PHP
SKEPTIC, 2021-03-25 12:32:03

DDoS attack causes php-fpm to load the server at 100%, how to fix it?

The site behind Cloudflare is under attack. The requests go right through Cloudflare. The attack is aimed at the authorization form and is not countered by either the captcha or Under Attack mode in CF.

As a result of the attack, php-fpm loads the entire server at 100% and requests are processed sooooo slowly. What to do? How to protect yourself?


2 answer(s)
Denis Yuriev, 2021-03-25
@pro100chel

Any DDoS attack that breaks through already configured protection mechanisms is fixed using the same method registration did not load the site

UPD: It hurts to look at these comments. It won't reach the author himself, and the other commenters are too lazy to answer (and they're right, because the author throws poop in response), so I suggest the first step in the case of CF. The main thing is that nginx is built with this magic module: ngx_http_realip_module (most likely it already is).

If this module is not available in the current state of affairs, then nginx will not start with the config described below.
Add these magic lines to the http section of the nginx config:

http {
  set_real_ip_from 103.21.244.0/22;
  set_real_ip_from 103.22.200.0/22;
  set_real_ip_from 103.31.4.0/22;
  set_real_ip_from 104.16.0.0/12;
  set_real_ip_from 108.162.192.0/18;
  set_real_ip_from 131.0.72.0/22;
  set_real_ip_from 141.101.64.0/18;
  set_real_ip_from 162.158.0.0/15;
  set_real_ip_from 172.64.0.0/13;
  set_real_ip_from 173.245.48.0/20;
  set_real_ip_from 188.114.96.0/20;
  set_real_ip_from 190.93.240.0/20;
  set_real_ip_from 197.234.240.0/22;
  set_real_ip_from 198.41.128.0/17;
  set_real_ip_from 2400:cb00::/32;
  set_real_ip_from 2606:4700::/32;
  set_real_ip_from 2803:f800::/32;
  set_real_ip_from 2405:b500::/32;
  set_real_ip_from 2405:8100::/32;
  set_real_ip_from 2c0f:f248::/32;
  set_real_ip_from 2a06:98c0::/29;
  real_ip_header CF-Connecting-IP;

  # ... the rest of your http section ...
}

This way nginx will start to "see" the real IPs of the users, not those of the CF servers.
ONLY AFTER THIS do your manipulations with limit_req make sense.
Otherwise, all visitors to the site will randomly get hit with 429 errors.
UPD2:
If someone ever advises you to write this entry
set_real_ip_from 0.0.0.0/0;
real_ip_header CF-Connecting-IP;

then send mom's hacker back to school.
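
Why the UPD2 warning matters, shown as an added example that is not part of the original answer: a small Python audit that flags `set_real_ip_from` entries outside the Cloudflare ranges listed above and models which address nginx would use as the `limit_req` key. The function names, the sample configs and the addresses 203.0.113.9 and 198.51.100.1 are constructed for illustration, and the code assumes every `set_real_ip_from` value is an IP address or CIDR range.

```python
import ipaddress
import re

# Cloudflare ranges exactly as listed in the answer above (the list can change;
# compare against Cloudflare's currently published ranges before relying on it).
CF_RANGES = [ipaddress.ip_network(n) for n in """
103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12 108.162.192.0/18
131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20
188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17
2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32
2c0f:f248::/32 2a06:98c0::/29
""".split()]

def trusted_proxies(conf):
    """Return the networks named by set_real_ip_from directives in conf."""
    found = re.findall(r"^\s*set_real_ip_from\s+([^;\s]+)\s*;", conf, re.M)
    return [ipaddress.ip_network(n, strict=False) for n in found]

def audit(conf):
    """List trusted networks that are not inside any range in CF_RANGES."""
    bad = []
    for net in trusted_proxies(conf):
        same = [r for r in CF_RANGES if r.version == net.version]
        if not any(net.subnet_of(r) for r in same):
            bad.append(str(net))
    return bad

def client_ip(peer, cf_header, trusted):
    """Model of realip: the header replaces the peer address only when the
    TCP peer is inside a trusted network; otherwise the peer address stays."""
    addr = ipaddress.ip_address(peer)
    if cf_header and any(addr in n for n in trusted if n.version == addr.version):
        return cf_header
    return peer

# Constructed sample configs: the answer's approach (shortened) and the
# catch-all variant from UPD2.
GOOD = ("set_real_ip_from 173.245.48.0/20;\nset_real_ip_from 2606:4700::/32;\n"
        "real_ip_header CF-Connecting-IP;\n")
BAD = "set_real_ip_from 0.0.0.0/0;\nreal_ip_header CF-Connecting-IP;\n"

if __name__ == "__main__":
    for name, conf in (("good", GOOD), ("bad", BAD)):
        print(name, "entries outside the listed ranges:", audit(conf))
        # 203.0.113.9 stands in for a client that connects to the origin directly
        key = client_ip("203.0.113.9", "198.51.100.1", trusted_proxies(conf))
        print(name, "limit_req key for a direct client:", key)
```

With the catch-all entry, the rate-limit key is whatever the `CF-Connecting-IP` header says, even for a connection that never passed through Cloudflare, so per-IP limits stop meaning anything.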

Nadim Zakirov, 2021-03-25
@zkrvndm

Make your form more complex by adding hidden fields that are filled with a hash as you type in other fields or as you move your mouse. Then, on the server side, check whether the hidden fields are filled in correctly; if not, ban this IP address.
Another option is to connect Google reCAPTCHA with the most aggressive settings and ban all addresses that have not passed verification.
