URGENT: Need help! Someone trying to bring the server down!

Discussion in 'Security' started by sidernik, Feb 10, 2008.

  1. #1
    OK here's the deal...

    I'm running a site, along with a friend of mine. We're running those sites off a dedicated server. It has a dual core and 2gb of ram. He's running a site with exactly the same script, just a different design. The difference is that his site is much bigger, and gets many more unique visitors.

    Both of these sites use a massive amount of resources, they're very resource intensive, using Mysql very much. When his site is running at max. the server load gets to 3.00 max..

    Lately, my friend and I have noticed a massive increase of server load when my site got lots of people online. The server load went from 1.80 up to 28.00!!! Forcing him to suspend my site (he's the server administrator, I only got access to cpanel).

    This is very odd, because both sites are running with the same script, and he gets a lot more users visiting his site. I tried replacing the php files with his, checking the database, and even checking traffic logs. And I noticed VERY weird things. I think my site is getting attacked by a DDoS, because I get 8x (!!) the amount of reqs he does, and about a gig more bandwidth used up by me.

    Now I tried putting my site down, the server load went from 20.00 to nearly 0.80. What a dramatic decrease! Then when I put the site back up, it was idling around 3.00-4.00 and suddenly jumped back to 20.00 and still increasing!! It got to 26.00 and yet again I had to put my site down and placed a notice on there. Until now my site is down, I have no clue what to do, neither does my friend. I tried blocking ip ranges from China (because that's where most bot users come from, I think..), but it didn't help..

    Please help me out, I'm desperate:(
     
    sidernik, Feb 10, 2008 IP
  2. qualityhostings

    #2
    Why don't you try LiteSpeed webserver?
    I'm using it and the server load is just fine, always under 1.
    www.litespeedtech.com

    They offer installation for $150

    But I can do it for you for an affordable and cheap price. Plus, I can install a firewall for you so that it will block all IPs that are causing a lot of hits; it has a lot of features.

    PM me if you are interested.

    We use LiteSpeed webserver


    Our server load is 0.1 to 1.5 around all the day, but will increase to 5 or 6 if the cpanel log is updating or taking some backups. That will be for a few minutes only.


    Also,
    LiteSpeed can block dos attacks very easily. :)

    Vivek
     
    qualityhostings, Feb 10, 2008 IP
  3. sidernik

    #3
    Interesting... PM sent.

    Still looking forward to more replies, thanks.
     
    sidernik, Feb 10, 2008 IP
  4. qualityhostings

    #4
    Hello

    Thank you. Please note, the LiteSpeed installation requires root access; I think your friend has root access. :)
     
    qualityhostings, Feb 10, 2008 IP
  5. sidernik

    #5
    Yes I know.

    I just contacted him, he's going to give me root access when he wakes up (he's sleeping now).
     
    sidernik, Feb 10, 2008 IP
  6. qualityhostings

    #6
    No problem.

    ok, please take a look at the LiteSpeed Webserver website at www.litespeedtech.com

    Read the features etc

    May I ask, how many domains do you have? Because they offer the LiteSpeed standard version free of cost, which can be used on your server if you have less than 5 websites.

    Vivek
     
    qualityhostings, Feb 10, 2008 IP
  7. gate2vn

    #7
    Just for correction:
    - the free version of Litespeed is good for 5 virtual_hosts, including domains and sub-domains. That's different from 5 web sites :)
    - the $150 product is just for VPS or one-core CPU. By installing that version, your CPU will be processed as one core only, so you will miss the second core, as your CPU is dual-core

    My advice: before switching to Litespeed, you might want to optimize your current Apache and MySQL, as your site is a database-driven one
     
    gate2vn, Feb 10, 2008 IP
  8. grk519

    #8
    Should also look into installing Zend Optimizer and ionCube loader onto the machine if it is not already installed, as well as optimizing apache and mysql. Get your friend to install mod_dosevasive and mod_security with apache and that should prevent most of the DDoS attacks; as a second layer of protection have him add the APF or CSF firewall to the machine to block the DDoS attacks.
     
    grk519, Feb 11, 2008 IP
  9. qualityhostings

    #9
    His friend will not share server login with anybody.
    So these posts are meaningless and a waste of time.

    Tell your friend to trust somebody at least for a better security.

    Zend Optimizer and ionCube loaders are not going to help you for protecting the server, as they are just some plugins needed for decoding encoded php scripts.

    As far as I know, Apache and mod_security can't prevent DDoS attacks. The DDoS firewall must be from the datacenter. I think grk519 is talking about DoS attacks.
     
    qualityhostings, Feb 11, 2008 IP
  10. qualityhostings

    #10
    Yeah, that's right, it is for 5 virtual hosts. I simply typed "websites" thinking that he would not understand what virtual hosts etc. are.

    $150 is the installation and initial configuration charge. It is the same for single core, double core or 4 core license. The Single core LiteSpeed enterprise version will also work great on a dual core machine, but if you can afford the dual core license rate, then you can buy it..

    There is a 14-day trial; you can install and use it. If you like it, then you can buy a monthly license.
     
    qualityhostings, Feb 11, 2008 IP
  11. tsenseless

    #11
    If someone is ddos'ing your site with massive amounts of gets (to overload your sql server) and you have a dedicated ip for your site.. The best and easy thing to do would be to just use iptables to rate limit incoming connections to :80 on your ip. It's 2 lines of iptables code to do the job, here you go:

    iptables -I INPUT -p tcp --dport 80 -d 0.0.0.0/0 -i + -m state --state NEW -m recent --set
    iptables -I INPUT -p tcp --dport 80 -d 0.0.0.0/0 -i + -m state --state NEW -m recent --update --seconds 12 --hitcount 8 -j DROP

    replace 0.0.0.0/0 with your ip.. --hitcount is the number of hits before a ban occurs.. --seconds is the ban length as well as the seconds in which that 8 hits has to come in.

    So, this is currently configured to check port 80 on any ip on any interface for more than 8 connections per 12 seconds, and if a hit occurs will ban that ip for 12 seconds.. (IIRC)

    You also need to keep in mind, ***if apache is NOT set to "KeepAlive On" this will NOT help you***. Here is the reason.

    When a user comes to your site and requests a page, if keepalive is not turned on, the browser will make multiple connections to request the images, etc. associated with the site. When keepalive is turned on, it requests all of that data through a single stream.

    If someone is using a script like I'm suggesting to attack your servers then they will simply be grabbing the html code and not the images (so it should be relatively easy to parse this out of your log files to find out.. Look for hosts requesting php or html files but not requesting images.. Note: search engines will also not request images).. What ends up happening is that your normal users get banned and the bot is allowed to continue..

    However, if keepalive is turned on, when a user grabs this data it's through a single thread. If someone is spamming connections to your site to overload your SQL server, the spammer would create many times more connections than your normal user would, and as a result they will be banned and your normal users will be allowed to continue.
     
    tsenseless, Feb 13, 2008 IP
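A way to check tsenseless's two points against an access log, as an added example that is not part of this thread: it lists hosts that fetch php/html pages but never an image or stylesheet, and replays the requests through the same 8-hits-in-12-seconds window the iptables recent rule uses, counting each logged request as one new connection (the no-KeepAlive case described above). It assumes Apache combined-log format; the log lines, IPs and paths are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')
STATIC_EXT = (".gif", ".jpg", ".jpeg", ".png", ".css", ".js", ".ico")
PAGE_EXT = (".php", ".html", ".htm", "/")

# Constructed sample lines in Apache combined-log format (made-up IPs and paths).
SAMPLE_LOG = "\n".join(
    # a browser: one page plus the static files that go with it
    ['203.0.113.5 - - [13/Feb/2008:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
     '203.0.113.5 - - [13/Feb/2008:10:00:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
     '203.0.113.5 - - [13/Feb/2008:10:00:01 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
     # a crawler: pages only, but slow enough to stay under the rate limit
     '192.0.2.77 - - [13/Feb/2008:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Googlebot/2.1"',
     '192.0.2.77 - - [13/Feb/2008:10:00:30 +0000] "GET /about.html HTTP/1.1" 200 3000 "-" "Googlebot/2.1"']
    # a flood: ten page requests from one host in ten seconds, no static files at all
    + [f'198.51.100.9 - - [13/Feb/2008:10:00:{s:02d} +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"'
       for s in range(10)]
)

def parse(log_text):
    """Yield (ip, timestamp, path) for every parsable access-log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(3)

def pages_only_hosts(log_text):
    """Hosts that request .php/.html pages but never a static asset, with their page count."""
    pages, assets = defaultdict(int), defaultdict(int)
    for ip, _, path in parse(log_text):
        base = path.split("?", 1)[0].lower()
        if base.endswith(STATIC_EXT):
            assets[ip] += 1
        elif base.endswith(PAGE_EXT):
            pages[ip] += 1
    return {ip: n for ip, n in pages.items() if ip not in assets}

def would_be_dropped(log_text, seconds=12, hitcount=8):
    """Replay requests through the sliding window of the iptables 'recent' rule above: a request
    is dropped when its source already has >= hitcount earlier requests in the last `seconds`."""
    seen, flagged = defaultdict(list), set()
    for ip, ts, _ in sorted(parse(log_text), key=lambda t: t[1]):
        recent = [t for t in seen[ip] if (ts - t).total_seconds() <= seconds]
        if len(recent) >= hitcount:
            flagged.add(ip)          # this connection would hit the DROP rule
        seen[ip] = recent + [ts]     # dropped or not, the hit is recorded (--update / --set)
    return flagged
```

Note that the crawler shows up in the pages-only list but not in the rate-limit list, which is the search-engine caveat tsenseless mentions.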
  12. sidernik

    #12
    Thank you very much for your posts!

    Especially tsenseless, very useful info...

    As I type now the site has been fixed; basically the problem was a specific file that used a very bad way to access mysql. And considering there were 200K rows (5K new ones a day) that had to be accessed, it was causing lots of lag, and what I did was delete those 200K rows and the load issue got fixed.
     
    sidernik, Feb 14, 2008 IP
  13. Wavelength

    #13
    ok...

    although you might want to look into the security of the server as well and ensure all the updates are installed so you aren't back next week thinking it's the same problem again
     
    Wavelength, Feb 20, 2008 IP