Safe value for DDOS deflate

[Yogesh Sarkar]

Just wanted to know what would be a safe connection value for DDOS deflate for a vbulletin forum which allows image attachments and usually has posts which has 20+ attachment images being displayed inline apart from the numerous forum icons and avatars.

I was thinking of installing DDOS deflate but don’t want my users to experience any problem while accessing my sites.

 

[Dan]

Hello Yogesh,

I'd say to start out at 100-150 or if you're worried 200. Let your users know your installing it and if you get notices of valid users getting blocked then you can always unblock them and raise the limit.

Another thing to watch for is your cPanel updates, sometimes the update servers will get blocked and you'll need to allow them.

 

[Yogesh Sarkar]

Thanks Dan, btw do you know about any user manuals for it? The mediatemple page only provides instructions on how to install it. Even though I am going to bug the support team for installing this and few more updates, I think learning a little bit about it would help, especially in case any users get blocked.

 

[rezag]

Having a vBulletin forum (but not that many attachments) I have had to settle at 250 otherwise I would get numerous blocks.

 

[Dan]

No problem Yogesh!

It works best if you have APF running on your server as well as in the config file you enable APF integration and then you can simply modify the APF block/allow files as needed.

It's been a little while since I ran either of these on my VPS. The installer will install ddos.conf which is a very small file and in addition to that you'd use the APF configuration files which are in /etc/apf.

Personally I say go with CSF/LFD which will give you all that functionality with one install with WHM integration. It's well documented and they have a user forum as well.

 

[KH-Paul]

rezag - 250 is a lot. Do you have KeepAlive enabled in Apache config? If not, try to enable and see what will happen with connections.

Yogesh - I would personally start with something like 100 connections and block time for 1 minute (60 seconds) with email notifications enabled - this way you'll get an email when some IP will be blocked and will be able to see if this will affect your actual site members. Even if it will quick block for 1 minute shouldn't cause much harm. Once you'll settle to specific number of connections it will make sense to bump block time to 600 seconds (default) or higher value depending on how often you'll be hit from the same IPs.
It is extremely easy to install (D)DoS-Deflate - all that needs to be done is to copy & paste commands listed in the installation section at http://deflate.medialayer.com/
Once tool is installed you can edit its config located at /usr/local/ddos/ddos.conf to adjust blocking type (APF / iptables), number of connections, block time and email address for notifications. Any text editor like "vi" can be used to edit the file. Alternatively you can access the config file through tools like WinSCP.

 

[rezag]

rezag - 250 is a lot. Do you have KeepAlive enabled in Apache config? If not, try to enable and see what will happen with connections.

I will try that, thank you.