http flooding / AI bots / DOS attacks

freakie

Hi,

I run a Licensed DirectAdmin server for some friends and family.

Like everyone else, we also get HTTP floods, AI bots, bots that scan for specific versions of software of OS and/or website.

Does DirectAdmin have any protection against this?

I'm thinking about using abuseip database, perhaps using nginx_apache?

Would that help, or are there any suggestions?

It's getting out of hand, just like spam several years ago.
 
You can use CSF (for flood and rate limiting) along with an additional blacklist (like abuseip) to reduce bad bots and IP addresses.
Sometimes blocking some countries like CN/BR does help also.
 
And are those websites behind a CDN like Cloudflare too? If that is the case, nginx rate limits are a good idea. But you need to customize them yourself.

If it is your site, please configure rate limits on the Cloudflare side.
 
At this moment we experience bot attacks, especially on phpBB forum software. There are countermeasures which will help; there is a complete topic about it on the phpbb.com forums.

Next to that, since not too long ago, we experience attacks from Google Cloud LLC IPs. We got annoyed about the logs and just block all Google Cloud IP ranges. Next to the blocks which CSF also does, for example on too many connections from 1 IP, and blocklists like abuseipdb.
But they use loads of those IPs, so we blocked them all.
 
We try to filter as much as possible with csf and cloudflare but the past days have been terrible.

I'd say 90% of web traffic is pure garbage. Dead internet theory.
 
On Cloudflare, set rate limits to 75 requests / 10 sec; that should reduce some massive DDoS from one IP. For me, I go with "120req/10s", because I already have rate limits on the nginx side, so it's fine for me.
 
Google Cloud IP abuse is off the charts lately. It's almost rivalling the amount of bad traffic I get from Digital Ocean.

I have a rule to pull the 100% guaranteed bad IPs from AbuseIPDB. I apply that at the firewall level. I block all xml-rpc.php and rate-limit wp-login.php.

I think we're going to need a good proof-of-work system since the current abuse I'm seeing is 1 request to a unique (and valid) URL from an IP, and then never see that IP again. I've been tracking a botnet and they can burn through 50k+ IP addresses a day with ease. Checking them, most do not show up on AbuseIPDB, so forcing the requests to be CPU expensive might be the only option.
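
The proof-of-work idea raised in the post above, sketched as an added example (not code from the thread or from any poster): the server hands out a signed challenge bound to the client IP, the client burns CPU finding a counter, and the server checks it with one HMAC and one hash. All names, the 12-bit difficulty and the 120-second lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)   # per-server signing key (constructed for this example)
DIFFICULTY_BITS = 12      # assumed: about 4096 hashes per solve on average
MAX_AGE = 120             # assumed: seconds a challenge stays valid

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def _zero_bits(challenge, counter):
    """Leading zero bits of SHA-256(challenge:counter)."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()

def issue_challenge(client_ip, now=None):
    """Server: signed, stateless challenge bound to the requesting IP."""
    ts = int(time.time() if now is None else now)
    payload = f"{os.urandom(8).hex()}:{ts}:{DIFFICULTY_BITS}:{client_ip}"
    return f"{payload}:{_sign(payload)}"

def solve(challenge):
    """Client: brute-force a counter until the hash has enough zero bits."""
    bits = int(challenge.split(":")[2])
    counter = 0
    while _zero_bits(challenge, counter) < bits:
        counter += 1
    return counter

def verify(challenge, counter, client_ip, now=None):
    """Server: one HMAC and one SHA-256 per check, no stored per-client state."""
    try:
        payload, sig = challenge.rsplit(":", 1)
        _salt, ts, bits, ip = payload.split(":", 3)   # maxsplit keeps IPv6 colons
        ts, bits = int(ts), int(bits)
    except ValueError:
        return False
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False   # forged or altered challenge (e.g. lowered difficulty)
    current = time.time() if now is None else now
    if ip != client_ip or not 0 <= current - ts <= MAX_AGE:
        return False   # solved for another address, or stale
    return _zero_bits(challenge, counter) >= bits
```

A solved challenge can be replayed from the same IP until it expires; a short-lived cache of used salts would make each solution single-use.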
 
Hi

I've written my own software that detects abusive behavior and redirects the IP to a captcha page.
The captcha page is very lightweight, very simple, I wrote it myself, so it does not cause a resource burden on our servers.
This way we don't block any IP.

Kr
Dries
 