Server question..... Being hammered by POST

  • Lester
    Confirmed User
    • Sep 2003
    • 468

    #1

    Server question..... Being hammered by POST

    OK, so it seems I have some kinda bot blasting away at a domain name. Sending some kinda POST data to a page that doesn't even exist.

    No matter what ip address I throw this domain on the bot starts hammering it almost immediately. 40-50 per second, from all kinda ip addresses. Just this one domain.

    We put 2 ips into Null Routes and the server became responsive again....

    Any idea how to deal with this?

    The domain seems like it's gonna be attacked no matter where I place it, my servers or some other host..... Support didn't feel a hardware firewall was gonna solve it either...

    Ugh
    I have no sig...sigh
  • dichotomy
    Confirmed User
    • Jun 2003
    • 135

    #2
    I think the only way would be filtering IPs out and firewalling them till they stop bothering you.

    Sounds tedious, but any other filtering method will involve the web server processing those requests anyway.

    Depending on what they are hammering and how smart those bots are (eat cookies, know javascript), it might be worth trying to redirect them to some other domain like msn.com via .htaccess ? Could lessen the load possibly if they hammer your PHP/SQL.

    Just brainstorming, hope it helps!
    #_
    https://se.marketing/

    Comment

    • PAR
      Confirmed User
      • May 2005
      • 1835

      #3
      Set up Cloudflare; once it's set up, have your host change your IP...

      Comment

      • pinkmasterx
        Confirmed User
        • Aug 2014
        • 141

        #4
        You can install a module to limit the number of connections per IP.
        5 is a good limit; a browser normally can't open more than 5 connections.
        http://dominia.org/djao/limitipconn.html

        That limits the impact of this type of attack.
        Fail2ban can help you too.
        If these are 404 pages, you can add a rule to block IPs with too many 404s per minute, for example.

        Wish that helps you
        Adult web agency : http://www.pinkmasterx.com
        Hosting : http://www.sos-hebergement.com
        Vps in New york, Paris, Amsterdam
        Video Encoding : http://www.pinkencode.com

        Comment

        • WDF
          Confirmed User
          • Jan 2013
          • 2248

          #5
          Install CSF or some other iptables firewall and ban IPs with more than a specified number of connections.

          Install Mod_Security with the OWASP rule set to block malicious requests.

          Get a So You Start or OVH server and let their anti-DoS network do the work for you.
          Please HELP

          Comment

          • dichotomy
            Confirmed User
            • Jun 2003
            • 135

            #6
            Cloud actually might help as well, but won't be cheap - this way you will spread the bot load across the multiple datacenters... not a bad idea.

            Limiting connections per IP won't help unless that's a really dumb bot, in which case just blocking it in the firewall would have done the trick...
            #_
            https://se.marketing/

            Comment
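The per-IP "too many 404s per minute" rule suggested in post #4, together with the limitation raised in post #6, as an added example that is not part of the thread and is not Fail2ban's own code. The log lines, paths, threshold (3) and window (60 s) are constructed assumptions; the script flags noisy single IPs and also reports how many distinct IPs hit each missing path, which is the case a per-IP rule does not catch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def _line(ip, hhmmss, method, path, status):
    # Build one constructed line in Apache/nginx "combined" log format.
    return (f'{ip} - - [12/Oct/2014:{hhmmss} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 209 "-" "-"')

# Constructed sample traffic (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = "\n".join(
    # one noisy source: 5 POST 404s within 8 seconds
    [_line("198.51.100.7", f"02:00:{s:02d}", "POST", "/nopage.php", 404) for s in range(0, 10, 2)]
    # six sources hitting the same missing page once each
    + [_line(f"203.0.113.{n}", "02:00:30", "POST", "/nopage.php", 404) for n in range(1, 7)]
    # a slow client: 4 POST 404s, two minutes apart
    + [_line("192.0.2.10", f"02:0{m}:00", "POST", "/old-form", 404) for m in range(1, 9, 2)]
    + [_line("192.0.2.20", "02:09:00", "GET", "/", 200)]
)

def scan(log_text, max_404=3, window=timedelta(seconds=60)):
    """Return (offenders, spread): IPs with more than max_404 POST 404s inside
    the sliding window, and per path the (hits, distinct source IPs) totals."""
    recent = defaultdict(deque)              # ip -> timestamps still inside the window
    per_path = defaultdict(lambda: [0, set()])
    offenders = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                         # skip lines that are not in combined format
        ip, ts, method, path, status = m.groups()
        if method != "POST" or status != "404":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        per_path[path][0] += 1
        per_path[path][1].add(ip)
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:       # drop hits that aged out of the window
            hits.popleft()
        if len(hits) > max_404:
            offenders.add(ip)
    return offenders, {p: (n, len(ips)) for p, (n, ips) in per_path.items()}

if __name__ == "__main__":
    offenders, spread = scan(SAMPLE_LOG)
    print("ban candidates:", sorted(offenders))
    for path, (hits, ips) in spread.items():
        print(f"{path}: {hits} POST 404s from {ips} IPs")
```

On the sample, only the single noisy address crosses the per-IP threshold, while the missing page still takes hits from seven addresses; that second number is the signal for filtering on the request itself rather than on the source.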

            • sandman!
              Icq: 14420613
              • Mar 2001
              • 15431

              #7
              if they are using random ips there is no cheap/easy way to block them.

              cheapest way is to have enough hardware when it comes to the server to just serve up the 404 pages that they are hitting.

              tuning the webserver so the requests don't slow your site down should not be hard for any decent tech.
              Need WebHosting ? Email me for some great deals [email protected]

              Comment

              • dichotomy
                Confirmed User
                • Jun 2003
                • 135

                #8
                Originally posted by sandman!
                if they are using random ips there is no cheap/easy way to block them.

                cheapest way is to have enough hardware when it comes to the server to just serve up the 404 pages that they are hitting.

                tuning the webserver so the requests don't slow your site down should not be hard for any decent tech.
                Amen. You can try and get nginx up before as http proxy - that can lower loads A LOT.
                #_
                https://se.marketing/

                Comment

                • PeR930
                  Confirmed User
                  • Dec 2012
                  • 283

                  #9
                  Try cloudflare. It can block known bad ips before they hit your server.

                  Comment

                  • Lester
                    Confirmed User
                    • Sep 2003
                    • 468

                    #10
                    Tossed that domain onto a new host just to see what might happen,
                    knowing full well what probably would.

                    Got a warning email around 2am that there appeared to be an attack, requests to the domain are being suspended.

                    Same POST requests of some sort toward a page that does not exist; actually I never got to upload any pages to the new setup.

                    Bunches and bunches of different ips from many locations doing the deed.


                    Just like I thought it would be.....
                    I have no sig...sigh

                    Comment

                    • Barry-xlovecam
                      It's 42
                      • Jun 2010
                      • 18083

                      #11
                      http://perishablepress.com/protect-post-requests/

                      Comment

                      • freecartoonporn
                        Confirmed User
                        • Jan 2012
                        • 7683

                        #12
                        cloudflare or nginx
                        SSD Cloud Server, VPS Server, Simple Cloud Hosting | DigitalOcean

                        Comment

                        • buyandsell
                          Confirmed User
                          • May 2008
                          • 692

                          #13
                          hey I have a Cisco ASA that will do packet inspection and block POST or whatever; you can find a ASA5200 for a few grand on ebay

                          Before that I used IPTABLES, sort of a poor man's packet inspection, here's an example:

                          # create the filter chain before INPUT jumps to it
                          iptables -N HTTP_FILTER
                          iptables -A INPUT -p tcp --dport 80 -i eth0 -j HTTP_FILTER
                          iptables -A HTTP_FILTER -j DROP -m string --from 30 --to 60 --algo bm --string 'POST '

                          this is kinda rudimentary and you need to keep it stateless - I had troubles with CONNTRACK if it wasn't stateless

                          Comment

                          • jimmycastor
                            So Fucking Banned
                            • Jul 2006
                            • 342

                            #14
                            had the same type of attacks, poor man's solution: csf combined with cloudflare helped me a lot,
                            finding good settings for csf is important, if that won't work maybe go for the more advanced methods mentioned in here
                            Last edited by jimmycastor; 10-12-2014, 01:21 AM.

                            Comment

                            • Socks
                              Confirmed User
                              • May 2002
                              • 8475

                              #15
                              Lester from DOD?

                              Comment

                              • BradBreakfast
                                Confirmed User
                                • Feb 2008
                                • 415

                                #16
                                We can solve this for you easily.

                                E-mail me to discuss.

                                GetClicky - The World's Most Advanced Real Time Ajax-based Analytics

                                Comment
