Skip to main content

Help Mitigating High Volume Distributed Attack on Port 443 Targeting GET /moodlee/index.php?

Oktavia Iw

## Problem Description

I'm experiencing a distributed attack targeting port 443 on my server. The attack has these characteristics:

- Originates from numerous random IP addresses
- Automatically rotates IPs when blocked
- Target requests consistently begin with "GET /moodlee/index.php?" followed by varying parameters
- Uses what appears to be a botnet with millions of IPs

## What I've tried

1. Implemented configuration connection rate limiting (2/sec) in LiteSpeed
2. Applied similar limits in CSF firewall
3. Activated CAPTCHA verification

All these measures have proven ineffective because:
- The attack distributes requests across millions of IPs
- New IPs immediately replace blocked ones
- Traffic floods the webserver despite CAPTCHA being active

## Question

What would be an effective approach to block this distributed attack at the firewall level before it reaches my webserver? I believe filtering at the server firewall level would be most effective, but I need specific implementation guidance.

## Environment
- Web server: LiteSpeed
- Firewall: CSF

- Cloudlinux 8

If there is someone who can help configuration and provide a solution I would be very grateful.

Comments

3 comments

Date Votes
  • cPRex Jurassic Moderator

    Hey there!  If the attack is really that large there isn't going to be anything I can recommend on my end, and CSF likely isn't advanced enough to handle that.  You'll want to look into an external hardware firewall or a tool like Cloudlfare in order to handle that type of traffic.

    0
  • Oktavia Iw

    When i'am remove the domain, attacker auto change target to other domain.

    0
  • InterServed
    • Edited

    I would make sure that the captcha is working as expected with litespeed.

    If you want it applied to all users globally, use:
    Insert the Rewrite Rule Edit or create the file: /etc/apache2/conf.d/userdata/captcha.conf
    Restart LiteSpeed: /scripts/restartsrv_httpd

    If applying it per domain, use:
    /etc/apache2/conf.d/userdata/std/2_4/yourusername/yourdomain.com/captcha.conf
    Restart LiteSpeed: /scripts/restartsrv_httpd

    <IfModule LiteSpeed>
    RewriteEngine On

    # If the query string contains 'Site_ID=acgwin', trigger CAPTCHA
    RewriteCond %{QUERY_STRING} (^|&)Site_ID=acgwin($|&) [NC]
    RewriteRule .* - [E=verifycaptcha:deny]

    </IfModule>
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post