More spamming attacks!!! Site should be good now!

This forum is reserved for network, server and board maintenance and FYI's
Rob
Toughbooktalk Founder
Posts: 3575
Joined: Mon Mar 16, 2009 8:23 pm

#1 Post by Rob »

We have been DOS attacked from a particular IP in Northern Africa. Thank GOD for good firewalls. The Firewall was fine but the server almost crashed.

I have added the rule to the firewall to deny this IP from hitting our server ever again.

Additionally, I'm looking at how I can use the new firewall to auto-deny IPs PERMANENTLY in the future based on the number of times they hit the server, so it does it automatically and will be PROACTIVE vs. being reactive now. (Again, thank GOD for my good monitoring system)


Thanks!
~Rob - Vice President - Rugged Depot~
~Cell: (630)/300-8877~
~Owner - Toughbooktalk~
~Fully rugged Toughbook user since April 18th 2005~
~FZ-40ACAAHKM - Primary Toughbook / Workstation as of 7/29/22
~Win10 Pro (Win11 DG), Intel Core i5-1145G7 (up to 4.4GHz), vPro, 14.0" FHD Gloved Multi Touch, 16GB, 1TB Samsung SSD, Intel Wi-Fi 6, Bluetooth, 4G EM7690, GPS, Quad Pass (BIOS Selectable), Mic and Infrared 5MP Webcam, Standard Battery, TPM 2.0, Emissive Backlit Keyboard, Dual Batteries, USB A + HDMI + Serial X-PAK, Shoulder Strap, Flat~
~AT&T Business 1GB Fiber 1GB/1GB business static line~
~Gamber & Johnson Platinum Partner~

http://www.toughbooktalk.com
http://downloads.toughbooktalk.com/
http://www.rugged575.com - 300' UHF GMRS Radio Repeater
http://www.crete600.com - 310' UHF Linked GMRS Radio Repeater


~Emergency preparedness starts with reliable communication systems above all. Pretend the internet and cell phones didn’t exist, how will you communicate? If you’re interested in learning more, ask me!~

Karl Klammer
Posts: 193
Joined: Tue Oct 13, 2015 3:19 am
Location: Old Europe

Re: More spamming attacks!!! Site should be good now!

#2 Post by Karl Klammer »

Hi Rob,

This sounds like a case for rate limiting new connections per source IP.

bsd pf:
max-src-conn number
max-src-conn-rate number / interval
http://www.openbsd.org/faq/pf/filter.html#stateopts

linux iptables:
-m connlimit --connlimit-above number
http://www.cyberciti.biz/faq/iptables-c ... its-howto/

cisco:
set connection conn-max 5000 conn-rate-limit 500
http://www.cisco.com/c/en/us/td/docs/se ... tct_f.html

Be careful when setting this up and verify your rulesets with tools like apachebench.
Some browsers open one connection per URL/file (image/css/js),
while others implement HTTP pipelining and only require a single connection.

Also, I would advise against any automated+permanent IP blocks,
as an attacker could just use IP spoofing to make your firewall block your own IP ;-)

Cheers,
Karl
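
Added example (not part of the thread and not any poster's configuration): a small Python model of per-source new-connection rate limiting with expiring blocks and an allowlist, replayed over constructed connection events. It shows the two cautions from the post above: a client that opens several connections at once stays under a sensible threshold, and an allowlisted address is never blocked even when its address appears in a flood. The thresholds, class and function names, and the documentation-range addresses are all assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed events: (seconds, source IP) of new connections.
SAMPLE = sorted(
    [(t, "203.0.113.7") for t in range(10)] + [(70, "203.0.113.7")]  # flood, then a retry
    + [(t, "198.51.100.20") for t in (1, 1, 2, 2)]  # browser fetching page assets
    + [(3, "192.0.2.10")] * 8                       # burst carrying the admin's own address
)

class ConnRateLimiter:
    """More than max_conn new connections within interval seconds -> block for block_ttl."""

    def __init__(self, max_conn, interval, block_ttl, allow=()):
        self.max_conn, self.interval, self.block_ttl = max_conn, interval, block_ttl
        self.allow = [ip_network(n) for n in allow]  # never blocked
        self.seen = defaultdict(deque)               # ip -> recent connection times
        self.blocked_until = {}                      # ip -> expiry time of the block

    def hit(self, ts, ip):
        """Return 'pass', 'block' (threshold just exceeded) or 'drop' (block active)."""
        if any(ip_address(ip) in net for net in self.allow):
            return "pass"
        if self.blocked_until.get(ip, 0) > ts:
            return "drop"
        self.blocked_until.pop(ip, None)             # block expired: not permanent
        q = self.seen[ip]
        q.append(ts)
        while q[0] <= ts - self.interval:            # slide the window
            q.popleft()
        if len(q) > self.max_conn:
            self.blocked_until[ip] = ts + self.block_ttl
            q.clear()
            return "block"
        return "pass"

def replay(events, limiter):
    """Feed time-ordered events to the limiter; return decisions per source IP."""
    out = defaultdict(list)
    for ts, ip in events:
        out[ip].append(limiter.hit(ts, ip))
    return dict(out)

if __name__ == "__main__":
    limiter = ConnRateLimiter(max_conn=5, interval=10, block_ttl=60,
                              allow=["192.0.2.10/32"])
    for ip, decisions in replay(SAMPLE, limiter).items():
        print(ip, decisions)
```

Replaying the same events without the `allow` entry shows the admin address being blocked, which is the failure mode to rule out before enabling any automatic blocking.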

kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: More spamming attacks!!! Site should be good now!

#3 Post by kode-niner »

Hey Karl,

Unfortunately, Rob is running Apache over a Windows Server, so no pf or iptables goodness.
Daily drives a CF-31

Karl Klammer
Posts: 193
Joined: Tue Oct 13, 2015 3:19 am
Location: Old Europe

Re: More spamming attacks!!! Site should be good now!

#4 Post by Karl Klammer »

mod_limitipconn might work for you, depending on the nature of the DoS attack.
http://dominia.org/djao/limitipconn2.html

I have no experience with that module.
