server ?!

APACHE 1.x
http://httpd.apache.org/docs/1.3/mod/mod_status.html

APACHE 2.x
http://httpd.apache.org/docs/2.2/mod/mod_status.html