Problem with a DoS attack and reverse proxy

track1

#1
Hello,
I'm running a site with a reverse proxy service (Cloudflare).

Settings are set as indicated:

Server > General Settings > Use Client IP in Header: Trusted IP Only
Server > Security > Allowed List: ALL + full list of proxy IPs with T (trusted)

Under normal usage everything works OK and visitors' IPs are logged correctly.

But today we had an attack, and the system didn't work as expected:

For some queries (attack queries) the LiteSpeed error log was logging Cloudflare IPs instead of the attacker IP (some problem interpreting headers? some problem with Cloudflare sending headers?).

That means LiteSpeed's DDoS Per Client Throttling feature doesn't work because IPs are not detected, and the attack has more effect.

Log:

Code:
2015-01-16 01:08:07.979 [INFO] [108.162.212.29:20202-0] Status 400: Unexpected request body 8 bytes for request: /!
2015-01-16 01:08:07.284 [INFO] [108.162.212.29:57857-0] Status 400: Unexpected request body 8 bytes for request: /!
2015-01-16 01:08:07.101 [INFO] [108.162.212.29:33165-0] Status 400: Unexpected request body 8 bytes for request: /!
2015-01-16 01:08:06.452 [INFO] [108.162.212.29:11579-0] Status 400: Unexpected request body 8 bytes for request: /!
2015-01-16 01:08:04.881 [INFO] [108.162.212.29:36745-0] Status 400: Unexpected request body 8 bytes for request: /!
2015-01-16 01:08:04.867 [INFO] [108.162.212.29:44877-0] Status 400: Unexpected request body 8 bytes for request: /!
2015-01-16 01:08:04.442 [INFO] [108.162.212.29:56000-0] Status 400: Unexpected request body 8 bytes for request: /!
2015-01-16 01:08:02.802 [INFO] [108.162.212.29:35227-0] Status 400: Unexpected request body 8 bytes for request: /!
2015-01-16 01:08:02.525 [INFO] [108.162.212.29:57799-0] Status 400: Unexpected request body 8 bytes for request: /!
2015-01-16 01:08:02.506 [INFO] [108.162.212.29:41828-0] Status 400: Unexpected request body 8 bytes for request: /!
 

track1

#2
After more checking, it seems everything is OK; it was just a coincidence.
All attacker IPs are logged, and the IPs from the proxy are generated by a coincidental problem!
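
A way to make the check described in this thread repeatable, as an added example that is not part of either post and not LiteSpeed code: it splits error-log entries into those whose logged peer is a trusted proxy address and those that carry a real client address. The single Cloudflare range, the names `TRUSTED_PROXIES` and `classify`, and the third sample line are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: one published Cloudflare range that covers the address in the
# log above. In practice, load every entry marked trusted in the Allowed List.
TRUSTED_PROXIES = [ipaddress.ip_network("108.162.192.0/18")]

# Constructed sample: two lines in the format shown in the first post, plus one
# made-up line using a documentation address (203.0.113.7) for contrast.
SAMPLE_LOG = """\
2015-01-16 01:08:07.979 [INFO] [108.162.212.29:20202-0] Status 400: Unexpected request body 8 bytes for request: /!
2015-01-16 01:08:07.284 [INFO] [108.162.212.29:57857-0] Status 400: Unexpected request body 8 bytes for request: /!
2015-01-16 01:08:09.100 [INFO] [203.0.113.7:40112-0] Status 400: Unexpected request body 8 bytes for request: /!
"""

# timestamp, [LEVEL], [ip:port-seq], message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] "
    r"\[(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)-\d+\] (?P<msg>.*)$"
)


def is_trusted_proxy(ip_text):
    """True if the logged peer address lies inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def classify(log_text):
    """Count entries per (peer IP, message), split into proxy and client peers."""
    proxy, client = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        bucket = proxy if is_trusted_proxy(m["ip"]) else client
        bucket[(m["ip"], m["msg"])] += 1
    return proxy, client


if __name__ == "__main__":
    proxy_hits, client_hits = classify(SAMPLE_LOG)
    print("logged with proxy address:", dict(proxy_hits))
    print("logged with client address:", dict(client_hits))
```

Entries in the proxy bucket are the ones where per-client throttling would be keyed on the proxy address, so grouping them by message shows whether they come from one specific error path or from all traffic.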
 