Server question..... Being hammered by POST

[Lester]

OK, so it seems I have some kinda bot blasting away at a domain name. Sending some kinda POST data to a page that doesn't even exist.

No matter what ip address I throw this domain on the bot starts hammering it almost immediately. 40-50 per second, from all kinda ip addresses. Just this one domain.

We put 2 ips in into Null Routes and the server became responsive again....

Any idea how to deal with this?

The domain seems like it's gonna be attacked no matter where I place it, my servers or some other host..... Support didn't feel a hardware firewall was gonna solve it either...

Ugh

[dichotomy]

I think, only way would be filtering IP's out and firewalling them till they stop bothering you.

Sounds tedious, but any other filtering method will involve web server processing those request anyway.

Depending on what they are hammering and how smart those bots are (eat cookies, know javascript), it might be worth trying to redirect them to some other domain like msn.com via .htaccess ? Could lessen the load possibly if they hammer your PHP/SQL.

Just brainstorming, hope it helps!

[PAR]

setup cloudflare once setup have yoru host change your IP...

[pinkmasterx]

You can install a module to limit number of connexion by ip.
5 is a good limitation, a browser normaly can't open more than 5 connexion.
http dominia.org/djao/limitipconn.html

That limit the impact of this type attack.
Fail2ban can help you too.
If this 404 pages, you can add rule to block ip with too much 404 / min for example

wich that help you

[WDF]

Install CSF or some other IP Table firewall and ban IPs with more then a specified number of connections.

Install Mod_Security with OWASP rules set to block malicious requests.

Get a so you start or ovh server and let their anti-dos network do the work for you.

[dichotomy]

Cloud actually might help as well, but won't be cheap - this way you will spread the bot load across the multiple datacenters... not a bad idea.

Limiting connections per IP won't help unless thats a really dumb bot in which case just blocking it in firewall would have done the trick...

[sandman!]

if they are using random ips there is no cheap/easy way to block them.

cheapest way is to have enough hardware when it comes to the server to just serve up the 404 pages that they hitting.

tuning the webserver so the requests dont slow your site down should not be hard for any decent tech.

[dichotomy]

Quote:

Originally Posted by sandman!

if they are using random ips there is no cheap/easy way to block them.

cheapest way is to have enough hardware when it comes to the server to just serve up the 404 pages that they hitting.

tuning the webserver so the requests dont slow your site down should not be hard for any decent tech.

Amen. You can try and get nginx up before as http proxy - that can lower loads A LOT.

[PeR930]

Try cloudflare. It can block known bad ips before they hit your server.

[Lester]

Tossed that domain unto a new host just to see what might happen,
knowing full well what probably would.

Got a warning email around 2am that there appeared to be an attack, requests to the domain are being suspended.

Same POST requests of some sort toward a page that does not exists, actually i never got to upload any pages to the new setup.

Bunches and bunches of different ips from many locations doing the deed.


Just like I thought it would be.....

[Barry-xlovecam]

http://perishablepress.com/protect-post-requests/

[freecartoonporn]

cloudflare or nginx

[buyandsell]

hey I have a Cisco ASA that will do packet inspection and block POST or whatever you can find a ASA5200 for a few grand on ebay

Before that I used IPTABLES sort of a poormans packet inspection, heres an example:

iptables -A INPUT -p tcp --dport 80 -i eth0 -j HTTP_FILTER
iptables -A HTTP_FILTER -j DROP -m string --from 30 --to 60 --algo bm --string 'POST '

this is kinda rudimentry and you need to keep it stateless - I had troubles with CONNTRACK if it wasn't stateless

[jimmycastor]

had the same type of attacks,poor man solution csf combined with cloudflare helped me a lot ,
finding good settings for csf is important , if that wont work maybe go for the more advanced methods mentioned in here

[Socks]

Lester from DOD?

[BradBreakfast]

We can solve this for you easily.

E-mail me to discuss.