How to defend against GET and POST attacks?
Hello,
I am seeing this in the logs of my server, running WHM 11.46.0 (build 14) on CentOS 6.6, Apache+MySQL (5.5.40) (without ModSecurity right now). I have CSF enabled.
Enabled modules:
bwlimited + bw_ + cloudflare_ + ruid2_ + php5 + reqtimeout_ + pagespeed, with the usual requirements for WordPress.
120.174.97.2 - - [14/Nov/2014:02:22:48 +0100] "GET /?0Nge=XVlqFWYs2vciua HTTP/1.1" 200 14097 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_1_1) Gecko/20051207 Firefox/11.0"
120.174.97.3 - - [14/Nov/2014:02:22:48 +0100] "GET /?KP7Ue=00Oi202DUtt324&2g8=siID&ekrAyQuHHp=51IaLuKdvTkKVE HTTP/1.1" 200 14152 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_3_2) Gecko/20091405 Firefox/20.0"
120.174.97.4 - - [14/Nov/2014:02:22:48 +0100] "GET /?FH5VROBx=wCPRiMOw7FliIpv&8mo8o=mhfx231Y8Re HTTP/1.1" 200 14130 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20011708 Firefox/13.0"
120.174.97.5 - - [14/Nov/2014:02:22:48 +0100] "GET /?lk5k=vyB3vc0gcCnXnY&7pxqt0Mn=Oi7PBoT&j37W=cqKYEsoskSffwQ5&j6i8E=MjmYe HTTP/1.1" 200 14177 "http://www.yandex.com/2jvFA7mlMl?4nD=mUwl1&8AC=Fny2ol4bsQ&4sJPcw=bHdSQIMBwF8" "Mozilla/5.0 (Linux x86_64; X11) Gecko/20032806 Firefox/21.0"
120.174.97.6 - - [14/Nov/2014:02:22:48 +0100] "GET /?4nBbx=A3wo6QHgDhkxGHoCP&F661Cjrdq=5Gc5c4bAtOa2eHG8BYME HTTP/1.1" 200 14145 "http://www.bing.com/lDM2x7" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_7_4) Gecko/20063109 Firefox/17.0"
120.174.97.7 - - [14/Nov/2014:02:22:48 +0100] "GET /?jeluv=ikqsqFiE8UU8Wun1&b1eoi=PQXLo1RnjnHU2&xljC=VmnnL3gJTiwRW0q2FCAs&wWR8xOp=pTw&oIel=tutSwEfcN0G77 HTTP/1.1" 200 11499 "-" "Mozilla/5.0 (compatible; MSIE 6.1; Linux i386; Trident/4.0; X11)"
120.174.97.8 - - [14/Nov/2014:02:22:48 +0100] "GET /?PWA=sDsWlD66oTp888&bXaWu6XPM=mxeGP7FPUbKwqQ8&pk05aq=KBG2GaLpsJq5KeS8x HTTP/1.1" 200 11469 "http://www.bing.com/HXWt0Rw?3s7L6h=l0h8oOoxlHGf2y2i&RWl=fqmGoRjqejj&HV4Rgtupj=IiALPfNUueGhFFFElv&SSb=WBrqb2kkyuYIuuTlQ8&x23fK0O=VbaR&EtiQRLkcT=rrocq0436jBvWdI34K3&5wMF=pRe2DIQyIYdMKc2JY7W&Ij2vn=gtPHEn&3Uf=2FxeqL&Aa4j=RqGIaypXbbp" "Mozilla/5.0 (compatible; MSIE 6.1; Linux i386; .NET CLR 1.3.22475; X11)"
120.174.97.9 - - [14/Nov/2014:02:22:48 +0100] "GET /?NExOFIqNAG=CdRHqqccwLPj&LN1Qct=fc80yxrQ&1f333UOK7b=2FyHDBtRX&kPURRV0=7XPjXFOacKRohyWV1 HTTP/1.1" 200 14201 "-" "Mozilla/5.0 (Linux i386; X11) AppleWebKit/536.19 (KHTML, like Gecko) Version/5.1.0 Safari/536.29"
How do you block this attack? Though the above logs show GET requests only, I've also seen POST requests in the logs. All from different IP addresses. CSF is not picking up the attack due to the large number of different IPs and the slow attack rate, but it is exhausting my server's resources quickly. Any idea how this can be achieved? Any help/suggestions are appreciated. Regards,
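As an added example (not from this thread or from CSF/cPanel), here is a small Python script that parses Apache combined-format lines like the ones above, flags requests to `/` whose query parameters look machine-generated, and groups them by /24 and by second, so that a slow flood spread across adjacent addresses stands out even when each individual IP stays under a per-host rate limit. The sample log lines, the 0.75 "random token" threshold and the 3-host minimum are constructed assumptions for illustration.

```python
import re
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache combined log: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the pattern in the question (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.2 - - [14/Nov/2014:02:22:48 +0100] "GET /?0Nge=XVlqFWYs2vciua HTTP/1.1" 200 14097 "-" "Mozilla/5.0 (X11) Firefox/11.0"
203.0.113.3 - - [14/Nov/2014:02:22:48 +0100] "GET /?KP7Ue=00Oi202DUtt324&2g8=siID HTTP/1.1" 200 14152 "-" "Mozilla/5.0 (X11) Firefox/20.0"
203.0.113.4 - - [14/Nov/2014:02:22:48 +0100] "POST /?FH5VROBx=wCPRiMOw7FliIpv HTTP/1.1" 200 14130 "http://www.bing.com/lDM2x7" "Mozilla/5.0 (Windows NT 6.1) Firefox/13.0"
203.0.113.5 - - [14/Nov/2014:02:22:48 +0100] "GET /?lk5k=vyB3vc0gcCnXnY&j37W=cqKYEsoskSffwQ5 HTTP/1.1" 200 14177 "-" "Mozilla/5.0 (Linux x86_64) Firefox/21.0"
198.51.100.7 - - [14/Nov/2014:02:22:49 +0100] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0 (X11) Firefox/33.0"
198.51.100.8 - - [14/Nov/2014:02:23:10 +0100] "GET /?p=123 HTTP/1.1" 200 14001 "https://example.net/" "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0"
"""


def looks_random(token: str) -> bool:
    """Heuristic: generated names/values mix digits with letters or mix case; real ones rarely do."""
    if len(token) < 3:
        return False
    has_digit = any(c.isdigit() for c in token)
    mixed_case = any(c.isupper() for c in token) and any(c.islower() for c in token)
    return has_digit or mixed_case


def is_junk_request(path: str, threshold: float = 0.75) -> bool:
    """True for a request to the site root whose query tokens are mostly random-looking."""
    parts = urlsplit(path)
    if parts.path != "/" or not parts.query:
        return False
    tokens = [t for pair in parse_qsl(parts.query, keep_blank_values=True) for t in pair]
    return bool(tokens) and sum(map(looks_random, tokens)) / len(tokens) >= threshold


def find_subnet_floods(log_text: str, min_hosts: int = 3):
    """Return (network, second, distinct_hosts) for /24s sending junk requests from many hosts at once."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_junk_request(m["path"]):
            net = ipaddress.ip_network(f"{m['ip']}/24", strict=False)  # collapse to the /24
            buckets[(str(net), m["time"])].add(m["ip"])
    return sorted((net, ts, len(ips)) for (net, ts), ips in buckets.items() if len(ips) >= min_hosts)


if __name__ == "__main__":
    for net, ts, n in find_subnet_floods(SAMPLE_LOG):
        # Review before applying: a whole /24 may contain legitimate visitors.
        print(f"{ts}: {n} hosts in {net} sent junk-query requests; candidate block: csf -d {net}")
```

Run it against `/usr/local/apache/domlogs/<domain>` output instead of `SAMPLE_LOG` to see which networks it would have flagged; the printed `csf -d` line is a suggestion for csf.deny, not something the script applies.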
Enable modsec and get the Atomic (paid) rules installed. Also enable ipset and all the CSF blocklists, as they block tens of thousands of known attackers (with ipset enabled in CSF it's not a problem blocking tens or hundreds of thousands of IPs).
Thanks for your response, qwerty. Yes, of course you can get paid Atomic rules or the free Comodo WAF to defend against these types of attacks. Unfortunately, these IPs were not in a known blacklist/bogon list, so conventional blocklists were quite useless. My dirty fix seems to work better and without the overhead of massive ModSec rules.
77.19.65.35 - - [05/Dec/2014:12:25:51 +1100] "GET /?gynqBT=UM7QkyDVXHsEc2ceS&Jwod1oCrH=qQlnGT1wp&L1r8a0=tqOa5W5qoYVGQhdh&ajGU4oU=06NeOO6b2H2FSbyrXnJT HTTP/1.1" 301 195 "-" "Mozilla/5.0 (Windows; U; MSIE 6.1; Windows NT 6.3; .NET CLR 2.3.17605; WOW64)"
77.19.65.36 - - [05/Dec/2014:12:25:51 +1100] "GET /?pArXJOGnYs=ttdbDRRTkGH&Uxjy=d0XIBQujmPjJ8up HTTP/1.1" 301 195 "http://www.yandex.com/tyM6d?M7KAn8tL=ck24XlpA8XQt&K270qe=yfuX2YtYu3sdToJd7nd" "Mozilla/5.0 (Windows; U; MSIE 9.0; Linux i386; .NET CLR 2.0.5113; X11)"
77.19.65.37 - - [05/Dec/2014:12:25:51 +1100] "GET /?cFP7lHLxC=8UPl4yyUVJCPsxlYi&xvs2YQ4kPu=vJOsra&y6k2MujvNy=SA8eVdFgB5mBngW&FRpm=AtOAsn5C HTTP/1.1" 301 195 "http://www.google.com/DnylnB" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_2) AppleWebKit/537.20 (KHTML, like Gecko) Chrome/10.0.1522.27 Safari/535.1"
77.19.65.38 - - [05/Dec/2014:12:25:51 +1100] "GET /?C2c3Clssjj=gUep0J4W7jleFlxjpf&Y4Vn=vjedaA2PrH5fhUIM2dVy HTTP/1.1" 301 195 "http://www.baidu.com/Nkpl3?OkCa1J=2iuth&exnhyYEb5=5nPCKK7U4s1IcBXOFm&SM8myEnmq=k7APeETd5oBeUSLUJ&SwYDmD33=MliFgJk1Nxr3d4KKmQ&17bSdB=NdDBFNb8lrdt" "Mozilla/5.0 (Windows; U; MSIE 10.0; Windows NT 6.3; .NET CLR 3.5.24615; Win64; x64)"
77.19.65.39 - - [05/Dec/2014:12:25:51 +1100] "GET /?arxbROdDhH=FAbe3VlWhqcUnVIC&Xbi7G=txKEd3L3rRuw6LuO80T&T2oymH0=ovt HTTP/1.1" 301 195 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Linux i386; .NET CLR 1.4.24122; X11)"
77.19.65.40 - - [05/Dec/2014:12:25:51 +1100] "GET /?44C=pa0U0ISSO4h0fciOyBN&DlRcJI6I=2U1O7DWgof&dcv=83PxLbKH&RbA=6goFw6JWBuH2VMfr&AbgL=5u4jsp70 HTTP/1.1" 301 195 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_8_0) Gecko/20021008 Firefox/11.0"
77.19.65.41 - - [05/Dec/2014:12:25:51 +1100] "GET /?K6HfewjI=KFwfklm8ORE&OGaCQXWmh=mK0by5Ei1g&D2KjAA=MeDst77J&YEBfaBR=BrYRUAq341b HTTP/1.1" 301 195 "http://www.google.com/JPjcN?807=XehfHOAmoSy&FxABniE6qn=Jsl4VhKsHDeYI" "Mozilla/5.0 (Windows; U; MSIE 10.0; Windows NT 6.3; .NET CLR 3.5.24615; Win64; x64)"