Blocking httpd floods
Hi,
I'm having an issue where one site on the server is being constantly flooded with httpd requests from ranges of IPs. Typically there might be 40 or 50 concurrent requests from 15 or 20 consecutive IP addresses from some random European hosting company. I do use CSF but I can't use the CT_Limit section to help with this, because it's distributed. If I set the limit low enough to catch any individual IP, I'm bound to get false positives. It would be ideal if CSF was only looking at the first 3 octets... that would be close enough :-)
Any suggestions? It is just one site, and mostly all attacks from one region. I suppose I could try blocking a geo region in an htaccess file, so it's not effecting the entire server.
You can block an IP range via your CSF firewall. If you need to whitelist or block a range of IP addresses using CSF, it can be done, but you need to use the CIDR format. For example, to block 192.168.0.0 to 192.168.0.255 you would add 192.168.0.0/24 to the blocked list. If you are unsure how to convert a range of IPs to CIDR, I find the following site helpful. You enter the starting IP and ending IP, and it will create the CIDR entries for you. ip2cidr.com
Thanks Muhammed. I know (and do) that... it's identifying the ranges programmatically that would be nice. Monitoring logs and then manually blocking them is like playing 'whack a mole'.
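The two pieces the thread asks for, converting a start/end IP range to CIDR (as in the reply above) and spotting floods by the first three octets rather than by single address, can both be done with Python's standard library. The script below is an added example, not code from the thread or from CSF; it assumes Apache "combined" log lines, a /24 grouping and a hit threshold you pick yourself, and the log lines are constructed for the demonstration.

```python
"""Group Apache access-log hits by /24 and emit csf.deny-style entries.

Added example (not from the forum thread or from CSF). Assumptions:
  - log lines are in Apache "combined" format;
  - grouping by /24 (prefix_len) and the threshold are site-specific choices.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network, summarize_address_range

# Client IP is the first field of a combined-format line; the rest is sanity-checked loosely.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample log (TEST-NET addresses, not real traffic): one /24 hammering the
# events calendar from several consecutive hosts, plus background traffic and a bad line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /calendar/2023/10 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Oct/2023:13:55:36 +0000] "GET /calendar/2023/11 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /calendar/2023/12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2023:13:55:37 +0000] "GET /downloads/?page=3 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /calendar/2024/01 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Oct/2023:13:55:41 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Googlebot/2.1"
this line is not a valid log entry and must be skipped
"""


def range_to_cidr(start, end):
    """Minimal list of CIDR blocks covering start..end inclusive (what ip2cidr.com does)."""
    return [str(n) for n in summarize_address_range(ip_address(start), ip_address(end))]


def hits_per_prefix(lines, prefix_len=24):
    """Count requests per IPv4 /prefix_len network; unparsable lines and IPv6 are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            addr = ip_address(m["ip"])
        except ValueError:
            continue
        if addr.version != 4:
            continue  # /24 only makes sense for IPv4; IPv6 would need e.g. /64
        net = ip_network(f"{addr}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def flooding_prefixes(counts, threshold):
    """Prefixes whose aggregate hit count reaches the threshold, busiest first."""
    return [net for net, n in counts.most_common() if n >= threshold]


def csf_deny_lines(prefixes, comment="distributed httpd flood"):
    """Render 'CIDR # comment' lines in the form csf.deny accepts."""
    return [f"{p} # {comment}" for p in prefixes]


if __name__ == "__main__":
    print(range_to_cidr("192.168.0.0", "192.168.0.255"))
    counts = hits_per_prefix(SAMPLE_LOG.splitlines())
    for line in csf_deny_lines(flooding_prefixes(counts, threshold=4)):
        print(line)
```

Run it against a window of the real access log (for example the last few minutes via `tail`) and review the output before appending anything to csf.deny; the threshold should sit well above what a legitimate office NAT or a real crawler produces in that window, which is exactly the false-positive concern raised later in the thread.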
I do use CSF but I can't use the CT_Limit section to help with this, because it's distributed.
You should use this. It will help.
You should use this. It will help.
I guess what I'm concerned about, is that I currently have it set to 300, which is the recommended value. These floods are being distributed across ranges of IP addresses. I would have to set the value to somewhere in the neighbourhood of 40 or 50 to catch any of the individual addresses, which I'm sure would lead to all sorts of false positives with IMAP/FTP and likely even HTTP connections. Am I understanding this wrong?
I use the default settings as well. I also use very low numbers for Login Failure Blocking and Alerts options. X failed logins, and you're kicked to the curb. Searching my inbox for: blocked distributed attack
Have you considered using ModSecurity's connections engine? You can limit simultaneous read/write connection states per IP. Reference Manual - SpiderLabs/ModSecurity Wiki - GitHub
In short, turn on the connections engine in WHM modsecurity settings, and in your modsec2.user.conf file add the settings such as:
SecConnReadStateLimit 20 "!@ipMatch 127.0.0.1"
SecConnWriteStateLimit 20 "!@ipMatch 127.0.0.1"
This would limit individual IPs, other than localhost, to 20 apache connections in the read state or write state per IP address. It may not help with extremely distributed stuff but it's a good place to start. I have not tested it but you may get away trying to put those in a userdata / custom vhost config for the domain itself as opposed to modsec2.user.conf, so that tighter limits can be set affecting only one domain. I'm not sure that's supported but I don't see why it wouldn't be. Regardless I've seen a lot of people use these settings server-wide with some success. YMMV.
Ya. That's great for that. In my case, it's not distributed dictionary attacks... it's just bots endlessly crawling through events calendars and file download areas, ignoring robots.txt files, not even identifying themselves as bots.... just flooding with http requests, that look legit other than the pattern and the volume. I'll have a closer look at that area of CSF config though. It's been a while since I really read it through line-by-line. Thanks :-)
Have you considered using ModSecurity's connections engine? you can limit simultaneous read/write connection states per IP.
I wasn't aware of that. Thanks for the pointer!