IP spoofing DoS attack

Strator (Verified User, joined Jan 19, 2011, 283 messages)
Hi all,

It seems like one of my websites is currently subject to a DoS attack from many different spoofed IP addresses, so it wasn't caught by the DA firewall. I took the site offline for now and was wondering what to do next. Can any of the DirectAdmin tools be tweaked to block this so the site can be brought back online, or do I need to sit it out?

Thanks!
 
Could you tell us more about the "spoofed IP addresses" and the website?

Or share/post some log lines (mask out the domain name and part of the IPs) so we can have a look?

From my understanding, as a website uses TCP port 80 or 443, the connections are TCP, and the IPs should not be spoofed.

Thank you.
 
It's not spoofing. They're real IPs using the Tor network.

Since there have been a lot of the same questions, you might find some solutions for tuning the CSF firewall.
 
Yeah, I guess that's what I've figured out by now - it's not spoofed. As there were a lot of Brazilian IPs I looked into geoblocking via CSF (also managed to set it up by turning on ipset), but there were too many from Argentina, Ecuador, Congo, Jordan and Uzbekistan in the mix, so I still didn't get much further, especially since CSF blocks globally (so I'd be switching from one website I've shut down to shutting down ALL websites for possibly dozens of countries). Log snippet below.

Code:
178.176.176.71 - - [23/Feb/2025:11:52:20 +0000] "GET /forums/viewforum.php?f=12&sid=22c7c336cb99b35636e37730c967089e&start=100 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Brave Chrome/79.0.3945.88 Safari/537.36"
94.43.1.140 - - [23/Feb/2025:11:52:20 +0000] "GET /forums/memberlist.php?mode=viewprofile&sid=2bc3578d8a39d864101c217e8c61cf2f&u=25803 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4450.0 Safari/537.36"
170.81.201.155 - - [23/Feb/2025:11:52:20 +0000] "GET /forums/memberlist.php?mode=viewprofile&sid=329b4ee26363851533286126c4a6aaa6&u=25548 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Windows NT 6.1; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"
177.156.219.198 - - [23/Feb/2025:11:52:20 +0000] "GET /forums/index.php?sid=b554729baf7014504a1817d8f6555448 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"
187.86.73.74 - - [23/Feb/2025:11:52:20 +0000] "GET /forums/viewtopic.php?f=2&sid=99ad5726776b13dbe193753cbe9f6b27&t=13224 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36"
185.103.20.243 - - [23/Feb/2025:11:52:20 +0000] "GET /forums/viewtopic.php?f=12&sid=d7d7fd2688666a45e3cbe5afd0c68243&t=10951 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/524.34"
177.37.177.20 - - [23/Feb/2025:11:52:20 +0000] "GET /forums/viewtopic.php?f=12&sid=3ccdac4c82cff0f14f8f4a2fe3f488ea&t=10951 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36"
105.71.19.191 - - [23/Feb/2025:11:52:20 +0000] "GET /forums/posting.php?f=10&mode=reply&sid=402379c0503dd2926cb35cb79f90d685&t=5851 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
102.217.64.46 - - [23/Feb/2025:11:52:21 +0000] "GET /forums/viewtopic.php?p=26056&sid=56ae1e958512d00198fb6278ff8f1836 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
187.62.242.161 - - [23/Feb/2025:11:52:21 +0000] "GET /forums/viewtopic.php?p=26056&sid=0b70664f88a35fa22a97cc7261b6d974 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
170.231.153.248 - - [23/Feb/2025:11:52:21 +0000] "GET /forums/feed?sid=3f51bc1ea6b368987913464049f3eddf HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Brave Chrome/78.0.3904.108 Safari/537.36"
170.84.145.215 - - [23/Feb/2025:11:52:21 +0000] "GET /forums/feed?sid=f4d1fb9abc374f6b42ebf9a70143eb3c HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Brave Chrome/78.0.3904.108 Safari/537.36"
181.174.255.200 - - [23/Feb/2025:11:52:21 +0000] "GET /forums/viewtopic.php?p=26056&sid=94a1ae16fc940cb398ac7edc4688b3b4 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
103.23.206.106 - - [23/Feb/2025:11:52:21 +0000] "GET /forums/viewtopic.php?f=11&sid=742c67c535632d09c3ee9dd79f08dc52&t=11929 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"
170.0.238.170 - - [23/Feb/2025:11:52:21 +0000] "GET /forums/viewtopic.php?f=12&sid=538f70de010c33f31833d62410157e40&t=13299 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
187.45.75.21 - - [23/Feb/2025:11:52:21 +0000] "GET /forums/ucp.php?mode=login&redirect=viewtopic.php?f=4&sid=5cad6debb4d735978341f8d4375942c1&t=13308 HTTP/1.0" 404 1031 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
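The log above has a recognisable shape: one request per IP, dozens of distinct IPs in the same second, all HTTP/1.0 with an empty Referer, all hitting phpBB URLs carrying a sid parameter. Per-IP rate limits never fire on that pattern, which is why CSF did not catch it, and a server-wide deny list punishes every other site on the box. As an added example (not code from this thread, from DirectAdmin or from CSF), the Python script below parses lines in the combined log format shown above, flags burst seconds where nearly every request comes from a different IP and most are HTTP/1.0 without a Referer, collects the IPs that sent signature-matching requests inside those bursts, and renders them as an Apache 2.4 access-control block that can be scoped to a single vhost. The sample log is constructed (RFC 5737 documentation addresses, not the real IPs quoted above); the function names and the thresholds are my own choices, and the Apache snippet assumes an Apache 2.4 vhost, which the Comodo WAF mentioned later in the thread also implies.

```python
"""Triage an access log for a distributed, low-per-IP-rate HTTP flood."""
import ipaddress
import re
from collections import defaultdict

# Apache/Nginx "combined" log format, the layout of the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (RFC 5737 documentation addresses, not the thread's real IPs):
# ten one-shot HTTP/1.0 hits from distinct IPs in the same second, mixed with a
# real visitor's HTTP/1.1 page + stylesheet requests and a lone HTTP/1.0 request later.
FLOOD_IPS = [f"203.0.113.{i}" for i in range(1, 11)]
SAMPLE_LOG = [
    f'{ip} - - [23/Feb/2025:11:52:20 +0000] "GET /forums/viewtopic.php?f=12'
    f'&sid={i:032x}&t=10951 HTTP/1.0" 404 1031 "-" '
    f'"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/79.0.3945.88"'
    for i, ip in enumerate(FLOOD_IPS)
] + [
    '198.51.100.7 - - [23/Feb/2025:11:52:20 +0000] "GET /forums/viewtopic.php?t=10951 HTTP/1.1" '
    '200 8421 "https://forum.example/forums/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    '198.51.100.7 - - [23/Feb/2025:11:52:20 +0000] "GET /forums/styles/prosilver/theme/stylesheet.css HTTP/1.1" '
    '200 512 "https://forum.example/forums/viewtopic.php?t=10951" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    '198.51.100.9 - - [23/Feb/2025:11:52:25 +0000] "GET /forums/index.php HTTP/1.0" '
    '200 3104 "-" "curl/8.4.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["second"] = rec["ts"].split()[0]   # drop the "+0000" zone -> "23/Feb/2025:11:52:20"
    return rec


def looks_like_flood_request(rec):
    """Per-request signature seen in the thread: HTTP/1.0, no Referer, a phpBB URL with a sid."""
    return (rec["proto"] == "HTTP/1.0" and rec["referer"] == "-"
            and rec["path"].startswith("/forums/") and "sid=" in rec["path"])


def analyze(lines, min_requests=8, min_distinct_ratio=0.75, min_legacy_share=0.75):
    """Find burst seconds in which almost every request comes from a different IP
    (so per-IP rate limits never trigger) and most are HTTP/1.0 without a Referer,
    then collect the IPs that sent signature-matching requests inside those bursts.
    Thresholds are illustrative; tune them against a quiet day's log first."""
    by_second = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_second[rec["second"]].append(rec)

    bursts, suspects = {}, set()
    for second, recs in sorted(by_second.items()):
        n = len(recs)
        distinct = len({r["ip"] for r in recs})
        legacy = sum(r["proto"] == "HTTP/1.0" and r["referer"] == "-" for r in recs)
        if n >= min_requests and distinct / n >= min_distinct_ratio and legacy / n >= min_legacy_share:
            bursts[second] = {"requests": n, "distinct_ips": distinct, "legacy_no_referer": legacy}
            suspects.update(r["ip"] for r in recs if looks_like_flood_request(r))
    return {"bursts": bursts,
            "suspects": sorted(suspects, key=ipaddress.ip_address)}


def apache_deny_block(ips):
    """Apache 2.4 access control for one vhost or <Directory>, so the block is scoped
    to the attacked site instead of every site on the server as a CSF deny would be."""
    out = ["<RequireAll>", "    Require all granted"]
    out += [f"    Require not ip {ip}" for ip in ips]
    out.append("</RequireAll>")
    return "\n".join(out)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for second, stats in report["bursts"].items():
        print(second, stats)
    print(apache_deny_block(report["suspects"]))
```

On the constructed sample this flags the 11:52:20 second (12 requests, 11 distinct IPs, 10 legacy no-Referer hits), lists the ten flood addresses and leaves both the real visitor and the lone curl request alone. The list is only a snapshot: Tor exit addresses rotate, so re-run it on each new burst rather than treating one block as permanent. If a server-wide block is acceptable after all, the same list can be fed to CSF with `csf -d <ip>` instead of the Apache snippet.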
 
If the site is important, maybe invest in the blocked.com script; you can block proxies, Tor, etc.
In the end it's something that goes beyond one individual site. I've been self-hosting for over 20 years now and have yet to see something as obnoxious as this. If I pay 299 today to save one site, what if the next site is attacked tomorrow? So I guess I'm looking for a solution that is more... sustainable.

On a related note... is anyone using the Comodo WAF plugin? I do, but when I click on the plugin icon, all I get is a line saying "Comodo WAF 2.24.5" - the page itself doesn't load.
 
Like I mentioned in my previous post, use a tool like OPSSHIELD; it costs a maximum of 10 USD a month per server (or 5.5 USD for 50 users or less).
 
Like I mentioned in my previous post, use a tool like OPSSHIELD; it costs a maximum of 10 USD a month per server (or 5.5 USD for 50 users or less).
It's on my list and pretty close to the top (since they offer a free trial) - but after noticing the issue with Comodo WAF (see above), looking into that should be the next logical step.

Btw. for what it's worth, it seems like the storm is over (for now).
 