Nginx Nginx down when DDoS

eva2000 · May 3, 2016

no restarts. all auto taken care of for new tcp settings once you re-run centmin.sh after updating to latest 123.09beta01 code

as to connection limiting it's a feature of CSF Firewall too see Nginx - Nginx down when DDoS | Page 5 | Centmin Mod Community but not request limiting

Revenge · May 3, 2016

pamamolf said: ↑

How can we add now the new changes related to this issue without reinstalling?

Also i am looking for a config file not related only to this Wordpress attack but an one in general that will block users with many and fast connections to it without anyway to block a user agent.....
Click to expand...

Filter:
Code:
[Definition]

failregex = ^<HOST> -.*GET.*/

ignoreregex = ^<HOST> -.*GET.*/uploads
              ^<HOST> -.*GET.*/applications
Here you can notice that it will catch every GET, unless the GET if for Uploads and Applications folders. I do this because i have a Invision Board, and sometimes a user can make a lot of GET's in that folders to get all the css, js etc etc. So i will ignore those ones.

Jail:
Code:
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /path/to/your/access.log
backend  = polling
journalmatch =
maxretry = 50
findtime = 5
bantime = 300
action = iptables-allports
This Jail will ban for 300 seconds, if an IP makes 50 requests in 5 or less seconds. You can changes this values off course. I just did this if someone hits the F5 at my site, he will simple get banned for 300 seconds.

pamamolf · May 3, 2016

50 requests
Click to expand...

What about banning many connections also and not only many requests?

Revenge · May 3, 2016

pamamolf said: ↑

What about banning many connections also and not only many requests?
Click to expand...

What is the diference between requests and connections?

eva2000 · May 3, 2016

Revenge said: ↑

What is the diference between requests and connections?
Click to expand...

see DDos Mitigation - Using NGINX to Prevent DDoS Attacks | NGINX

Limiting the Rate of Requests
vs
Limiting the Number of Connections

CSF Firewall (as can iptables) can limit connections per IP Nginx - Nginx down when DDoS | Page 5 | Centmin Mod Community

pamamolf · May 3, 2016

Why not just use the CT_LIMIT = "0" option on csf ?

Isn't the same?Why fail2ban is better?

Revenge · May 3, 2016

pamamolf said: ↑

Why not just use the CT_LIMIT = "0" option on csf ?

Isn't the same?Why fail2ban is better?
Click to expand...

Because with fail2ban you can creates regex rules. I can say to fail2ban to ban an IP that make 50 connections/requests, but the requests to css and js don't count. Or i can say to fail2ban to just ban IP's that make requests with WordPress user agent. I never used CSF, but i think it can't do that, at least by itself. It will ban if an IP makes x connections, and just that.

Revenge · May 3, 2016

Ok people... New situation here.

The booter that i have access, its from a client i have. We use the booter to test the protection of is own server. The booter that he have, now have 3 new Layer 7 attacks(although its almost the same), GET, HEAD and POST.
[IMG]

I tried the GET attack against his site, and its impossible to defend... There is no UserAgent now. We can't tell the diference between a normal request, and this requests.

Code:

5.189.205.193 - - [03/May/2016:02:09:59 +0100] "GET / HTTP/1.1" 301 178 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
5.189.205.229 - - [03/May/2016:02:09:59 +0100] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) App3leWebKit/53.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
5.101.217.153 - - [03/May/2016:02:09:59 +0100] "GET / HTTP/1.1" 301 178 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
185.89.100.34 - - [03/May/2016:02:09:59 +0100] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) App3leWebKit/53.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
5.101.220.191 - - [03/May/2016:02:09:59 +0100] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.5 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.4"
185.14.194.122 - - [03/May/2016:02:09:59 +0100] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11"
146.185.204.248 - - [03/May/2016:02:09:59 +0100] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

What the hell can we do against this?

pamamolf · May 3, 2016

If the requests per ip are many and fast you can use csf and CT_LIMIT = "0" to ban the ip's
If the requests are not many per ip don't know
If the requests are very slow per ip you can try to close connections faster on Nginx as you can check on the above link that eva2000 posts:

DDos Mitigation - Using NGINX to Prevent DDoS Attacks | NGINX

Revenge · May 3, 2016

Well, you have like 8000 to 10000 servers making less than 1 request per second each. Its impossible to put rules under that situation, or we would also be limiting good requests.

eva2000 · May 3, 2016

Revenge said: ↑

Because with fail2ban you can creates regex rules. I can say to fail2ban to ban an IP that make 50 connections/requests, but the requests to css and js don't count. Or i can say to fail2ban to just ban IP's that make requests with WordPress user agent. I never used CSF, but i think it can't do that, at least by itself. It will ban if an IP makes x connections, and just that.
Click to expand...

true CSF Firewall doesn't have that fine grain control as to which http request elements it tracks like css and js exclusion

Revenge said: ↑

What the hell can we do against this?
Click to expand...

a caching layer on the front end probably can help but depends on your web app too

Revenge · May 17, 2016

New kind of DDOS attack using Facebook? o_O

I stopped it with 444 response to facebookexternalhit.
But i need to disable it after the attack stops.

