DDoS Question

[grniyce]

If you look at the mod_security log, it should tell you what is being blocked. Perhaps you can paste the security alert here. Otherwise you'll need to do what I did, and that's searching through each mod_sec document in "modsecurity" and "modsecurity.d" and search for the text, kinda like when you do an edit in vB ya know? Find that text and depending upon the usage of it, you can alter the rule or remove it entirely if it's something like a blacklist. Nothing is perfect for all environments, but what I posted is for a WHM/cPanel environment. With DA I'm not sure how it compiles Apache, and what options you have and so forth. By process of elimination you can most of the time tweak the rule.

 

[-KaaL-]

If you look at the mod_security log, it should tell you what is being blocked. Perhaps you can paste the security alert here. Otherwise you'll need to do what I did, and that's searching through each mod_sec document in "modsecurity" and "modsecurity.d" and search for the text, kinda like when you do an edit in vB ya know? Find that text and depending upon the usage of it, you can alter the rule or remove it entirely if it's something like a blacklist. Nothing is perfect for all environments, but what I posted is for a WHM/cPanel environment. With DA I'm not sure how it compiles Apache, and what options you have and so forth. By process of elimination you can most of the time tweak the rule.

The problem that i face is all time i google, what i get is of cPanel/WHM.. not much for DA
so im also like you all alone..the hard way..
Still learning each day something or the other ..

===============================================
THIS IS THE FIRST TYPE ...
===============================================

POST /newreply.php?do=postreply&t=758 HTTP/1.1
Host: somedomain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://somedomain.com/showthread.php?p=59668
Cookie: [Cookie....]
Content-Type: application/x-www-form-urlencoded
Content-Length: 382
-----------------------------------------------
HTTP/1.1 403 Forbidden
-----------------------------------------------
Message: [client <CLIENT.IP.ADDRESS>] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/' '(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame)'] [severity "WARNING"]

===============================================
2nd ERROR TYPE
===============================================

GET /some/image/sample.gif HTTP/1.1
Host: <CLIENT.IP.ADDRESS>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.somedomain.com.com/index.php?showtopic=19815
Cookie: <COOKIE>
------------------------------------------------
HTTP/1.1 400 Bad Request
------------------------------------------------
Message: [<CLIENT.IP.ADDRESS>] mod_security: Access denied with code 400, [Rule: 'REQUEST_HEADERS:Host' '^[\d\.]+$'] [ID "960017"] [Msg "Host header is a numeric IP address"] [severity "CRITICAL"]

 

[grniyce]

in your /usr/local/apache/mod_sec user.conf or mod_sec_user2.conf one of those files in there you will see the same rule sets that are causing those errors. Remove those two and everything will work fine. The additional mod_security rules you implemented in the modsecurity and modsecurity.d folder are more comprehensive. Then restart httpd and you should be fine.

 

[-KaaL-]

I am scanning throu all the txt files to remove those rules..
in the mean time this is the stats of an attack i just experienced.
The site went slow...

the setting i kept is
Static Requests/second : 15
Dynamic req/sec : 5
Connection Soft Limit : 50
Connection Hard Limit : 80
Max Connections : 900
Connection Timeout (secs) : 15
Max Keep-Alive Requests : 100
Keep-Alive Timeout (secs) : 3

Mod_Sec was off at this time thou.. as it was causing problems.. but as i remove those rules, i'll test it with Mod_Sec On.

 

[-KaaL-]

Today I experienced an attack..

the error people get when visiting site was

408 Request Time-out This request takes too long to process, it is timed out by the server. 
If it should not be timed out, please contact administrator of this web site to increase 'Connection Timeout'

I hardened the settings as given before. But no use.
Where can I see logs like the one mod_status gives in LiteSpeed?

 

[anewday]

Try increasing Connection Timeout (secs) to 40. Do you mean the mod_status in Apache?

 

[-KaaL-]

Try increasing Connection Timeout (secs) to 40. Do you mean the mod_status in Apache?

