Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums. You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact us. |
|
Discuss what's fucking going on, and which programs are best and worst. One-time "program" announcements from "established" webmasters are allowed. |
|
Thread Tools |
10-10-2014, 06:16 AM | #1 |
Confirmed User
Join Date: Sep 2003
Location: Chicago
Posts: 468
|
Server question..... Being hammered by POST
OK, so it seems I have some kinda bot blasting away at a domain name. Sending some kinda POST data to a page that doesn't even exist.
No matter what ip address I throw this domain on the bot starts hammering it almost immediately. 40-50 per second, from all kinda ip addresses. Just this one domain. We put 2 ips in into Null Routes and the server became responsive again.... Any idea how to deal with this? The domain seems like it's gonna be attacked no matter where I place it, my servers or some other host..... Support didn't feel a hardware firewall was gonna solve it either... Ugh
__________________
I have no sig...sigh |
10-10-2014, 06:26 AM | #2 |
Confirmed User
Industry Role:
Join Date: Jun 2003
Location: Near Tunguska
Posts: 135
|
I think, only way would be filtering IP's out and firewalling them till they stop bothering you.
Sounds tedious, but any other filtering method will involve web server processing those request anyway. Depending on what they are hammering and how smart those bots are (eat cookies, know javascript), it might be worth trying to redirect them to some other domain like msn.com via .htaccess ? Could lessen the load possibly if they hammer your PHP/SQL. Just brainstorming, hope it helps! |
10-10-2014, 09:47 AM | #3 |
Confirmed User
Industry Role:
Join Date: May 2005
Posts: 1,836
|
setup cloudflare once setup have yoru host change your IP...
|
10-10-2014, 10:27 AM | #4 |
Confirmed User
Industry Role:
Join Date: Aug 2014
Posts: 141
|
You can install a module to limit number of connexion by ip.
5 is a good limitation, a browser normaly can't open more than 5 connexion. http dominia.org/djao/limitipconn.html That limit the impact of this type attack. Fail2ban can help you too. If this 404 pages, you can add rule to block ip with too much 404 / min for example wich that help you |
10-10-2014, 10:52 AM | #5 |
Confirmed User
Industry Role:
Join Date: Jan 2013
Location: Nashville,TN. Music City U.S.A.
Posts: 2,248
|
Install CSF or some other IP Table firewall and ban IPs with more then a specified number of connections.
Install Mod_Security with OWASP rules set to block malicious requests. Get a so you start or ovh server and let their anti-dos network do the work for you.
__________________
Please HELP |
10-10-2014, 11:22 AM | #6 |
Confirmed User
Industry Role:
Join Date: Jun 2003
Location: Near Tunguska
Posts: 135
|
Cloud actually might help as well, but won't be cheap - this way you will spread the bot load across the multiple datacenters... not a bad idea.
Limiting connections per IP won't help unless thats a really dumb bot in which case just blocking it in firewall would have done the trick... |
10-10-2014, 12:04 PM | #7 |
Icq: 14420613
Industry Role:
Join Date: Mar 2001
Location: chicago
Posts: 15,404
|
if they are using random ips there is no cheap/easy way to block them.
cheapest way is to have enough hardware when it comes to the server to just serve up the 404 pages that they hitting. tuning the webserver so the requests dont slow your site down should not be hard for any decent tech.
__________________
Need WebHosting ? Email me for some great deals [email protected] |
10-10-2014, 12:13 PM | #8 | |
Confirmed User
Industry Role:
Join Date: Jun 2003
Location: Near Tunguska
Posts: 135
|
Quote:
|
|
10-10-2014, 02:49 PM | #9 |
Confirmed User
Industry Role:
Join Date: Dec 2012
Posts: 283
|
Try cloudflare. It can block known bad ips before they hit your server.
|
10-11-2014, 03:35 AM | #10 |
Confirmed User
Join Date: Sep 2003
Location: Chicago
Posts: 468
|
Tossed that domain unto a new host just to see what might happen,
knowing full well what probably would. Got a warning email around 2am that there appeared to be an attack, requests to the domain are being suspended. Same POST requests of some sort toward a page that does not exists, actually i never got to upload any pages to the new setup. Bunches and bunches of different ips from many locations doing the deed. Just like I thought it would be.....
__________________
I have no sig...sigh |
10-11-2014, 04:58 AM | #11 |
It's 42
Industry Role:
Join Date: Jun 2010
Location: Global
Posts: 18,083
|
|
10-11-2014, 05:32 AM | #12 |
Confirmed User
Industry Role:
Join Date: Jan 2012
Location: NC
Posts: 7,681
|
cloudflare or nginx
__________________
SSD Cloud Server, VPS Server, Simple Cloud Hosting | DigitalOcean
|
10-11-2014, 06:09 PM | #13 |
Confirmed User
Industry Role:
Join Date: May 2008
Location: USA
Posts: 692
|
hey I have a Cisco ASA that will do packet inspection and block POST or whatever you can find a ASA5200 for a few grand on ebay
Before that I used IPTABLES sort of a poormans packet inspection, heres an example: iptables -A INPUT -p tcp --dport 80 -i eth0 -j HTTP_FILTER iptables -A HTTP_FILTER -j DROP -m string --from 30 --to 60 --algo bm --string 'POST ' this is kinda rudimentry and you need to keep it stateless - I had troubles with CONNTRACK if it wasn't stateless |
10-12-2014, 02:16 AM | #14 |
So Fucking Banned
Join Date: Jul 2006
Posts: 342
|
had the same type of attacks,poor man solution csf combined with cloudflare helped me a lot ,
finding good settings for csf is important , if that wont work maybe go for the more advanced methods mentioned in here |
10-12-2014, 02:21 AM | #15 |
Confirmed User
Industry Role:
Join Date: May 2002
Location: Toronto
Posts: 8,478
|
Lester from DOD?
|