LiteSpeed and DDoS Attacks


speedturtle


It can eat a lot of connections, but 100,000 or more is when you run into problems. So we have the system set to 100,000 connections (kernel setting) and the malicious user is using more than that. Well, the kernel starts dropping connections unless we do one of the following:

  1. Increase connection limits
  2. Drop the bad connections

The problem with 1 is that with that many connections the CPU usage from it starts to be substantial. With 2, well, you need to design your dropping based on the types of connections. So we did that on Venus and Titan when we figured out the attack. We also used the Cisco Guard on both so we did not have to be doing this sort of filtering.


First Titan, then Venus was attacked - both within the same day. These attacks probably originate from the same malicious user. Were they attacking websites belonging to one of your customers or were the attacks aimed at servers belonging to Hawk Host? If the latter, I'm concerned the rest of your servers will be attacked subsequently.


It was two unrelated attacks. One was at a reseller and another one was at one of our shared IPs. Obviously an attacker, if they were targeting us specifically, would have hit strictly our shared IPs, not some random reseller IP in another range. We're keeping an eye on things though.


  • 3 weeks later...
Implementing an intrusion detection system (IDS) is a good idea to prevent DDoS attacks. Would this be installed on Hawk Host's servers, if not now, maybe some time in the future?

We can already identify attacks. It's stopping certain types of attacks that is difficult. Typical attacks most providers see are HTTP GET floods, which are very easy to block. The tough ones to block are SYN floods, which you can try to mitigate, but the only real way is to use a Cisco Guard or some other mitigation device. Unfortunately the Guard will not turn on if it's only a few hundred Mbit/s. But a few hundred Mbit/s SYN flood will create millions of partial connections. So we identify the attack and ask for protection and hope it stops it.

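The two posts above make the same operational point from different angles: dropping has to be designed around the type of connection, and a SYN flood shows up as a pile of partial (half-open) connections rather than as completed requests. The following is an added example, not code from this thread or from Hawk Host, that reads a socket table in the column layout of `ss -tan` (State, Recv-Q, Send-Q, Local, Peer), counts half-open versus established sockets per peer, and applies two checks: a per-peer one, which catches a single source holding many half-open sockets or many established ones (a GET-flood candidate worth checking against request rate), and a whole-table one, because a SYN flood with spoofed sources spreads its half-open sockets over many peers and per-peer thresholds miss it. The sample socket lines, the addresses (documentation ranges) and the thresholds are all constructed assumptions.

```python
"""Added example (not from the thread): classify a TCP socket table to
separate a SYN flood (many half-open sockets) from an HTTP GET flood
(many established sockets from few peers). Input mimics `ss -tan`."""
from collections import Counter, defaultdict

# Constructed sample in the `ss -tan` column layout. On a real server this
# text would come from running `ss -tan`; the addresses below are
# documentation ranges and do not refer to any real host.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV   0      0      198.51.100.10:80     203.0.113.5:40001
SYN-RECV   0      0      198.51.100.10:80     203.0.113.5:40002
SYN-RECV   0      0      198.51.100.10:80     203.0.113.5:40003
SYN-RECV   0      0      198.51.100.10:80     203.0.113.11:33001
SYN-RECV   0      0      198.51.100.10:80     203.0.113.12:33002
SYN-RECV   0      0      198.51.100.10:80     203.0.113.13:33003
SYN-RECV   0      0      198.51.100.10:80     203.0.113.14:33004
SYN-RECV   0      0      198.51.100.10:80     203.0.113.15:33005
SYN-RECV   0      0      198.51.100.10:80     203.0.113.16:33006
ESTAB      0      0      198.51.100.10:80     192.0.2.7:51000
ESTAB      0      0      198.51.100.10:80     192.0.2.7:51001
ESTAB      0      0      198.51.100.10:80     192.0.2.7:51002
ESTAB      0      0      198.51.100.10:80     192.0.2.7:51003
ESTAB      0      0      198.51.100.10:80     192.0.2.8:52000
"""


def parse_ss(text):
    """Return a list of (state, peer_ip) tuples from ss -tan style text.

    The first line is the column header and is skipped; lines with fewer
    than five whitespace-separated fields are ignored as malformed.
    """
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, peer = parts[0], parts[4]
        ip = peer.rsplit(":", 1)[0]  # strip the port, keep the address
        rows.append((state, ip))
    return rows


def summarize(rows):
    """Map each peer IP to a Counter of socket states seen from it."""
    per_peer = defaultdict(Counter)
    for state, ip in rows:
        per_peer[ip][state] += 1
    return per_peer


def classify(per_peer, half_open_threshold=3, estab_threshold=3):
    """Per-peer verdict (thresholds are assumptions for the sample).

    'syn-flood'          : half-open sockets dominate and exceed the threshold
    'get-flood-candidate': many established sockets; confirm with request rate
    'normal'             : everything else
    """
    verdicts = {}
    for ip, counts in per_peer.items():
        half_open = counts["SYN-RECV"]
        estab = counts["ESTAB"]
        if half_open >= half_open_threshold and half_open > estab:
            verdicts[ip] = "syn-flood"
        elif estab >= estab_threshold:
            verdicts[ip] = "get-flood-candidate"
        else:
            verdicts[ip] = "normal"
    return verdicts


def table_verdict(per_peer, half_open_ratio=0.5, distinct_peers=5):
    """Whole-table verdict for the spoofed-source case.

    A SYN flood with forged sources gives each fake peer one half-open
    socket, so no single peer crosses a per-peer threshold. Flag the table
    when half-open sockets make up at least `half_open_ratio` of all sockets
    and at least `distinct_peers` peers hold only half-open sockets.
    """
    total_half = sum(c["SYN-RECV"] for c in per_peer.values())
    total_estab = sum(c["ESTAB"] for c in per_peer.values())
    only_half = sum(1 for c in per_peer.values() if c["SYN-RECV"] and not c["ESTAB"])
    total = total_half + total_estab
    if total and total_half / total >= half_open_ratio and only_half >= distinct_peers:
        return "syn-flood"
    return "normal"


if __name__ == "__main__":
    table = summarize(parse_ss(SAMPLE_SS_OUTPUT))
    for ip, verdict in sorted(classify(table).items()):
        print(f"{ip:15} {verdict}")
    print("table:", table_verdict(table))
```

On the sample, the per-peer check flags 203.0.113.5 (three half-open sockets) and marks 192.0.2.7 as a GET-flood candidate, while each of the six single-socket peers looks normal on its own; only the whole-table check reports the SYN flood, which is the case the last post describes as hard to stop. Whatever drop rule follows from such a verdict belongs in the firewall or a mitigation device, not in this script.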