I was getting tht error while server was getting DDoSed..
so increasing tht would just ease the protection rite?

And i have put the setting you said earlier.. but this is not helping me against attack..

Static Requests/second - 10
Dynamic Requests/second - 2
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 20
Connection Hard Limit - 30
Grace Period (sec) - 30
Banned Period (sec) - 3600

Max Connections : 900
Connection Timeout (secs) : 15
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

and yes im talking about the mod_status of apache.. can it work with litespeed? Because i am not getting a log of who are visitng and their Request details on LiteSpeed.

 

[anewday]

Yeah since you said people are seeing that error. But since your server is not hitting the max connections, it should be fine to ease a bit. Try setting static requests to 5 and dynamic to 1.

Litespeed doesn't have mod_status like Apache but they are working on it for version 4.2. You can just grep the domain access logs for now.

 

[anewday]

During the attack, run this command and paste it here.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

 

[Bob.]

I was getting tht error while server was getting DDoSed..
so increasing tht would just ease the protection rite?

And i have put the setting you said earlier.. but this is not helping me against attack..

Static Requests/second - 10
Dynamic Requests/second - 2
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 20
Connection Hard Limit - 30
Grace Period (sec) - 30
Banned Period (sec) - 3600

Max Connections : 900
Connection Timeout (secs) : 15
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

and yes im talking about the mod_status of apache.. can it work with litespeed? Because i am not getting a log of who are visitng and their Request details on LiteSpeed.

Why not set the outbound bandwidth/inbound bandwidth settings? Something like 300K outbound and 10K inbound should do. When under attack you'll also want to lower dynamic requests/second to 1 and connection soft/hard limit to around 10/20. All your other settings look fine during an attack.

Also as previously mentioned in this thread you'll want to install CSF and use it's connection tracking feature. Based on that graph you posted you should have no problem mitigating that attack with a properly tuned LSWS + CSF setup, assuming you have enough resources and a 100mbit pipe to work with.

 

[-KaaL-]

Hi Bob,

I have noted those settings and will do that incase of a DDoS Attack.

Also I have CSF installed on my server.
Here are the settings related to Connection Tracking..

CT_LIMIT  = 200
CT_INTERVAL = 30
CT_EMAIL_ALERT = 1
CT_PERMANENT = 0
CT_BLOCK_TIME = 1800
CT_SKIP_TIME_WAIT = 0
CT_STATES =
CT_PORTS =

 

[Bob.]

Hi Bob,

I have noted those settings and will do that incase of a DDoS Attack.

Also I have CSF installed on my server.
Here are the settings related to Connection Tracking..

CT_LIMIT  = 200
CT_INTERVAL = 30
CT_EMAIL_ALERT = 1
CT_PERMANENT = 0
CT_BLOCK_TIME = 1800
CT_SKIP_TIME_WAIT = 0
CT_STATES =
CT_PORTS =

During an attack you'll want to lower CT_LIMIT down to around 100, but if you set it to anything lower than that you'll probably begin to see false positives. You can use the "netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr" command to help you fine tune the limit. I would also enable permanent bans by setting CT_PERMANENT to 1 and set CT_STATES to ESTABLISHED,NEW. If you wanted to 'loosen' things a bit when your not under attack I would raise CT_LIMIT back up to 200 and disable permanent banning (so if a legitimate user does happen to get picked off, they do not have to contact you to get the block lifted) - once again reducing the risk of false positives.

 

[grniyce]

CSF Settings:
- 125 every 15 seconds (make perm or make temp 3600 seconds)
- turn off syn flood protection in csf as LSWS settings above work better

 

[anewday]

10 is too high for dynamic req/s.

 

[grniyce]

I was told to setup the dynamic req/sec to (one for every 256mb of ram)? What would you suggest?

 

[anewday]

I set mine at 2 and no one on my forum ever complained of getting 503 error due to that.

 

[-KaaL-]

Till now server seems to be running smoothly.. thanx to all who replied.

Will installing mem_cache further strenthen the server or does LiteSpeed already have some inbuilt functions to take care of it ?