Code:

173.252.123.129 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485223866 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.136 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485233582 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.137 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485233583 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.144 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485233609 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.147 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485233797 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.147 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485233799 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.132 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485224190 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.136 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485224191 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.147 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485224227 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.129 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485224240 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.146 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485224295 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.129 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485233851 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.137 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485233803 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.137 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485234077 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.129 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485224371 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.147 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485224524 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.136 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485224528 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.132 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485234086 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.128 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485224530 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.128 - - [17/May/2016:13:44:00 +0200] "GET /?id=1463485234200 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.136 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485224577 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.146 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485234249 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.146 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485234395 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.129 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485234199 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.137 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485224847 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.137 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485234401 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.144 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485234452 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.136 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485234465 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.132 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485234497 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.128 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485224851 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.144 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485224865 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.146 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485234728 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.136 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485225082 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.147 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485234729 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.136 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485225084 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.144 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485234743 HTTP/1.1" 444 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.147 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485225091 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.123.128 - - [17/May/2016:13:44:01 +0200] "GET /?id=1463485225094 HTTP/1.1" 499 0 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"

eva2000 · May 18, 2016

Revenge said: ↑

facebookexternalhit/1.1
Click to expand...

interesting will need to add that as an option to my botlimit routine as a rate limitable setting Blocking bad or aggressive bots | Centmin Mod Community (optional commented out)

edit: doh already been added as a rate limited option

Revenge · Sep 6, 2016

I don't know if someone can give a help here.

One site of a friend is being targeted just now, and nginx is not being able to block it with a a 444 response. It responds with a 200.

The site is a IPB 3.4.

If i do this:
curl -A "WordPress" https://site.com/
I get an empty response. 444

But if i do this(its what the attacker is doing:
curl -A "WordPress" https://site.com/index.php?app=core&module=global&section=register
I get a response 200.

Why nginx does not block it?

eva2000 · Sep 6, 2016

what does the nginx vhost contexts look like for 444 ?

Revenge · Sep 6, 2016

Code:

if ($http_user_agent ~ "WordPress") {
        set $block_user_agents 1;
 }

if ($block_user_agents = 1) {
        return 444;
}

Oxide · Sep 6, 2016

Revenge said: ↑
Code:
if ($http_user_agent ~ "WordPress") {
        set $block_user_agents 1;
 }

if ($block_user_agents = 1) {
        return 444;
}
Click to expand...
try to use this instead

if ($http_user_agent ~* "PHP|curl|Wget|HTTrack|Nmap|Verifying|PingBack|Pingdom|Joomla|Wordpress") { return 444; }

Revenge · Sep 7, 2016

Fail2ban took care of the attack:

- Actions
|- Currently banned: 6486
Click to expand...

The attacked continued all day but without affecting the site since all server's ip's were blocked.
Too many fat kids goes to hackforums to buy a booter... Thats the world we leave today.

pamamolf · Sep 7, 2016

What rule did you use for it?

Revenge · Sep 7, 2016

pamamolf said: ↑

What rule did you use for it?
Click to expand...

The rule is very simple.
Code:
[Definition]

failregex = ^<HOST> -.*WordPress.*/
It does the same as the nginx rule to return 444 to the user agent WordPress. In this case, it bans the IP using iptables.

Now what i do is permanently ban all those IP's using ipset.

Log in / Register

Forums

Want to subscribe to topics you're interested in?

Nginx Nginx down when DDoS

eva2000 Administrator Staff Member

Revenge Active Member

pamamolf Well-Known Member

Revenge Active Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

Revenge Active Member

Revenge Active Member

pamamolf Well-Known Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

Oxide Active Member

Revenge Active Member

pamamolf Well-Known Member

Revenge Active Member

.

Log in / Register

Useful Searches

Want to subscribe to topics you're interested in?

Nginx Nginx down when DDoS

eva2000 Administrator Staff Member

Revenge Active Member

pamamolf Well-Known Member

Revenge Active Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

Revenge Active Member

Revenge Active Member

pamamolf Well-Known Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

eva2000 Administrator Staff Member

Revenge Active Member

Oxide Active Member

Revenge Active Member

pamamolf Well-Known Member

Revenge Active Member

.