LiteSpeed and DDoS Attacks


Recommended Posts

It can eat a lot of connections but 100,000 or more is when you run into problems. So we have the system set to 100,000 connections (kernel setting) and the malicious user is using more than that. Well the kernel starts dropping connections unless we either do one of the following

  1. Increase connection limits
  2. Drop the bad connections

The problem with 1. is with that many connections the CPU usage from it starts to be substantial. With number 2 well you need to design your dropping based on the types of connections. So we did that on Venus and Titan when we figured out the attack. We also used the Cisco Guard on both so we did not have to be doing this sort of filtering.

Link to comment
Share on other sites

First Titan, then Venus was attacked - both within the same day. These attacks probably originate from the same malicious user. Were they attacking websites belonging to one of your customers or were the attacks aimed at servers belonging to Hawk Host? If the latter, I'm concerned the rest of your servers will be attacked subsequently.

Link to comment
Share on other sites

It was two unrelated attacks. One was at a reseller and another one was at one of our shared IP's. Obviously an attacker if they were targeting us specifically would have hit strictly our shared IP's not some random reseller IP in another range. We're keeping an eye on things though

Link to comment
Share on other sites

  • 3 weeks later...
Implementing an intrusion detection system (IDS) is a good idea to prevent DDoS attacks. Would this be installed on Hawk Host's servers, if not now, maybe some time in the future?

We can already identify attacks. It's stopping certain types of attacks that are difficult. Typical attacks most providers see are http get floods which are very easy to block. The tough ones to block are syn floods which you can try to mitigate but the only real way is to use a cisco guard or some other mitigation device. Unfortunately the guard will not turn on if it's only a few hundred mbits. But a few hundred mbit syn flood will create millions of partial connections. So we identify the attack and ask for protection and hope it stops it.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.