Joseph_sys Advocate
Joined: 08 Jun 2004 Posts: 2716 Location: Edmonton, AB
Posted: Wed Jan 15, 2025 7:02 pm Post subject: apache - preventing ddos attack
I am trying to implement some basic measures in apache against a "ddos" attack.
Checking via chatgpt, it recommends:
1. Limit Connections by IP (mod_evasive) - but this mod_evasive is not available anymore.
2. Limit the Number of Connections with mod_qos - but "app-arch/mod_qos" is not available either.
3. Limit Request Rate with mod_ratelimit - but "www-apache/mod_ratelimit" is not found.
Any suggestions?
grknight Retired Dev
Joined: 20 Feb 2015 Posts: 1991
Posted: Wed Jan 15, 2025 7:25 pm Post subject:
#3 is available via package.use as: www-servers/apache apache2_modules_ratelimit
s0ulslack1 n00b
Joined: 06 Mar 2022 Posts: 26
Posted: Wed Jan 15, 2025 8:04 pm Post subject:
First, stop using that garbage chatgpt. You're gonna have to read some broh.
Second, google "hardening apache against denial of service attacks".
Third, your eix-foo is weak. www-apache/mod_qos
gentoo_ram Guru
Joined: 25 Oct 2007 Posts: 511 Location: San Diego, California USA
Posted: Wed Jan 15, 2025 9:04 pm Post subject:
What, exactly, are you trying to prevent? I've noticed a ton of TCP connections sitting in SYN-RECV state for ports 80 and 443 on my machine. Nothing you do to apache is going to help with this, because the kernel won't notify apache of a new connection until the initial TCP handshake is complete. I noticed a bunch of half-open connections coming from different hosts on the same IPv4 /24 subnet.
Instead, I wrote my own monitoring script to deal with that DDoS attack for half-open sockets. It opens /proc/net/tcp6 and looks through the TCP connection list for sockets in state "03". If there are more than 4 half-open connections from the same /24 subnet, it adds a rule to my 'iptables' firewall to block that whole subnet. Then, 4 hours later, it removes the rule it added. This seems to be pretty effective at killing off these crazy connections.
If you aren't dealing with half-open connections, then you can use a script to read the apache error log and look for the types of connections you are interested in blocking.
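The monitor gentoo_ram describes, written out as an added example (my code, not the script from the post): it decodes the hex address column of /proc/net/tcp6, counts sockets in state "03" (SYN_RECV) per remote IPv4 /24, and keeps a ban list with the 4-hour expiry. The /proc rows are constructed for the demo, and the iptables commands are returned as strings rather than executed, so the logic can be dry-run before it is wired to a real firewall.

```python
"""Added example (my code, not gentoo_ram's script): find half-open TCP
connections in /proc/net/tcp6, tally them per remote IPv4 /24, and decide
which subnets to block and when to lift the block.  The /proc rows below
are constructed for the demo; the iptables commands are only returned as
strings so the script can be dry-run."""
import ipaddress
from collections import Counter

SYN_RECV = "03"          # 'st' column value for SYN_RECV in /proc/net/tcp and tcp6
THRESHOLD = 4            # block a subnet once it has more than this many half-open sockets
BAN_SECONDS = 4 * 3600   # the 4-hour expiry described in the post


def parse_proc_addr(field):
    """Decode the hex 'addr:port' column of /proc/net/tcp6.

    The 128-bit address is printed as four 32-bit words, each in host
    (little-endian on x86) byte order, so every 8-hex-digit word has to
    be byte-reversed before the 16 bytes are reassembled."""
    hexaddr, _port = field.split(":")
    words = [hexaddr[i:i + 8] for i in range(0, 32, 8)]
    raw = b"".join(bytes.fromhex(w)[::-1] for w in words)
    addr = ipaddress.IPv6Address(raw)
    # A dual-stack listener sees IPv4 peers as v4-mapped addresses (::ffff:a.b.c.d).
    return addr.ipv4_mapped or addr


def half_open_by_subnet(proc_text):
    """Count SYN_RECV sockets per remote /24 (IPv6 peers are grouped per /64)."""
    counts = Counter()
    for line in proc_text.splitlines()[1:]:   # first row is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue
        peer = parse_proc_addr(fields[2])     # columns: sl, local_address, remote_address, st, ...
        prefix = 24 if peer.version == 4 else 64
        counts[str(ipaddress.ip_network(f"{peer}/{prefix}", strict=False))] += 1
    return counts


def subnets_to_block(counts, threshold=THRESHOLD):
    """Subnets whose half-open count exceeds the threshold."""
    return sorted(net for net, n in counts.items() if n > threshold)


class BanList:
    """Remember which subnets were blocked and when each block expires."""

    def __init__(self, ttl=BAN_SECONDS):
        self.ttl = ttl
        self.active = {}   # subnet -> expiry time (seconds since epoch)

    def add(self, net, now):
        """Return the firewall command to run for a new block (none if already blocked)."""
        if net in self.active:
            return []
        self.active[net] = now + self.ttl
        return [f"iptables -I INPUT -s {net} -j DROP"]

    def expire(self, now):
        """Return the commands that remove blocks whose time is up."""
        done = [net for net, until in self.active.items() if until <= now]
        for net in done:
            del self.active[net]
        return [f"iptables -D INPUT -s {net} -j DROP" for net in done]


def _proc_row(remote_v4, state):
    """Build one constructed /proc/net/tcp6 row for a v4-mapped peer (demo data only)."""
    packed = ipaddress.IPv4Address(remote_v4).packed[::-1].hex().upper()
    remote = f"0000000000000000FFFF0000{packed}:C350"
    local = "00000000000000000000000000000000:01BB"
    return (f"   0: {local} {remote} {state} 00000000:00000000 00:00000000 "
            f"00000000     0        0 0 1 0000000000000000 100 0 0 10 0")


# Constructed snapshot: five half-open sockets from one /24, two from another,
# and one fully established connection that must not be counted.
SAMPLE_PROC = "\n".join(
    ["  sl  local_address  remote_address  st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode"]
    + [_proc_row(f"192.0.2.{i}", SYN_RECV) for i in (10, 11, 12, 13, 14)]
    + [_proc_row(f"198.51.100.{i}", SYN_RECV) for i in (5, 6)]
    + [_proc_row("203.0.113.9", "01")]   # 01 = ESTABLISHED
)

if __name__ == "__main__":
    counts = half_open_by_subnet(SAMPLE_PROC)
    bans = BanList()
    for net in subnets_to_block(counts):
        print("\n".join(bans.add(net, now=0)))
    print("\n".join(bans.expire(now=BAN_SECONDS)))
```

To run it against a live box, replace SAMPLE_PROC with the contents of /proc/net/tcp6 (and /proc/net/tcp if the listener is IPv4-only), pass time.time() as now, and hand the returned commands to subprocess.run; keep the ban list on disk so a restart of the monitor does not forget which rules it inserted.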
Joseph_sys Advocate
Joined: 08 Jun 2004 Posts: 2716 Location: Edmonton, AB
Posted: Wed Jan 15, 2025 9:34 pm Post subject:
I had a hacker from IP 108.181.90.174 who was scanning my server for non-existent files, scanning 5-13 times/second;
here is a sample:
Code:
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /advanced_search.php?categories_id=2&currency=USD&dfrom=mm/dd/yyyy&dto=mm/dd/yyyy&inc_subcat=1&language=en&manufacturers_id=1&pfrom=1&pto=1&search_in_description=1 HTTP/1.1" 200 33896
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /products_new.php?action=-1%20OR%202%2B980-980-1=0%2B0%2B0%2B1%20--%20&currency=USD&language=en&products_id=372 HTTP/1.1" 200 35619
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /product_reviews.php?currency=USD&products_id=364&reviews_id=153XduQLtdw')%20OR%20497=(SELECT%20497%20FROM%20PG_SLEEP(15))-- HTTP/1.1" 200 37389
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /products_new.php?action=-1%20OR%203%2B980-980-1=0%2B0%2B0%2B1%20--%20&currency=USD&language=en&products_id=372 HTTP/1.1" 200 35623
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /product_reviews_write.php?language=en'%7C%7CDBMS_PIPE.RECEIVE_MESSAGE(CHR(98)%7C%7CCHR(98)%7C%7CCHR(98)%2C15)%7C%7C'&page=2&products_id=364&reviews_id=153 HTTP/1.1" 302 -
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /products_new.php?action=-1%20OR%202%2B699-699-1=0%2B0%2B0%2B1&currency=USD&language=en&products_id=372 HTTP/1.1" 200 35564
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /product_reviews_write.php?language=en&page=2&products_id=364&reviews_id=153 HTTP/1.1" 302 -
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /product_reviews_info.php?action=buy_nowyxxmlId3';%20waitfor%20delay%20'0:0:15'%20--%20&currency=USD&language=en&products_id=364&reviews_id=153 HTTP/1.1" 200 28677
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /products_new.php?action=-1%20OR%203%2B699-699-1=0%2B0%2B0%2B1&currency=USD&language=en&products_id=372 HTTP/1.1" 200 35564
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /product_reviews_write.php?language=en'\"&page=2&products_id=364&reviews_id=153 HTTP/1.1" 302 -
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /advanced_search.php?categories_id=2&currency=USD&dfrom=mm/dd/yyyy&dto=mm/dd/yyyy&inc_subcat=1&keywords=the&manufacturers_id=1&pfrom=1&pto=1'%7C%7CDBMS_PIPE.RECEIVE_MESSAGE(CHR(98)%7C%7CCHR(98)%7C%7CCHR(98)%2C15)%7C%7C' HTTP/1.1" 200 34067
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /product_reviews_write.php?language=en%C0%A7%C0%A2%252527%252522%5C'%5C\"&page=2&products_id=364&reviews_id=153 HTTP/1.1" 302 -
108.181.90.174 - - [14/Jan/2025:08:56:52 -0700] "GET /products_new.php?action=-1'%20OR%202%2B748-748-1=0%2B0%2B0%2B1%20-
This was going on for over 1.5 hours, and eventually my apache log file became 4MB in size and the server locked up (apache wasn't responding).
Via htaccess I blocked: 108.181.90.0/23
but I would like to implement a solution via apache: if a user tries to search the server like this, block the connection.
[Administrator edit: changed [list] tags to [code] tags to preserve output layout. -Hu]
gentoo_ram Guru
Joined: 25 Oct 2007 Posts: 511 Location: San Diego, California USA
Posted: Wed Jan 15, 2025 10:33 pm Post subject:
I guess your use case is a little different than mine, because it appears that the remote host is accessing services that your web server is actually providing but doing so in a way that's messing with your server performance. In my case I'm seeing goofy network-level attacks and attempts to access CGI scripts and other services my server doesn't provide.
My approach would be to write scripts to read the apache access and/or error logs to look for patterns of access you'd like to block, and then add firewall rules to block those hosts and/or networks.
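The log-reading approach gentoo_ram suggests, applied to the kind of traffic Joseph_sys posted, as an added example (my code, not a script from the thread). It parses Apache's common log format, flags a client for either of the two behaviours visible in the sample above (a burst of requests within one second, and time-based or boolean SQL-injection probes in the query string, matched after URL decoding), and turns offenders into one DROP rule per /24 or, as Joseph_sys did by hand, per /23. The log lines, IP addresses and thresholds are constructed for the demo; commands are returned as strings for a dry run.

```python
"""Added example (my code, not a script from the thread): scan Apache
access-log lines for a per-second request burst and for SQL-injection
probe signatures, then emit one firewall rule per offending network.
Log lines are constructed; commands are returned as strings (dry run)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Common Log Format as written by Apache's default "common" LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures of the time-based and boolean probes seen in the thread's sample.
# They are matched against the URL-decoded request so %20/%2B encoding cannot hide them.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"pg_sleep\s*\(",
        r"waitfor\s+delay",
        r"dbms_pipe\.receive_message",
        r"\b(?:or|and)\s+\d+\s*[=+]",   # e.g. "OR 2+980-980-1=0+0+0+1"
    )
]


def analyze(log_text, rate_threshold=5):
    """Return {client_ip: [reasons]} for clients that burst or send probes.

    rate_threshold is requests within one wall-clock second; the thread's
    poster saw 5-13 per second from a single host."""
    per_second = Counter()   # (ip, epoch second) -> request count
    probes = Counter()       # ip -> number of requests matching a probe signature
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed or differently formatted line: skip, never crash the monitor
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_second[(ip, int(ts.timestamp()))] += 1
        decoded = unquote(m["path"])
        if any(p.search(decoded) for p in PROBE_PATTERNS):
            probes[ip] += 1

    peak = Counter()         # ip -> busiest single second
    for (ip, _sec), n in per_second.items():
        peak[ip] = max(peak[ip], n)

    offenders = {}
    for ip in set(peak) | set(probes):
        reasons = []
        if peak[ip] >= rate_threshold:
            reasons.append("burst")
        if probes[ip]:
            reasons.append("injection-probe")
        if reasons:
            offenders[ip] = reasons
    return offenders


def block_commands(offenders, prefix=24):
    """One DROP rule per offending network, deduplicated and sorted."""
    nets = {str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for ip in offenders}
    return [f"iptables -I INPUT -s {net} -j DROP" for net in sorted(nets)]


# Constructed log excerpt (documentation IP ranges): one host bursting six
# requests in a second with four probe payloads, one normal visitor, and one
# slow host that sends a single probe.
SAMPLE_LOG = """\
203.0.113.45 - - [14/Jan/2025:08:56:52 -0700] "GET /products_new.php?action=-1%20OR%202%2B980-980-1=0%2B0%2B0%2B1%20--%20&currency=USD HTTP/1.1" 200 35619
203.0.113.45 - - [14/Jan/2025:08:56:52 -0700] "GET /product_reviews.php?reviews_id=153')%20OR%20497=(SELECT%20497%20FROM%20PG_SLEEP(15))-- HTTP/1.1" 200 37389
203.0.113.45 - - [14/Jan/2025:08:56:52 -0700] "GET /product_reviews_write.php?language=en'%7C%7CDBMS_PIPE.RECEIVE_MESSAGE(CHR(98)%2C15)%7C%7C' HTTP/1.1" 302 -
203.0.113.45 - - [14/Jan/2025:08:56:52 -0700] "GET /product_reviews_info.php?action=x';%20waitfor%20delay%20'0:0:15'%20--%20 HTTP/1.1" 200 28677
203.0.113.45 - - [14/Jan/2025:08:56:52 -0700] "GET /products_new.php?products_id=372 HTTP/1.1" 200 35564
203.0.113.45 - - [14/Jan/2025:08:56:52 -0700] "GET /advanced_search.php?keywords=the HTTP/1.1" 200 34067
198.51.100.7 - - [14/Jan/2025:08:56:52 -0700] "GET /index.php HTTP/1.1" 200 1204
198.51.100.7 - - [14/Jan/2025:08:57:10 -0700] "GET /products_new.php?products_id=12 HTTP/1.1" 200 35000
192.0.2.8 - - [14/Jan/2025:09:10:03 -0700] "GET /products_new.php?action=-1%20OR%203%2B699-699-1=0%2B0%2B0%2B1 HTTP/1.1" 200 35564
"""

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for ip, why in sorted(found.items()):
        print(ip, ", ".join(why))
    print("\n".join(block_commands(found)))
```

Run it from cron or a log tail against the real access_log, and pair it with the expiring ban list from the earlier post so blocks are lifted again. If the goal is to stay inside Apache rather than the firewall, the same offender list can feed a `Require not ip` directive in the server config or .htaccess; the detection logic does not change, only where the result is written.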