
02-11-2010, 06:31 PM
WHT Addict
Join Date: Jun 2006
Posts: 172

I am suffering from this.
I think the attacker keeps using proxies, because whenever I block his current IP (obtained from the cPanel raw log), a new IP continues the work from there!!
I keep blocking that range of IPs, as in xxx.xxx.xxx.0/24,
so all 255 IPs are blocked,
but this is frustrating and time consuming.
This way he may be able to consume 600 GBs of bandwidth a month.
All the requests are either HTTP 404, which doesn't really consume that much bandwidth,
or HTTP 206 (incomplete file download), which could also be due to worms and bots.
Any ideas guys?
I'm on a shared host.
Thanks

02-11-2010, 07:27 PM
Junior Guru Wannabe
Join Date: Jan 2010
Posts: 68

Have you tried contacting your shared host about this and gotten their advice?
They may be able to help.

02-11-2010, 08:12 PM
Disabled
Join Date: Jun 2005
Posts: 587

Hello,
Seems that it is a SYN* attack, and contacting your hosting provider would be the first and most important step.

02-11-2010, 09:32 PM
Junior Guru Wannabe
Join Date: Nov 2004
Posts: 70

What kind of resources are being requested? Images, zip files, etc.?
Consider enabling "Hot Link Protection" for the requested files' extensions, as most bots/attacks do not supply the right referrer.

02-12-2010, 12:35 AM
New Member
Join Date: Feb 2010
Posts: 3

Try to use _FREE_ Online Antibotware Service (hxxp://ab.ersca.com)

02-12-2010, 08:41 AM
WHT Addict
Join Date: Jun 2006
Posts: 172

Thank you guys.
I contacted their support.
They are HostGator btw,
and their service is excellent in every single aspect,
but they didn't really do much regarding this.
I guess it's my own problem,
and either I figure out something or get my account suspended!
The files leeched are zip files and they are at least 200 MB.
I also think it is a SYN flood.
I already enabled hotlink protection,
and the links are not published publicly on my website;
they are protected with www.lix.in link protection.
I also tried antileech,
but I got nothing out of all this!
Although lix.in got that (what do you call it again?) box that displays a set of characters before any download starts (human check, I believe!), that got me nothing also! I don't understand how a bot or a robot could recognize those before downloading (although he should enter the number once only and download as many times as he wants).
The leecher leeches the same exact file over and over again, maybe even 50 times and so on!
And the download never completes, as they are all HTTP 206 errors (incomplete download).
Any ideas guys??
Thanks for the service weeb, I've been looking for such a thing really!

02-12-2010, 10:32 AM
CISSP, CISA
Join Date: Aug 2002
Location: Los Angeles, CA
Posts: 5,113

GET floods are probably the trickiest type of attack. The best home-grown solution would be to reverse proxy the connections through a separate server (e.g. using nginx) and set up a cron to parse the log files and iptables the bad sources.

02-12-2010, 09:23 PM
Web Hosting Master
Join Date: Oct 2002
Location: Vancouver, B.C.
Posts: 1,888

Quote:
Originally Posted by hostechsupport
Hello,
Seems that it is a SYN* attack, and contacting your hosting provider would be the first and most important step.

HTTP GET floods are most definitely not SYN floods. SYN floods attempt to overwhelm a server by creating so many bogus open connections on the server, that legitimate connections can be made. The attacker only needs to send SYN packets without having to set up state, while TCP sockets get partially established on the server. As such, the attack scales well, as the bogus sockets are much more resource intensive for the server.
HTTP GET floods, on the other hand, attempt to overwhelm a server simply by creating load from mimicking legitimate GET requests, or by forcing the server to deliver so much traffic that it causes congestion issues on egress traffic.

Quote:
Originally Posted by IRCCo Jeff
GET floods are probably the trickiest type of attack. The best home-grown solution would be to reverse proxy the connections through a separate server (e.g. using nginx) and set up a cron to parse the log files and iptables the bad sources.

The OP may even get away with just parsing his web server logs, as the attack seems to be more of a concern in terms of traffic costs rather than load issues at the moment.
__________________
Han Hwei Woo, ASTUTE HOSTING AS54527 *Advanced and customized solutions for the savvy customer!*
Dedicated Hosting and CDN out of Vancouver, Seattle, LA, Toronto, NY, Miami, and (soon) London
We include CDN, anycast DNS, onboard KVMoIP, firewall, local and global load-balancing, and privatenet with all servers.
sales@astutehosting.com

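The log-parsing approach that IRCCo Jeff describes (a cron job that reads the access log and feeds the bad sources to iptables) and that hhw says may be enough on its own, written out as an added example. This is not code from the thread or from any host mentioned in it. It assumes cPanel raw access logs in the Apache "combined" format, looks for the pattern the OP reports (one client fetching the same file over and over with 206 or 404 responses), and applies the OP's own /24 widening only when several offenders already share a /24, which keeps collateral damage down when the leecher is hopping between unrelated proxies. The sample log lines, addresses, paths and thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the Apache "combined" format that cPanel raw
# access logs use. Addresses (RFC 5737 documentation ranges), paths and
# user agents are invented for this example and do not come from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Feb/2010:08:41:02 +0000] "GET /files/pack.zip HTTP/1.1" 206 1048576 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Feb/2010:08:41:03 +0000] "GET /files/pack.zip HTTP/1.1" 206 1048576 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Feb/2010:08:41:04 +0000] "GET /files/pack.zip HTTP/1.1" 206 1048576 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Feb/2010:08:41:05 +0000] "GET /files/pack.zip HTTP/1.1" 206 1048576 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Feb/2010:08:41:06 +0000] "GET /files/pack.zip HTTP/1.1" 206 1048576 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Feb/2010:08:41:07 +0000] "GET /files/pack.zip HTTP/1.1" 206 1048576 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Feb/2010:08:41:08 +0000] "GET /files/pack.zip HTTP/1.1" 206 1048576 "-" "Mozilla/4.0"
203.0.113.20 - - [12/Feb/2010:08:41:09 +0000] "GET /files/pack.zip HTTP/1.1" 200 209715200 "http://example.com/dl" "Mozilla/5.0"
203.0.113.21 - - [12/Feb/2010:08:41:10 +0000] "GET /missing.zip HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# client ident user [timestamp] "METHOD path protocol" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_log(text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {
                "ip": m.group("ip"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
            }


def repeat_offenders(entries, statuses=(206, 404), threshold=3):
    """IPs that hit the same path at least `threshold` times with a status in
    `statuses` (partial content / not found, the two codes the OP reports)."""
    hits = Counter((e["ip"], e["path"]) for e in entries if e["status"] in statuses)
    return {ip for (ip, _path), n in hits.items() if n >= threshold}


def block_targets(ips, min_hosts=2, prefix=24):
    """Widen to a /prefix block only when `min_hosts` or more offenders share it
    (the proxy-hopping pattern); otherwise block just the single host."""
    by_net = defaultdict(set)
    for ip in ips:
        by_net[ip_network(f"{ip}/{prefix}", strict=False)].add(ip_address(ip))
    targets = []
    for net, hosts in by_net.items():
        if len(hosts) >= min_hosts:
            targets.append(str(net))
        else:
            targets.extend(f"{h}/32" for h in hosts)
    return sorted(targets)


def iptables_commands(targets, chain="INPUT"):
    """Render DROP rules as strings; the cron job would hand these to the shell."""
    return [f"iptables -I {chain} -s {t} -j DROP" for t in targets]


def analyse(text, threshold=3, min_hosts=2):
    """Full pipeline: raw log text -> sorted list of CIDRs to block."""
    return block_targets(repeat_offenders(parse_log(text), threshold=threshold),
                         min_hosts=min_hosts)


if __name__ == "__main__":
    for cmd in iptables_commands(analyse(SAMPLE_LOG)):
        print(cmd)
```

On a shared account the iptables step is out of reach, as later replies point out, but the same list can be fed into cPanel's IP deny manager or a `.htaccess` deny list; the detection half is identical. Two things to watch: a single 206 is normal for download managers and resumed transfers, so the threshold should be set from what a legitimate client does against your files, and the /24 widening inherits the OP's collateral-damage problem whenever offenders sit in a shared proxy or carrier range.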
02-13-2010, 10:12 AM
WHT Addict
Join Date: Jun 2006
Posts: 172

Quote:
Originally Posted by hhw
HTTP GET floods are most definitely not SYN floods. SYN floods attempt to overwhelm a server by creating so many bogus open connections on the server, that legitimate connections can be made. The attacker only needs to send SYN packets without having to set up state, while TCP sockets get partially established on the server. As such, the attack scales well, as the bogus sockets are much more resource intensive for the server.
HTTP GET floods, on the other hand, attempt to overwhelm a server simply by creating load from mimicking legitimate GET requests, or by forcing the server to deliver so much traffic that it causes congestion issues on egress traffic.
The OP may even get away with just parsing his web server logs, as the attack seems to be more of a concern in terms of traffic costs rather than load issues at the moment.

Yes, you're right.
I hardly ever get any system resources used on my host;
the highest I ever got due to downloads in general was 0.2% CPU usage,
and the same or less for memory (yes, cPanel has this feature).
I wish there was a script or free service with CAPTCHA protection which would allow someone to download the protected link file JUST ONCE after he enters the CAPTCHA correctly.
Don't get me wrong though! Many free link protection services have a CAPTCHA by default; however, once the numbers/characters are entered correctly the file can be downloaded an infinite number of times.
This is what leads me to think the attacker enters the CAPTCHA once, and leaves the rest for a bot or something that downloads the same file from my server tons of times!!!

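The "download JUST ONCE after the CAPTCHA" scheme the OP wishes for, as an added example that is not part of the thread and not how lix.in or any other service named above works. The idea is that passing the human check does not unlock the file; it mints a signed link carrying a random nonce and an expiry, and the download handler accepts each nonce exactly once. The HMAC secret, paths, TTL and the in-memory nonce store are constructed for the example; the CAPTCHA step itself is assumed to have happened before `issue()` is called.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode


class OneTimeDownloadTokens:
    """Mint a signed, single-use download link once a visitor has passed the
    human check; every link is redeemable exactly once and only within `ttl`.

    `secret` is a constructed demo value here; `clock` is injectable so the
    expiry logic can be exercised deterministically."""

    def __init__(self, secret, ttl_seconds=300, clock=time.time):
        self._secret = secret
        self._ttl = ttl_seconds
        self._clock = clock
        # nonce -> expiry for links already redeemed (a DB table in production)
        self._redeemed = {}

    def _sign(self, path, nonce, expiry):
        msg = f"{path}|{nonce}|{expiry}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, path):
        """Called after the CAPTCHA succeeds; returns the query string for the link."""
        nonce = secrets.token_hex(16)
        expiry = int(self._clock()) + self._ttl
        return urlencode({"f": path, "n": nonce, "e": expiry,
                          "s": self._sign(path, nonce, expiry)})

    def redeem(self, query):
        """Validate a presented link. Returns (True, path) or (False, reason).
        The signature is checked first so forged links cannot probe the nonce store."""
        params = {k: v[0] for k, v in parse_qs(query).items()}
        try:
            path, nonce = params["f"], params["n"]
            expiry, sig = int(params["e"]), params["s"]
        except (KeyError, ValueError):
            return False, "malformed"
        if not hmac.compare_digest(self._sign(path, nonce, expiry), sig):
            return False, "bad signature"
        now = self._clock()
        if now > expiry:
            return False, "expired"
        # Forget nonces whose links have expired; they can never validate again.
        self._redeemed = {n: e for n, e in self._redeemed.items() if e >= now}
        if nonce in self._redeemed:
            return False, "already used"
        self._redeemed[nonce] = expiry
        return True, path


def demo():
    """Issue one link and present it twice, as a replaying script would."""
    tokens = OneTimeDownloadTokens(secret=b"constructed-demo-secret-not-for-production")
    link = tokens.issue("/files/pack.zip")
    return tokens.redeem(link), tokens.redeem(link)


if __name__ == "__main__":
    print(demo())
```

The signature binds the path, nonce and expiry together, so a link for one file cannot be edited into a link for another, and the nonce store only needs to remember entries until their expiry passes. One caveat that matters for the OP's 206 pattern: a legitimate download manager or a resumed transfer also issues several range requests for one file, so a strict once-only rule will break those clients; in practice the handler would accept the same nonce for a short window or a bounded number of byte-range fetches rather than exactly one request.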
02-13-2010, 12:19 PM
Web Hosting Master
Join Date: Jan 2001
Location: Miami, FL
Posts: 1,024

Use iptables to limit the number of concurrent HTTP connections per IP; that should help out a bit by slowing him down.

02-13-2010, 03:21 PM
WHT Addict
Join Date: Jun 2006
Posts: 172

Quote:
Originally Posted by bizness
Use iptables to limit the number of concurrent HTTP connections per IP; that should help out a bit by slowing him down.

How to do that??
I am on a shared host btw.
Thanks

02-13-2010, 03:37 PM
Junior Guru Wannabe
Join Date: Jan 2010
Posts: 68

Quote:
Originally Posted by aliitp
How to do that??
I am on a shared host btw.
Thanks

You can't.
That is one of the issues with being on a shared host... you can't do a lot of things.
That is why I originally suggested you contact them... they are likely to be the only ones who can mitigate anything.

02-13-2010, 04:58 PM
DDOS Mitigation Expert
Join Date: May 2003
Location: Canada
Posts: 645

If you are on a shared host then there is nothing you can do unless they do something for you. Another recommendation would be to search for a good DDoS protection company or look into the proxyshield or secureport option. You may get some other providers to help you with that as well. Otherwise move to a VDS with LiteSpeed and that should solve your issue IF this is a small attack.
__________________
BlockDos.Net Guaranteed DDOS Protection in US & Europe for WebSites. Now SINGAPORE is online
Fast Setup & Response Time. 11+ Locations WorldWide, 24/7/365 Guaranteed.

02-13-2010, 06:50 PM
Web Hosting Master
Join Date: Jun 2006
Location: NYC
Posts: 1,408

I agree with hhw and server4sale:
The type of attack (if it is a true attack) can't be mitigated from a shared hosting perspective unless the host is doing it for you. If you know what they are targeting, then you could possibly set up a modsec rule to assist with blocking the specific file, or simply remove it or rename it. Although, it's likely they'll simply change to another file. You could also do a .htaccess redirect that requires a CAPTCHA or a click. Another option would be a simple .htaccess password that would have to be typed in prior to entering the download area. In the password box you could say: PLEASE TYPE USER: EXAMPLE PASSWORD: DONTLEECH
This would require real user interaction and break most GET flood scripts. The idea wouldn't be to require a specific password, simply to force a login, even if it's publicly available.
The other option is to serve your files via a CDN to keep from affecting your hosting service. Although, it could get very expensive if you're not careful. I know, for example, we had a GET flood a couple of weeks back on our site that pulled more than 70GB in 24 hours. Depending on the CDN provider, they could possibly block you as well. We haven't seen this happen but I'd guess it's possible if the attack was consuming too much of their resources.
Last edited by ServerOrigin; 02-13-2010 at 06:54 PM.

02-13-2010, 07:54 PM
CISSP, CISA
Join Date: Aug 2002
Location: Los Angeles, CA
Posts: 5,113

Quote:
Originally Posted by ServerOrigin
Depending on the CDN provider, they could possibly block you as well.

Indeed. If you use a CDN to mitigate an attack it's quite likely the attacker will switch to a UDP flood against the CDN network itself (which they can't really bill you for) and you'll get dropped.