Hello,
My forum is is sometimes targeted by a wave of IP requests from very similar IPs, sometimes hundreds of such within a minute, causing severe spikes in server load.
I don't know if these are DDoS attacks or just bots trying to register.
Is it possible to automatically block IP ranges attempting this?
If you're using Apache, you can do the following with Mod_Qos
Using mod_qos
mod_qos is a quality of service module for the Apache HTTP Server which allows the implementation of control mechanisms that can provide different levels of priority to different HTTP requests.
The following is an example of how to configure mod_qos to mitigate slow HTTP DoS attacks.
<IfModule mod_qos.c>
# handle connections from up to 100000 different IPs
QS_ClientEntries 100000
# allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# limit maximum number of active TCP connections limited to 256
MaxClients 256
# disables keep-alive when 180 (70%) TCP connections are occupied
QS_SrvMaxConnClose 180
# minimum request/response speed (deny slow clients blocking the server, keeping connections open without requesting anything
QS_SrvMinDataRate 150 1200
</IfModule>
The above configuration tracks up to 100,000 connections and limits the server to a maximum of 256 connections. In addition, the configuration limits each IP address to a maximum of 50 connections and disables HTTP KeepAlive when 180 connections are used (70% of the connections in this case). Finally, the configuration requires a minimum of 150 bytes per second per connection, and limits the connection to 1200 bytes per second when MaxClients is reached.
Ref: http://www.acunetix.com/blog/articles/sl...tp-server/
I also recommend you to take a look into:- mod_evasive (Focused more on reducing DoS exposure)
- mod_cband (Best featured for 'normal' bandwidth control)
and
Thank you very much for your help. It looks like I will need to contact my host for this. So far they've also suggested Cloudflare, but since it's just a small hobby forum, we can't dish out any cash. Just the free version for us.
We've recently switched from a very old CMS (dragonfly 9.0.3) to MyBB and that's when the attacks started... this is very weird :/ The attack was so strong today that my host disabled my server.
CloudFlare is the easiest way... if you don't have cash to invest, then you will have to play with Apache rules as @katos showed you. But it won't be easy to customize the rules to mitigate those attacks without further apache knowledge. Hard hitting layer 7 attacks are the hardest to get rid of...
(2016-10-24, 07:32 PM)Neeeeeeeeeel.- Wrote: [ -> ]CloudFlare is the easiest way... if you don't have cash to invest, then you will have to play with Apache rules as @katos showed you. But it won't be easy to customize the rules to mitigate those attacks without further apache knowledge. Hard hitting layer 7 attacks are the hardest to get rid of...
CloudFlare's I'm Under Attack mode helps reduce the size of attacks beyond that CloudFlare is testing rate limiting (I've a member of the super-early API based beta) and it can block HTTP Flood Attacks. A hard hitting layer 7 as stated above will be difficult to mitigate however with proper rate limiting they're blockable.
I Suffer from the same issue -
Just reading here make me wonder are there other ways beside CloudFlare and Apache that you would recommend for ?
(2017-01-03, 08:33 PM)williamson Wrote: [ -> ]I Suffer from the same issue -
Just reading here make me wonder are there other ways beside CloudFlare and Apache that you would recommend for ?
nginx + rate-limiting =
