DDoS attack

  #1  
Old 05-24-2009, 03:15 PM
newbie_security newbie_security is offline
Junior Guru Wannabe
 
Join Date: May 2009
Posts: 34

DDoS attack


Hello,
Recently I have been under DDoS attacks, and what they do is have different servers wget a certain file, so it's all pretty much HTTP.
For example: I had 10000 wget site.com/file.rar from IP x.x.x.x,
and then the same wget from IP y.y.y.y.
Now the question is: how could I block this?

Is there a way in apache2 to limit downloads per IP (for example 1 GB/IP)?

Thanks

  #2  
Old 05-24-2009, 05:34 PM
mwatkins mwatkins is offline
Web Hosting Master
 
Join Date: Nov 2001
Location: Vancouver
Posts: 2,416
If it is just one or two or a few IPs making a great many requests, you could block them in

a) Apache (via .htaccess or httpd.conf directives)
b) Apache (via test of user agent - disallow all wget (not nice really))
c) block via iptables if running Linux / pf or other BSD friendly firewall
d) add a null route

At least c + d have been discussed here pretty recently - search "this forum" to search only Technical and look for iptables.

__________________
“Even those who arrange and design shrubberies are under
considerable economic stress at this period in history.”

  #3  
Old 05-24-2009, 06:42 PM
CodyRo CodyRo is online now
Web Hosting Master
 
Join Date: Feb 2006
Location: Buffalo NY
Posts: 1,157
Quote:
Originally Posted by mwatkins View Post
If it is just one or two or a few IPs making a great many requests, you could block them in

a) Apache (via .htaccess or httpd.conf directives)
b) Apache (via test of user agent - disallow all wget (not nice really))
c) block via iptables if running Linux / pf or other BSD friendly firewall
d) add a null route

At least c + d have been discussed here pretty recently - search "this forum" to search only Technical and look for iptables.
Also alternatively there are some Apache modules that can limit the amount of requests from a single IP:

http://dominia.org/djao/limitipconn.html

__________________
Cody R. - Chief Technical Officer
Quality Shared and VPS Hosting
Hawk Host Inc. Proudly serving websites since 2004
PHP 5.3 & PHP 5.4 Support!

  #4  
Old 05-24-2009, 07:03 PM
newbie_security newbie_security is offline
Junior Guru Wannabe
 
Join Date: May 2009
Posts: 34
Well, it's not one single IP; they use up to 50 servers to do this. Any other ideas?

  #5  
Old 05-24-2009, 07:20 PM
newbie_security newbie_security is offline
Junior Guru Wannabe
 
Join Date: May 2009
Posts: 34
Quote:
Originally Posted by mwatkins View Post
If it is just one or two or a few IPs making a great many requests, you could block them in

a) Apache (via .htaccess or httpd.conf directives)
b) Apache (via test of user agent - disallow all wget (not nice really))
c) block via iptables if running Linux / pf or other BSD friendly firewall
d) add a null route

At least c + d have been discussed here pretty recently - search "this forum" to search only Technical and look for iptables.

How could I disallow wget?

  #6  
Old 05-24-2009, 07:36 PM
afree2 afree2 is offline
Junior Guru Wannabe
 
Join Date: Oct 2007
Posts: 62
Try this one:
RewriteCond %{HTTP_USER_AGENT} ^wget

  #7  
Old 05-24-2009, 09:19 PM
mwatkins mwatkins is offline
Web Hosting Master
 
Join Date: Nov 2001
Location: Vancouver
Posts: 2,416
Quote:
Originally Posted by newbie_security View Post
Well, it's not one single IP; they use up to 50 servers to do this. Any other ideas?
Easiest - requires only configuring what you've got: what I suggested re blocking the wget client; afree2 above gave you the goods on how. Some time after the attack, disable that rule -- there are perfectly legitimate users who will download files using wget and such tools. Just not 5000 times a day!

Requiring installation of new software: an Apache module such as CodyRo mentioned - something to limit the number of requests - is probably the "easiest" for someone new to managing servers to deal with. Provided it gives enough tuning flexibility that you aren't blocking legitimate users or web crawlers, this is not a bad option.

Not too hard - easy if comfortable with grep, text tools and scripting: if the list of servers is not expanding, you can grab their IPs from your logs (grep, cut, sort, uniq and such are made for this) and then feed that into a script which null routes or drops them.

Harder but more versatile: I prefer to deal with such things ahead of the web server, because the same problem you are having today could tomorrow show up on an ssh server or FTP server or mail server or DNS server. Given a choice I'd rather implement a solution that can work for all such scenarios.

Typically this means putting rules in a firewall that add an offending IP to a block table, based on observed behaviour. iptables (Linux) can be configured to do this, but common implementations require another module (the "recent" module) built to support this. Here's a random link from the internet showing someone who has done this to protect their sshd from attacks: http://hostingfu.com/article/ssh-dic...-with-iptables

On BSDs like OpenBSD or FreeBSD the capability is built into "pf" and is quite simple to implement.

__________________
“Even those who arrange and design shrubberies are under
considerable economic stress at this period in history.”

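A worked version of the log-mining step mwatkins describes above (pull the offending IPs out of the access log with text tools, then feed them to a script that drops them), added here as an example and not code from the thread. It assumes Apache's combined log format (client IP in field 1, request path in field 7); the sample log lines, the path /file.rar and the threshold are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: count per-client requests for one file
# in an Apache combined-format access log and emit firewall rules for the
# heavy hitters. Constructed sample data; RFC 5737 documentation addresses.

# Constructed sample log: one client fetches file.rar 4 times, one 3 times,
# and a normal visitor (192.0.2.1) once via a browser.
sample_log() {
  cat <<'EOF'
198.51.100.7 - - [24/May/2009:15:01:02 -0700] "GET /file.rar HTTP/1.0" 200 1048576 "-" "Wget/1.11.4"
198.51.100.7 - - [24/May/2009:15:01:03 -0700] "GET /file.rar HTTP/1.0" 200 1048576 "-" "Wget/1.11.4"
203.0.113.9 - - [24/May/2009:15:01:04 -0700] "GET /file.rar HTTP/1.0" 200 1048576 "-" "Wget/1.11.4"
198.51.100.7 - - [24/May/2009:15:01:05 -0700] "GET /file.rar HTTP/1.0" 200 1048576 "-" "Wget/1.11.4"
203.0.113.9 - - [24/May/2009:15:01:07 -0700] "GET /file.rar HTTP/1.0" 200 1048576 "-" "Wget/1.11.4"
192.0.2.1 - - [24/May/2009:15:01:08 -0700] "GET /file.rar HTTP/1.1" 200 1048576 "http://site.example/" "Mozilla/5.0"
203.0.113.9 - - [24/May/2009:15:01:09 -0700] "GET /file.rar HTTP/1.0" 200 1048576 "-" "Wget/1.11.4"
198.51.100.7 - - [24/May/2009:15:01:10 -0700] "GET /file.rar HTTP/1.0" 200 1048576 "-" "Wget/1.11.4"
EOF
}

# offenders LOGFILE PATH THRESHOLD
# Prints "count ip" for each client that requested PATH at least THRESHOLD
# times, busiest first. Counting per path keeps a visitor who fetched the
# file once off the list.
offenders() {
  awk -v path="$2" -v min="$3" '
    $7 == path { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip }
  ' "$1" | sort -rn
}

# block_commands LOGFILE PATH THRESHOLD
# Turns the offender list into the iptables DROP rules from post #2 (c).
# Printed, not executed, so an operator reviews the list first; pipe into
# sh to apply, and remove the rules again once the attack is over.
block_commands() {
  offenders "$@" | while read -r count ip; do
    printf 'iptables -I INPUT -s %s -j DROP  # %s requests\n' "$ip" "$count"
  done
}

# Stand-alone run over the constructed sample (threshold 3 requests).
main() {
  tmp=$(mktemp)
  sample_log > "$tmp"
  block_commands "$tmp" /file.rar 3
  rm -f "$tmp"
}
```

On a real server replace sample_log with the live access log (for example /var/log/apache2/access.log) and raise the threshold to something far above what one legitimate downloader would ever do.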
  #8  
Old 05-25-2009, 03:03 AM
newbie_security newbie_security is offline
Junior Guru Wannabe
 
Join Date: May 2009
Posts: 34
Do I put that user_agent code in the .htaccess of the root folder of the website?

RewriteCond %{HTTP_USER_AGENT} ^wget

  #9  
Old 05-25-2009, 11:00 AM
mwatkins mwatkins is offline
Web Hosting Master
 
Join Date: Nov 2001
Location: Vancouver
Posts: 2,416
ns:

There are a couple of approaches you can use. afree2 mentioned RewriteCond -- this wasn't a recipe but a hint at where to go next. I'll fill in some more details but am typing fast and don't have time to verify this. That said if you take either of these approaches and keep the link to the docs in hand, you should be up and running in no time.

If you run into issues it'll likely be simple configuration changes you need to track down in either httpd.conf or .htaccess (choose one or the other but not both... httpd.conf preferred) depending on which way you go, but either of these approaches will work.

Note: if your site doesn't already use .htaccess files, *and* you have access to httpd.conf via the command line or a control panel, then don't add .htaccess files to the mix. Wherever possible I disable .htaccess for performance reasons and do it once in httpd.conf where these sorts of rules really belong.

If you don't need .htaccess for any other purpose, and can implement your solution in httpd.conf (presumes you have access/authority to do so) then disable .htaccess in httpd.conf within your virtual host definition as so:

Code:
<Directory /path/to/my/docroot>
    AllowOverride None
</Directory>
Moving right along now...

Approach 1: mod_rewrite

Required for either the .htaccess or the httpd.conf configuration style: you need to enable mod_rewrite; if using virtual hosts, follow this.

In httpd.conf within your virtual host definition, or in the / .htaccess file:

Code:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^wget [NC]
RewriteRule ^.* - [F,L]
See also:
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
http://httpd.apache.org/docs/2.2/rew...ite_flags.html

Approach 2: Access

Another approach also uses what you already have - Apache - through the fairly simple Allow, Deny access mechanism. We'll use an environment variable to trigger a Deny action.


Step 1: First we are going to set an environment variable for user agents we don't like. This line goes in httpd.conf in the virtual host definition, or in .htaccess in your web site's root directory:

Code:
SetEnvIfNoCase User-Agent "^wget" attackers
If you later discover other user agents you wish to block, you can just add additional lines.

Step 2: Block requests based on the environment variable "attackers" that we've set up:

IF in httpd.conf:
Code:
<Directory "/home/yoursite/public_html/">
        Order Allow,Deny
        Allow from all
        Deny from env=attackers
</Directory>
IF in .htaccess (be sure you don't have any .htaccess in subdirectories of the site which overturns this "policy"):

Code:
# .htaccess:
Order Allow,Deny
Allow from all
Deny from env=attackers
Reference:
http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html

HTH.

__________________
“Even those who arrange and design shrubberies are under
considerable economic stress at this period in history.”

  #10  
Old 05-26-2009, 03:56 AM
newbie_security newbie_security is offline
Junior Guru Wannabe
 
Join Date: May 2009
Posts: 34
How does hotlink protection work?
Because they can easily change the user_agent with wget -U firefox.
How can I do hotlink protection so they can only download if they are referred by a certain website?

  #11  
Old 05-26-2009, 08:57 AM
brianoz brianoz is offline
Web Hosting Master
 
Join Date: Nov 2004
Location: Australia
Posts: 1,462
Doesn't CSF automatically block sites doing HTTP floods like this?

  #12  
Old 05-26-2009, 09:10 AM
IRCCo Jeff IRCCo Jeff is online now
CISSP, CISA
 
Join Date: Aug 2002
Location: Los Angeles, CA
Posts: 5,113
Quote:
Originally Posted by brianoz View Post
Doesn't CSF automatically block sites doing HTTP floods like this?
It will if it's the same small group of IPs doing the attacking and you have CT activated. We've experienced a wave of attacks recently that use 5000 - 10,000 bots, and each one will send one or two requests here and there to avoid detection.

__________________
Black Lotus - Carrier Neutral Datacenter & DDoS Mitigation Solutions
Access to over 200 carriers | 60A per cabinet | Local, remote, proxy, and BGP GRE DDoS protection

>>> Take a virtual tour of the Black Lotus LA2 datacenter, our own Tier III facility


  #13  
Old 05-26-2009, 06:11 PM
atariko atariko is offline
Junior Guru Wannabe
 
Join Date: Apr 2009
Location: North America
Posts: 49
You could try something like mod_cband... It's easy to use.

__________________
Try out my opensource software DDoS Mitigation system at http://daedalous.net/
