
Mass attack on multiple wordpress sites hundred of IP addresses used

Comments

5 comments

  • GoMummyHosting
    Hello, as you said the attack brought down your server; in that case you must enable a hardware firewall with the help of the DC to mitigate the attack. CSF/cPHulk/ModSec are software firewalls which can protect you up to a certain level. Optimizing Apache/CSF will help you too; just tweak the following parameters accordingly.
    ~~~~~~~~~~~~~~~
    In Apache:
    MaxClients 150
    Timeout 300
    Minimum Spare Servers
    Maximum Spare Servers
    Max Request Workers
    ~~~~~~~~~~~~~~~
    In CSF:
    TESTING = "0"
    SMTP_BLOCK = "0"
    SYNFLOOD = "0"
    SYNFLOOD_RATE = "100/s"
    SYNFLOOD_BURST = "150"
    CONNLIMIT = ""
    PORTFLOOD = ""
    CC_DENY = ""
    LF_SCRIPT_ALERT = "0"
    LF_DIRWATCH_DISABLE = "0"
    CT_LIMIT = "0"
    PT_ALL_USERS = "0"
    ~~~~~~~~~~~~~~~
    0
  • quietFinn
    There is an option in CSF, LF_APACHE_404, might be worth checking.
    0
  • rackaid
    I see these scans often. The log snippet you provided did not show the error code. Did these sites send true 404 errors? I've seen some WP plugins cause issues with 404s. They route the request into WP, which, depending on the plugins, can cause performance issues.

    How were server loads during the attack? Did you check the Apache error log for notices about hitting MaxRequestWorkers? In some cases, simply providing more workers to Apache will mitigate the attack.

    Mod QoS

    I currently use mod_qos to deal with these attacks when upstream solutions are not available. Mod_QoS has various rate-limiting rules that can be powerful when dealing with large botnet attacks, especially if they are hitting multiple sites at the same time. I used to have a blog post on this but I think we removed it as it was outdated.

    The option QS_LocRequestLimitMatch can be powerful when you see the same URLs on multiple sites. This option limits concurrent connections to the specified location on a per-IP basis. This is over the entire server, not just a single site. So for example:

    QS_LocRequestLimitMatch /xmlrpc.php 2

    would permit just 2 requests/sec to xmlrpc.php. I have used these and similar rules to mitigate large botnets. The trick is identifying the right rules for the type of attack. QS_LocRequestPerSecLimitMatch is another good rule that limits on rate rather than number of connections. More info on
    0
  • cPanelLauren
    mod_qos is a really good suggestion for this issue; it's one of the module's biggest assets and it's pretty configurable.

    Quote: "mod_qos may be used to determine which requests should be served and which shouldn't in order to avoid resource oversubscription. The module collects different attributes such as the request URL, HTTP request and response headers, the IP source address, country codes, the HTTP response code, history data (based on user session and source IP address), the number of concurrent requests to the server (total or requests having similar attributes), the number of concurrent TCP connections (total or from a single source IP), and so forth."

    The LF_APACHE_404 suggestion is also a good one to implement - the full description on that can be found here:

    # This option will keep track of the number of "File does not exist" errors in
    # HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
    # seconds then the IP address will be blocked
    #
    # Care should be used with this option as it could generate many
    # false-positives, especially Search Bots (use csf.rignore to ignore such bots)
    # so only use this option if you know you are under this type of attack
    #
    # A sensible setting for this would be quite high, perhaps 200
    #
    # To disable set to "0"
    LF_APACHE_404 = "0"

    mod_security can facilitate blocking some attacks like this, but in order for mod_security to facilitate blocking this kind of issue you'd need to add some custom rulesets. It is primarily just DoS protection that it's able to provide as well - if it's a distributed attack it won't be able to be as effective. ModEvasive might also be an option; you can read about mod_evasive here: Apache Module: Evasive | cPanel & WHM Documentation
    0
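The two suggestions above (rackaid's per-location mod_qos limits and the LF_APACHE_404 threshold that cPanelLauren quotes) both start from the same question: which URLs are being hit from many sources at once, and which single IPs are generating runs of 404s. The script below is an added example written for this thread, not code from any poster, cPanel, CSF or mod_qos. It parses Apache combined-format access log lines (the lines are constructed samples embedded in the script), reports paths requested by many distinct IPs together with their peak requests per second, and applies the LF_APACHE_404 / LF_INTERVAL sliding-window rule to count 404s per IP. The thresholds `min_ips`, `limit` and `interval` are assumptions chosen for the sample data; on a real server you would feed it your own log and pick values the way the CSF comment suggests (high, e.g. 200).

```python
"""Access-log triage for a distributed scan (added example, not from the thread)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": m.group("path").split("?")[0],  # drop query string
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def hot_paths(records, min_ips=3):
    """Paths requested by at least `min_ips` distinct source IPs, with peak requests/second.

    A path that shows up here across many sites is the kind of target a
    QS_LocRequestLimitMatch / QS_LocRequestPerSecLimitMatch rule is written for.
    """
    ips = defaultdict(set)
    per_sec = defaultdict(Counter)
    for r in records:
        ips[r["path"]].add(r["ip"])
        per_sec[r["path"]][r["ts"].replace(microsecond=0)] += 1
    return {
        p: {"distinct_ips": len(s), "peak_rps": max(per_sec[p].values())}
        for p, s in ips.items()
        if len(s) >= min_ips
    }


def apache_404_offenders(records, limit, interval):
    """IPs with more than `limit` 404s inside any `interval`-second window.

    Mirrors the LF_APACHE_404 / LF_INTERVAL rule quoted above: sort each IP's
    404 timestamps and slide a window over them.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r["status"] == 404:
            by_ip[r["ip"]].append(r["ts"])
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > interval:
                start += 1
            if end - start + 1 > limit:
                offenders.add(ip)
                break
    return offenders


def _line(ip, ts, path, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    # five different IPs hitting xmlrpc.php in the same second
    *[_line(f"203.0.113.{i}", "12/Mar/2019:10:00:01 +0000", "/xmlrpc.php", 200) for i in range(1, 6)],
    _line("203.0.113.1", "12/Mar/2019:10:00:02 +0000", "/xmlrpc.php", 200),
    # one IP probing plugin paths that do not exist, seven 404s in seven seconds
    *[_line("198.51.100.7", f"12/Mar/2019:10:00:{s:02d} +0000", f"/wp-content/plugins/old{s}/readme.txt", 404)
      for s in range(3, 10)],
    # an ordinary visitor with a single stray 404
    _line("192.0.2.10", "12/Mar/2019:10:00:05 +0000", "/", 200),
    _line("192.0.2.10", "12/Mar/2019:10:00:40 +0000", "/missing", 404),
]


def analyze(lines, min_ips=3, limit=5, interval=60):
    """Parse lines and return (hot paths, 404 offenders)."""
    records = [r for r in map(parse_line, lines) if r]
    return hot_paths(records, min_ips), apache_404_offenders(records, limit, interval)


if __name__ == "__main__":
    hot, offenders = analyze(SAMPLE_LOG)
    for path, info in hot.items():
        print(f"{path}: {info['distinct_ips']} IPs, peak {info['peak_rps']} req/s")
    print("404 offenders:", sorted(offenders))
```

On the constructed data the xmlrpc.php endpoint is the only path reached from several addresses, and 198.51.100.7 is the only IP that would trip a low 404 threshold; with the "sensible" LF_APACHE_404 value of 200 from the CSF comment nothing is blocked, which is the point of setting it high so search bots and ordinary visitors are not caught.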
  • ffeingol
    Quote: "mod_qos is a really good suggestion for this issue; it's one of the module's biggest assets and it's pretty configurable."

    Sorry for digging up an old post, but I'm a bit confused. @cPanelLauren you're recommending mod_qos, but as far as I can see, it's not supported in EasyApache???
    0
