How to protect against some sort of layer 7 flood

Indrek

New Member
#1
Hi again..

I've been getting some sort of flood on my forum lately.. it takes my PHP CPU load average from 0,6 to 10+ sometimes.

I'm used to getting DDoSed, since I run game servers.. and I have lots of protections. Even Cloudflare.

When I look at my access logs I see one IP flooding the server.. usually one IP at a time.
When I block it, it's solved until they use another IP..

Is there a way to automatically stop this sort of flood and DDoS in OLS? Or what should I do?
This high PHP CPU usage is a problem for other services as well.

So here's a sample of the access log.. IP is not changed. That's the flooder, looks like it's his real home IP. But I changed my site's name for now. Just in case.

Code:
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /forumdisplay.php?datecut=10&fid=791&order=desc&prefix=WEB-INF%5cweb.xml&sortby=subject HTTP/1.1" 200 4938 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /forumdisplay.php?datecut=10&fid=878&order=asc&sortby=%252fetc%252fpasswd HTTP/1.1" 200 4652 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /search.php HTTP/1.1" 403 3920 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:51 +0300] "GET / HTTP/1.1" 200 6716 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /forumdisplay.php?datecut=10&fid=791&order=desc&prefix=../../../../../../../../../../etc/passwd&sortby=lastpost HTTP/1.1" 200 4945 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /forumdisplay.php?datecut=10&fid=878&order=asc&sortby=/.././.././.././.././.././.././.././../etc/./passwd%2500 HTTP/1.1" 200 4652 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /search.php HTTP/1.1" 403 3920 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /forumdisplay.php?datecut=10&fid=791&order=desc&prefix=../../../../../../../../../../../../../../../proc/version&sortby=lastpost HTTP/1.1" 200 4945 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /forumdisplay.php?datecut=10&fid=878&order=asc&sortby=../..//../..//../..//../..//../..//../..//../..//../..//etc/passwd HTTP/1.1" 200 4652 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 4189 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /search.php HTTP/1.1" 403 3920 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /forumdisplay.php?datecut=10&fid=791&order=desc&prefix=..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg&sortby=lastpost HTTP/1.1" 200 4945 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /forumdisplay.php?datecut=10&fid=878&order=asc&sortby=../.../.././../.../.././../.../.././../.../.././../.../.././../.../.././etc/passwd HTTP/1.1" 200 4652 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /search.php HTTP/1.1" 403 3920 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /forumdisplay.php?datecut=10&fid=791&order=desc&prefix=../../../../../../../../../../etc/passwd%00.jpg&sortby=lastpost HTTP/1.1" 200 4950 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:55 +0300] "GET /forumdisplay.php?datecut=10&fid=878&order=asc&sortby=..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd HTTP/1.1" 200 4647 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /search.php HTTP/1.1" 403 3920 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /forumdisplay.php?datecut=10&fid=791&order=desc&prefix=..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg&sortby=lastpost HTTP/1.1" 200 4945 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /forumdisplay.php?datecut=10&fid=878&order=asc&sortby=invalid../../../../../../../../../../etc/passwd/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././
././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././
./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././. HTTP/1.1" 200 4652 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /search.php HTTP/1.1" 403 3920 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /forumdisplay.php?datecut=10&fid=791&order=desc&prefix=/../..//../..//../..//../..//../..//etc/passwd%00.jpg&sortby=lastpost HTTP/1.1" 200 4945 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /search.php HTTP/1.1" 403 3920 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /forumdisplay.php?datecut=10&fid=878&order=asc&sortby=file:///etc/passwd HTTP/1.1" 200 4647 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:56 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /forumdisplay.php?datecut=10&fid=791&order=desc&prefix=.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./.%5c%5c./etc/passwd&sortby=lastpost HTTP/1.1" 200 4945 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /search.php HTTP/1.1" 403 3920 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /forumdisplay.php?datecut=10&fid=878&order=asc&sortby=/%5c../%5c../%5c../%5c../%5c../%5c../%5c../etc/passwd HTTP/1.1" 200 4652 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /search.php HTTP/1.1" 403 3920 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /forumdisplay.php?datecut=10&fid=791&order=desc&prefix=/etc/passwd&sortby=lastpost HTTP/1.1" 200 4945 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /forumdisplay.php?datecut=10&fid=878&order=asc&sortby=WEB-INF/web.xml HTTP/1.1" 200 4647 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:54 +0300] "GET / HTTP/1.1" 200 6716 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /search.php HTTP/1.1" 403 3920 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php HTTP/1.1" 404 4294 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:57 +0300] "GET /forumdisplay.php?datecut=10&fid=878&order=asc&sortby=/WEB-INF/web.xml HTTP/1.1" 200 4647 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /forumdisplay.php?datecut=10&fid=791&order=desc&prefix=%252fetc%252fpasswd&sortby=lastpost HTTP/1.1" 200 4945 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /search.php HTTP/1.1" 403 3920 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /forumdisplay.php?datecut=10&fid=878&order=asc&sortby=WEB-INF%5cweb.xml HTTP/1.1" 404 3461 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /forumdisplay.php?datecut=10&fid=791&order=desc&prefix=/.././.././.././.././.././.././.././../etc/./passwd%2500&sortby=lastpost HTTP/1.1" 404 3461 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php HTTP/1.1" 404 3693 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /search.php HTTP/1.1" 404 3449 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php HTTP/1.1" 404 3693 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php HTTP/1.1" 404 3693 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php HTTP/1.1" 404 3693 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php HTTP/1.1" 404 3693 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
82.131.77.174 - - [28/Sep/2016:20:33:58 +0300] "GET /forumdisplay.php?datecut=10&fid=878&order=asc&sortby=../../../../../../../../../../windows/win.ini HTTP/1.1" 404 3461 "http://forum.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" "forum.google.com"
 

lsfoo

Administrator
#2
Indrek,

We're not 100% sure if it works in OpenLiteSpeed, but please try our throttle control settings, under server->security->per client throttling. You can modify req/sec allowed or bandwidth allowed. To test, you can try to simulate overloading the server to see if it is limited.
 

Indrek

New Member
#3
Okay. New values:

Static Requests/second - 3
Dynamic Requests/second - 3
Outbound Bandwidth (bytes/sec) - 3M
Inbound Bandwidth (bytes/sec) - 3M

But I'm not sure how to overload my server :D

And I don't think it works, because I had those values at 5 and 10 before, like:
Static Requests/second - 5
Dynamic Requests/second - 10

It should have blocked that flood before.
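
Added example, not part of the original thread: one way to check an access log in the format from post #1 against a per-client limit such as the Dynamic Requests/second value above, and to count file-read probes per IP. The log lines, IP addresses (documentation ranges), host name, probe patterns and function names are constructed for illustration, and treating `.php` paths as the dynamic requests is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample in the same layout as the log in post #1.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Sep/2016:20:33:54 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "-" "Mozilla/5.0" "forum.example.com"
203.0.113.7 - - [28/Sep/2016:20:33:54 +0300] "GET /forumdisplay.php?fid=878&sortby=%252fetc%252fpasswd HTTP/1.1" 200 4652 "-" "Mozilla/5.0" "forum.example.com"
203.0.113.7 - - [28/Sep/2016:20:33:54 +0300] "GET /search.php HTTP/1.1" 403 3920 "-" "Mozilla/5.0" "forum.example.com"
203.0.113.7 - - [28/Sep/2016:20:33:54 +0300] "GET /forumdisplay.php?fid=791&prefix=../../../../etc/passwd%00.jpg HTTP/1.1" 200 4945 "-" "Mozilla/5.0" "forum.example.com"
203.0.113.7 - - [28/Sep/2016:20:33:55 +0300] "GET /showthread.php HTTP/1.1" 404 3654 "-" "Mozilla/5.0" "forum.example.com"
198.51.100.20 - - [28/Sep/2016:20:33:54 +0300] "GET /forumdisplay.php?fid=12&sortby=lastpost HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "forum.example.com"
198.51.100.20 - - [28/Sep/2016:20:33:54 +0300] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0" "forum.example.com"
198.51.100.20 - - [28/Sep/2016:20:33:58 +0300] "GET /showthread.php?tid=44 HTTP/1.1" 200 7011 "-" "Mozilla/5.0" "forum.example.com"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Markers of file-read probing, matched after decoding (illustrative, not exhaustive).
PROBE_RE = re.compile(
    r'\.\.[/\\]|/etc/passwd|proc/version|web-inf|win\.ini|file://', re.I
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "second": int(when.timestamp()),
        "target": m["target"],
        "status": int(m["status"]),
    }


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252f) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_probe(target):
    return bool(PROBE_RE.search(fully_decode(target)))


def analyze(log_text, dynamic_limit=3):
    """Per-IP peak dynamic requests/second, probe count and status mix."""
    per_second = Counter()            # (ip, epoch second) -> dynamic requests
    probes = Counter()                # ip -> requests carrying a probe marker
    statuses = defaultdict(Counter)   # ip -> status code -> count
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        ip = entry["ip"]
        statuses[ip][entry["status"]] += 1
        path = entry["target"].split("?", 1)[0]
        if path.endswith(".php"):     # assumption: .php is what reaches PHP
            per_second[(ip, entry["second"])] += 1
        if is_probe(entry["target"]):
            probes[ip] += 1

    peak = Counter()
    for (ip, _second), count in per_second.items():
        peak[ip] = max(peak[ip], count)

    return {
        ip: {
            "peak_dynamic_rps": peak[ip],
            "over_limit": peak[ip] > dynamic_limit,
            "probes": probes[ip],
            "statuses": dict(statuses[ip]),
        }
        for ip in statuses
    }


if __name__ == "__main__":
    for ip, row in analyze(SAMPLE_LOG).items():
        print(ip, row)
```

Log lines are written when a request completes, so they are not strictly in time order; counting per (IP, second) bucket avoids depending on that order. The rates are keyed on the first log field, so they are only meaningful if that field holds the real client address rather than a proxy's.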
 

Indrek

New Member
#5
** SIEGE 3.1.4
** Preparing 20 concurrent users for battle.
The server is now under siege...

HTTP/1.1 200 7.99 secs: 6661 bytes ==> GET /index.php
HTTP/1.1 200 8.00 secs: 6661 bytes ==> GET /index.php
HTTP/1.1 200 8.06 secs: 6661 bytes ==> GET /index.php
HTTP/1.1 200 8.10 secs: 6661 bytes ==> GET /index.php
HTTP/1.1 200 8.18 secs: 6661 bytes ==> GET /index.php
HTTP/1.1 200 8.26 secs: 6661 bytes ==> GET /index.php
...
HTTP/1.1 404 0.75 secs: 3439 bytes ==> GET /index.php
HTTP/1.1 404 0.74 secs: 3439 bytes ==> GET /index.php
HTTP/1.1 404 0.64 secs: 3439 bytes ==> GET /index.php
HTTP/1.1 404 0.57 secs: 3439 bytes ==> GET /index.php
HTTP/1.1 404 0.39 secs: 3439 bytes ==> GET /index.php
HTTP/1.1 404 0.70 secs: 3439 bytes ==> GET /index.php
...

At first the status is 200 but after a few seconds it's all 404

Lifting the server siege.. done.

Transactions: 1328 hits
Availability: 100.00 %
Elapsed time: 59.83 secs
Data transferred: 4.48 MB
Response time: 0.89 secs
Transaction rate: 22.20 trans/sec
Throughput: 0.07 MB/sec
Concurrency: 19.86
Successful transactions: 40
Failed transactions: 0
Longest transaction: 8.68
Shortest transaction: 0.26


I'm not sure if it's a correct result if most of the results were 404,
but the CPU load average was still high.
 

lsfoo

Administrator
#6
We will have to take a look internally to see if it is working. We expect that upon crossing the threshold, it should be returning 403, not 404.
 

Indrek

New Member
#7
I have Cloudflare enabled.

Could it be that OLS has some kind of conflict with CF and it won't get the real IPs but it sees only the CF IPs?
 