Understanding LiteSpeed Denial of Service Packet Filter Setup Service

LiteSpeed Denial of Service Packet Filter Setup Service will fine-tune the anti-DDoS configuration and set up iptables to automatically block attacking IPs detected by the web server. 

This is sufficient for many common attack scenarios. In cases of extreme attacks, this service will not be sufficient, and only custom / hourly support may be appropriate.

In order to determine whether the service fits your needs, we will need to identify the type of attack your site is experiencing - for example, whether it is targeting Layer 4 (IP/port) or Layer 7 (HTTP/URL), what the scale of the attack is, how many bots are in the attacking botnet, and whether you have Layer 3 protection at the firewall level for SYN flood attacks.

For example, LiteSpeed Advanced Anti-DDoS Setup will efficiently protect against Layer 7 HTTP and Layer 4 TCP bot attacks, but not against a Layer 3 SYN flood attack. A SYN flood sends SYN packets with spoofed source IP addresses and requires Layer 3 protection at the firewall level. If a TCP connection is established, it is a Layer 4 attack, but if a TCP connection is not established, it is Layer 3.

Layer 4 TCP connection floods can be detected and blocked by the LiteSpeed Advanced Anti-DDoS Setup Layer 4 connection hard limit settings.

For large-scale attacks, server kernel-level settings may need to be adjusted to handle the large number of HTTP requests during the attack.

Generally speaking, LiteSpeed can handle up to 1000 bots without a problem. If the number of bots is well over 1000, LiteSpeed Web Server can still handle the concurrent connections, but server memory or PHP execution typically becomes the bottleneck. LiteSpeed Web Server can be configured to cache the attacked page, reducing server/PHP resource usage and increasing the server's overall capacity, but that is well beyond the scope of this service.

When you have a front-end proxy/CDN, the Denial of Service Packet Filter Setup may not work, since it blocks attacking robots at the IP level with iptables. When there is a front proxy, the web server only sees the IP of the proxy, and it cannot block the proxy IP, as all traffic is coming from that IP. If you have CloudFlare Pro or a similar service already, you may not need the Denial of Service Packet Filter Setup Service, since they do a similar job.
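
The distinction drawn above between half-open and established connections, and the front-proxy caveat, can be checked from a connection snapshot before deciding whether per-IP blocking will help. The following is an added example, not LiteSpeed's code: it parses `ss -tan` style output, and the function names, thresholds, `proxy_ips` parameter and sample addresses are all assumptions made for illustration.

```python
from collections import Counter

def peer_ip(addr):
    """Drop the port from an ss address: 198.51.100.7:51514 or [2001:db8::1]:443."""
    return addr.rsplit(":", 1)[0].strip("[]")

def triage(ss_output, port=443, proxy_ips=(), half_open_ratio=0.5, per_ip_limit=20):
    """Classify a snapshot of `ss -tan` output by the article's layer distinction.
    half_open_ratio and per_ip_limit are illustrative, not LiteSpeed settings."""
    half_open, established = Counter(), Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[3].endswith(f":{port}"):
            continue  # header, blank line, or another local port
        if fields[0] == "SYN-RECV":   # handshake never completed
            half_open[peer_ip(fields[4])] += 1
        elif fields[0] == "ESTAB":    # handshake completed
            established[peer_ip(fields[4])] += 1
    n_half, n_est = sum(half_open.values()), sum(established.values())
    over_limit = sorted(ip for ip, n in established.items() if n > per_ip_limit)
    if n_half + n_est == 0:
        verdict = "no-connections"
    elif n_half / (n_half + n_est) >= half_open_ratio:
        verdict = "syn-flood"          # needs firewall-level protection
    elif any(ip in proxy_ips for ip in over_limit):
        verdict = "behind-proxy"       # blocking this peer blocks all visitors
    elif over_limit:
        verdict = "connection-flood"   # per-IP blocking applies
    else:
        verdict = "normal"
    return {"verdict": verdict, "half_open": n_half, "established": n_est,
            "block_candidates": [ip for ip in over_limit if ip not in proxy_ips]}

def sample(state, peer, n):
    """Build n constructed ss-style lines for one peer (not a real capture)."""
    return "\n".join(f"{state} 0 0 203.0.113.10:443 {peer}:{40000 + i}" for i in range(n))

if __name__ == "__main__":
    flood = sample("ESTAB", "192.0.2.50", 45) + "\n" + sample("ESTAB", "192.0.2.51", 3)
    print(triage(flood))
    print(triage(flood, proxy_ips={"192.0.2.50"}))
```

The same snapshot yields a blockable source when the heavy peer is a client, and no block candidates when that peer is listed as the front proxy.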

