[prev in list] [next in list] [prev in thread] [next in thread]
List: fail2ban-users
Subject: Re: [Fail2ban-users] Block Flood Attack
From: "Jacob L. Anawalt" <janawalt () geckosoftware ! com>
Date: 2016-07-15 16:19:35
Message-ID: 3ecfcdc9-2ca8-abe8-05ec-0d67737e0e7b () geckosoftware ! com
[Download RAW message or body]
On 2016-07-14 8:07 PM, Mohd Zainal Abidin wrote:
>
> How to block this kind of attack?
>
> 27.111.213.117 - - [15/Jul/2016:10:03:32 +0800] "GET /2014/07/ HTTP/1.1"
> 200 70977 "-" "Mozilla/4.0 (compatible;)"
> 27.111.213.117 - - [15/Jul/2016:10:03:27 +0800] "GET /2007/05/ HTTP/1.1"
> 200 62797 "-" "Mozilla/4.0 (compatible;)"
> 27.111.213.117 - - [15/Jul/2016:10:03:33 +0800] "GET /2014/06/ HTTP/1.1"
> 200 72461 "-" "Mozilla/4.0 (compatible;)"
...
> We getting this kind of attack from different ip last night. Our website
> load goes to 100 and it become slow to response.
>
What would you propose the fail2ban rules be? What makes this access pattern
something to ban and how is it different than valid usage?
Are those paths invalid? Your web server says they are 200 OK.
Is "Mozilla/4.0 (compatible;)" not a legit user agent?
Are they requesting too fast and you want to rate limit it?
I don't see a bunch of failed authentication attempts or requests for some known
PHP or IIS path to exploit. I see a remote system downloading a bunch of valid
(200) URLs as fast as it can (mirroring/websuck? archiving?). While it may feel
like a client sucking your bandwidth (or CPU if those paths are dynamically
generated) dry is an attack, I'd be hesitant to call it an attack, definitely
not a flood one, and I wouldn't turn to fail2ban first for protection.
I think fail2ban is a great tool, but it's a reactive log scanning tool that
looks for patterns of badness. For proactive solutions I look to the attacked
service or firewall rules.
For example if the issue is how much and how fast, look into some apache module
like mod_ratelimit, mod_security, mod_evasive, mod_limitipconn, mod_qos, or one
of many others. You'd have to look at them and decide which meets your needs.
You could also configure apache to ban based on user agent.
You can use iptables rules to rate limit new connections or ban a specific IP
outright for being a bad actor. If you have iptable rules for rate limiting and
apache rules to limit how many requests can be made in one connection (max keep
alive requests) you will give fail2ban a little breathing room.
Back to your load issue. If /2006/12/ isn't dynamically generated I'd take a
hard look at why requesting it is causing so much load. Static content should be
out the door with little load. Maybe your MaxClients and other settings are
eating up all your memory and your bogged down swapping. Maybe /2006/12/ is
dynamic and if this were valid traffic you would be looking into caching.
Even if you fixed the load issue though, a bad actor can suck up MaxClients so
that your website isn't available to other users without some kind of protection
against that. Often just banning the bad actor(s) for a while is enough to give
them the message to go away but an apache module designed for this kind of abuse
protection would help with the current issue and be ready for the next time.
Best of luck,
--
Jacob Anawalt
Gecko Software, Inc.
janawalt@geckosoftware.com
435-752-8026
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic