For the life of me, I can't find the destination url mentioned on the stats page.

#1
It's very useful to know what url is being hit when a ddos (or almost any other issue) occurs.

Am I missing something really obvious here or do I have to trawl through the vhost's access log?

Cheers,
Brett.
 
#3
Bummer

That counts Litespeed out for me then.

Service-status with the apache extended-status option enabled allows us to see the url requested - invaluable in trying to determine where possible faults might lie.

Is this ability going to be in Litespeed anytime soon?
 

xing

LiteSpeed Staff
#4
LiteSpeed uses a more aggressive and more efficient way of handling DoS attacks. When the IP source hits defined throttle ceilings, the request is stopped at the earliest possible detection stage. When an IP hits the throttle, LiteSpeed doesn't waste any resources parsing that request's HTTP header/payload.

This is the reason why LiteSpeed does not log request destination of clients that are over the throttle limit.

Imagine a case of 100 simultaneous 1MB HTTP POST attacks by a single DoS source. Why bother even parsing any part of the request? If it's over the connection/bandwidth limit, just deny the request.

Apache gave you the http destination because it just wasted resources parsing a payload that's already a security risk to begin with.
 

mistwang

LiteSpeed Staff
#5
LiteSpeed mainly deals with DDoS attacks automatically based on various throttling limits. No manual check is needed under attack. The IPs hitting the limit are logged in error.log.

Next release, we will add an option to block bad IPs with firewalls automatically, so the bots are not even able to reach the web server port any more.

We plan to add content-based DDoS detection in our advanced Anti-DDoS product; our current anti-DDoS feature is already the most powerful solution implemented inside a web server.
 

ts77

Well-Known Member
#6
mistwang, while you are at it: how about something like a sliding window? E.g. having 10 requests in 10 seconds or something. I wouldn't want to block someone with more than one request per second, as this can happen, but if it happens for more than a couple of seconds ... :).
Also I'd like to configure exceptions for the limits, e.g. for benchmarks or special IP ranges (I don't want to stop the Google crawler from indexing ... ;)).

Yes, currently I'm doing all this in the PHP scripts accessed, but it would be nice to have it in the webserver itself.
 

mistwang

LiteSpeed Staff
#7
Request rate limit only slows it down; it will not result in being blocked.
Only when the number of connections reaches the limit will it be banned.
Adding an IP/subnet to the trusted IP list at the server-level access control will bypass all per-IP throttling.

So, current LiteSpeed can do pretty much what you need now.
 

ts77

Well-Known Member
#8
I know, that's really going off-topic now, but I just want to continue that.
Where's the "Trusted IP list"? Do you mean the allowed list in access control?
Edit: oh, found the explanation in the docs for the allowed list in access control:
> If you have trusted IP or sub-network, then you must specify them in allowed list by adding a trailing "T" such as 192.168.1.*T. Trusted IP or sub-network is not limited by connection/throttling limit.
Also, how would I implement my above requirement with raw lsws?
I want to limit requests to dynamic content to ~20 requests per 10 seconds - mainly for kicking aggressive offline-browsing tools.
Static content can be downloaded with as many requests as wanted (don't have large static content, just some icons/images).
 

mistwang

LiteSpeed Staff
#9
> Also, how would I implement my above requirement with raw lsws?
> I want to limit requests to dynamic content to ~20 requests per 10 seconds - mainly for kicking aggressive offline-browsing tools.
> Static content can be downloaded with as many requests as wanted (don't have large static content, just some icons/images).
Just set "Dynamic request per second" to 2, and set "Static request per second" to "100". It only slows the client down; it will not ban a client because of requesting more than 2 pages of dynamic content at the same time.
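To make the mechanics discussed in this thread concrete (ts77's sliding-window idea with exceptions for trusted ranges, and the per-IP limit on dynamic vs. static requests that mistwang maps to the "Dynamic request per second" setting), here is a small added example. It is not LiteSpeed code and does not show how lsws implements its throttling internally; it only reuses the allowed-list format quoted from the docs above (a trailing "T" marks a trusted IP or sub-network). The `is_dynamic` heuristic, the sample IPs and the 20-requests-per-10-seconds numbers are assumptions chosen for the demonstration.

```python
import fnmatch
from collections import deque

# Constructed allowed list in the lsws style quoted from the docs: a trailing "T"
# marks a trusted IP or sub-network that bypasses per-IP throttling; entries
# without "T" are allowed but still throttled.
ALLOWED_LIST = ["192.168.1.*T", "10.0.0.5T", "203.0.113.*"]


def parse_allowed_list(entries):
    """Turn allowed-list entries into (wildcard pattern, trusted?) pairs."""
    parsed = []
    for entry in entries:
        entry = entry.strip()
        trusted = entry.endswith("T")
        pattern = entry[:-1] if trusted else entry
        parsed.append((pattern, trusted))
    return parsed


def is_trusted(ip, parsed):
    """True when the IP matches a trusted (T-suffixed) entry."""
    return any(trusted and fnmatch.fnmatchcase(ip, pattern)
               for pattern, trusted in parsed)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each IP.

    A true sliding window: timestamps older than `window` fall off the left
    of a deque, so a client is judged on its last `window` seconds rather than
    on fixed calendar buckets.
    """

    def __init__(self, limit=20, window=10.0):
        self.limit = limit
        self.window = window
        self.hits = {}  # ip -> deque of request timestamps (seconds)

    def allow(self, ip, now):
        q = self.hits.setdefault(ip, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # expire hits outside the window
        if len(q) >= self.limit:
            return False  # over the limit: throttle, do not ban
        q.append(now)
        return True


def is_dynamic(path):
    """Assumed heuristic: script extensions or a query string mean dynamic content."""
    return path.endswith((".php", ".cgi")) or "?" in path


def decide(ip, path, now, limiter, parsed_allowed):
    """Return 'allow' or 'throttle' for one request.

    Static content is never limited, trusted IPs bypass the limiter entirely,
    and everyone else is subject to the sliding window on dynamic requests.
    """
    if not is_dynamic(path):
        return "allow"
    if is_trusted(ip, parsed_allowed):
        return "allow"
    return "allow" if limiter.allow(ip, now) else "throttle"


def simulate():
    """Replay constructed traffic and return the decisions per scenario."""
    limiter = SlidingWindowLimiter(limit=20, window=10.0)
    parsed = parse_allowed_list(ALLOWED_LIST)
    results = {}
    # An untrusted client fetching 25 dynamic pages within 2.5 seconds.
    results["untrusted_dynamic"] = [
        decide("198.51.100.7", "/index.php", i * 0.1, limiter, parsed)
        for i in range(25)]
    # The same client fetching 25 icons: static content is not limited.
    results["untrusted_static"] = [
        decide("198.51.100.7", "/icon.png", i * 0.1, limiter, parsed)
        for i in range(25)]
    # A trusted sub-network client doing the same dynamic burst.
    results["trusted_dynamic"] = [
        decide("192.168.1.50", "/index.php", i * 0.1, limiter, parsed)
        for i in range(25)]
    # Once the oldest hit has aged out of the window, the client is allowed again.
    results["after_window"] = decide("198.51.100.7", "/index.php", 10.0,
                                     limiter, parsed)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

The point ts77 raised is visible in the numbers: a client doing 25 dynamic requests in 2.5 seconds gets its last 5 throttled rather than banned, its static requests are untouched, a `192.168.1.*T` client is never consulted against the limiter, and as soon as the oldest hit slides out of the 10-second window the client is served again.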
 

anewday

Well-Known Member
#12
> Next release, we will add an option to block bad IPs with firewalls automatically, so the bots are not even able to reach the web server port any more.
>
> We plan to add content-based DDoS detection in our advanced Anti-DDoS product; our current anti-DDoS feature is already the most powerful solution implemented inside a web server.
Seems both aren't in the new versions; have they been dropped from the list?