Over 200 requests per second from the same 5 IPs

chasebug · #1 10-19-2009, 03:16 PM

I block them in htaccess but their repeated attacks is making my server load crazy.
I installed AFP but it doesn't do anything, where do I set rules on automatic blocking?

**Chris_M** · #2 10-19-2009, 03:20 PM

If you know the IP's just do apf -d IP# for each and forget it.

CodyRo · #3 10-19-2009, 05:48 PM

Assuming it's Linux based:

Code:

iptables -A INPUT -s 1.2.3.4 -j DROP

TheServerExperts · #4 10-19-2009, 06:02 PM

Did you try dos deflate?

http://deflate.medialayer.com

madaboutlinux · #5 10-19-2009, 06:05 PM

Quote:

Originally Posted by chasebug

I block them in htaccess but their repeated attacks is making my server load crazy.
I installed AFP but it doesn't do anything, where do I set rules on automatic blocking?

If the IPs are similar, block the IP using route:

route add IPADDR reject

where, IPADDR is the IP address of the attacker.
'reject' install a blocking route, which will force a route lookup to fail.

plumsauce · #6 10-19-2009, 08:10 PM

Have you traced back the ip addresses to find out who they belong to?

Once you know who manages the ip blocks, you need some logs. Write to the abuse and noc addresses for the company who has been assigned those addresses. Explain briefly and accurately what is happening and that it is coming from machines within their ip space and ask them to please attend to it. They will probably ask for logs. It may take some days, but in most cases they will determine whether the source machine is compromised or run by a rogue operator and take the appropriate action.

adminpaul · #7 10-19-2009, 08:29 PM

Install csf + lfd and block the ip using the command csf -d <IP>

TailoredVPS · #8 10-19-2009, 08:45 PM

Quote:

Originally Posted by CodyRo

Assuming it's Linux based:

Code:

iptables -A INPUT -s 1.2.3.4 -j DROP

Yes, I would recommend using iptables as well.

chasebug · #9 10-20-2009, 02:46 AM

Using apf -d IP# to block IP now.

Is iptable better and why is it better?

madaboutlinux · #10 10-20-2009, 03:06 AM

Quote:

Originally Posted by chasebug

Using apf -d IP# to block IP now.

Is iptable better and why is it better?

APF and CSF firewalls use iptables itself. These firewalls have made it easy to deal with blocking IPs on different criteria and various alerts for people those who are not use to with iptables.

BudWay · #11 10-20-2009, 09:08 AM

Install csf and use rate limiting to try to block/cease this.

inspiron · #12 10-20-2009, 09:22 AM

Yes, get install the csf firewall and try using the command given below,

# csf -d IPaddress

eth00 · #13 10-20-2009, 11:36 AM

If you do install either APF or CSF don't use the direct iptables commands, as soon as you restart the firewall (which happens daily) the rules will be lost. For just blocking the IP like you want either will be just fine.

If properly setup apf -d or csf -d should be blocking it. If it is not then something is probably setup wrong or your kernel may not support all of the required iptables modules.

I would also suggest contacting the abuse dept for those ips, that may help depending on what country they are in.