Anti Flood attack?

saosangmo

Hi all,
On one vhost, I see many thousands of lines:

102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:24 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:25 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:25 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:25 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:25 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:25 +0700] "GET / HTTP/1.1" 200 248 "-" "-"
102.116.116.98 - - [08/May/2014:11:04:25 +0700] "GET / HTTP/1.1" 200 248 "-" "-"

It caused over-usage on my server.

In the future, can I terminate all of the same requests automatically?

Thanks
 
A "D"DOS attack will come from many different IPs.
Your attack comes from one IP, it seems.

I'm not too experienced with CSF/LPF, but doesn't it have some sort of flood prevention for this type of hit?
 
Oh, sorry, this is a flood-type attack.
Could anybody help me configure CSF to prevent this attacker in the future?
Thanks
 
I've renamed the thread to indicate the emphasis on flood prevention.

You can check the CSF configuration from DirectAdmin. Search for the word flood.

One section to look at: Port Flood Settings

Jeff
 
As I see it, you're both right. If it's too large an attack, you probably want to block it upstream from your server, if your upstream will cooperate and has the equipment. Simply because it's possible to overload your local system if you're relying on your own firewall.

Best bet is for your upstream to null-route any requests from that IP#. But many of us are likely on our own.

Jeff
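
Added example, not part of any post in this thread: a small Python detector that reads Apache access-log lines like the ones quoted in the first post and reports any client IP that exceeds a request threshold inside a short sliding window. The function name, the thresholds, and the 192.0.2.10 and malformed sample lines are constructed for illustration; the 102.116.116.98 lines repeat the ones posted above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Prefix shared by Apache common and combined log formats:
# client ident user [timestamp] "request line" ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_flooders(lines, max_hits=10, window_seconds=2):
    """Return {ip: peak_hits} for every client that made more than
    max_hits requests within any window_seconds span.
    Assumes lines are in chronological order, as in an access log."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peaks = {}
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue              # skip truncated or malformed lines
        ip, raw_ts, _request = match.groups()
        try:
            ts = datetime.strptime(raw_ts, TS_FORMAT)
        except ValueError:
            continue              # unparseable timestamp
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] >= window:
            hits.popleft()        # drop requests that fell out of the window
        if len(hits) > max_hits:
            peaks[ip] = max(peaks.get(ip, 0), len(hits))
    return peaks

FLOOD = '102.116.116.98 - - [08/May/2014:11:04:{:02d} +0700] "GET / HTTP/1.1" 200 248 "-" "-"'
SAMPLE = (
    [FLOOD.format(24)] * 13       # as posted in the thread
    + [FLOOD.format(25)] * 6      # as posted in the thread
    + [                           # constructed lines below
        '192.0.2.10 - - [08/May/2014:11:04:25 +0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        'this line is truncated and does not match the log format',
        '192.0.2.10 - - [08/May/2014:11:04:40 +0700] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    ]
)

if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE).items():
        print(f"{ip}: {peak} requests within 2 seconds")
```

A flagged address can then be reviewed and denied in the firewall, for example with `csf -d <ip>`, while rate limiting itself stays in the CSF flood settings mentioned above.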
 