DDOS Protection to HTTP - Ex. mod_evasive to apache with custombuild

[jwillberg]

Lot off HTTP DDOS attacks coming same IP, so somekind protection of that would be creat1

Example random ATTACKS which cause High Load to server

185.159.36.11 - - [01/Feb/2017:18:44:56 +0200] "GET /store/admin9989 HTTP/1.1" 404 15161 
185.159.36.11 - - [01/Feb/2017:18:44:56 +0200] "GET /store/admin9992 HTTP/1.1" 404 15161 
185.159.36.11 - - [01/Feb/2017:18:44:55 +0200] "GET /store/admin9980 HTTP/1.1" 404 15165 
185.159.36.11 - - [01/Feb/2017:18:44:56 +0200] "GET /store/admin9997 HTTP/1.1" 404 15163 
185.159.36.11 - - [01/Feb/2017:18:44:56 +0200] "GET /store/admin9996 HTTP/1.1" 404 15163 
185.159.36.11 - - [01/Feb/2017:18:44:56 +0200] "GET /store/admin9998 HTTP/1.1" 404 15163 
185.159.36.11 - - [01/Feb/2017:18:44:56 +0200] "GET /store/admin9993 HTTP/1.1" 404 15167 
185.159.36.11 - - [01/Feb/2017:18:44:56 +0200] "GET /store/admin9999 HTTP/1.1" 404 15161 
185.159.36.11 - - [01/Feb/2017:18:44:56 +0200] "GET /store/admin9991 HTTP/1.1" 404 15163 
185.159.36.11 - - [01/Feb/2017:18:44:56 +0200] "GET /store/admin10000 HTTP/1.1" 404 15186

 

[LawsHosting]

That isn't really a DDoS attack, but an attack to scan for vulnerabilities in scripts.... Our logs are full of these every day..... If this halts the server, then optimisation is needed on Apache.

If it was a DDoS attack, you would really know about it.

 

[jwillberg]

Was sample only, but coming about 100-200 request per second and Server Load goes high like over 100. (with 16 Cores)

So somehow to RATE Limiting traffic to apache per IP. Now it not possible and if using iptables, it not working correct per customer domain:

/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP

So is there better solutions ?

 

[ViAdCk]

We are also seeing a lot of traffic like this.

What are the options to stop this kind of traffic?

 

[bluenet]

Was sample only, but coming about 100-200 request per second and Server Load goes high like over 100. (with 16 Cores)

So somehow to RATE Limiting traffic to apache per IP. Now it not possible and if using iptables, it not working correct per customer domain:

/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP

So is there better solutions ?

Uses CSF firewall that blocks attacks

 

[ben29]

better fail2ban for those requests.
just good regex for 404 in this file

 

[Richard G]

Why fail2ban?
There is nothing fail2ban can do which CSF can't, and CSF can do even more.

 

[ViAdCk]

Why fail2ban?
There is nothing fail2ban can do which CSF can't, and CSF can do even more.

Any idea on how to stop these attacks with csf? Thanks

 

[Richard G]

Try the portscan tracking options for example, CSF also has a PORTFLOOD = "" option.
There is even a tracking option to track 404 errors. That's LF_APACHE_404, however you have to take care with this setting because when set to low you can also block legal users who just land on a wrong page a couple of times, or especially search engines, who more often will encouter a 404 page.

And next to that you can also use regex to block on certain terms uses. I only don't know how to use or create regexp. I got one running which a friend of mine made and a couple which I found on this forum, but those are not for the issue you're having. But it's possible to create one I guess.

 

[ViAdCk]

Try the portscan tracking options for example, CSF also has a PORTFLOOD = "" option.
There is even a tracking option to track 404 errors. That's LF_APACHE_404, however you have to take care with this setting because when set to low you can also block legal users who just land on a wrong page a couple of times, or especially search engines, who more often will encouter a 404 page.

And next to that you can also use regex to block on certain terms uses. I only don't know how to use or create regexp. I got one running which a friend of mine made and a couple which I found on this forum, but those are not for the issue you're having. But it's possible to create one I guess.

Thanks Richard, I'm going to try out the LF_APACHE_404 option. We'll see how it works

 

[zEitEr]

Hello,

Consider migrating to nginx+apache, nginx can easily limit concurrent connections per IP with config optimization on Apache's side.

 

[Richard G]

Also this is possible with CSF firewall. See the "CT_LIMIT =" option. I forgot about that one before.