DDoS Protection
Vladimir Gorobets, 2011-08-23 07:43:21

DDOS POST Requests

There are a bunch of requests like this coming from different IPs to NGINX:
72.252.31.22 - - [23/Aug/2011:07:16:00 +0300] "POST / HTTP/1.0" 503 212 " google.com/ " "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)"

The site that was being attacked had to be put out, but the server did not feel any better. I have practically zero knowledge in administration, and the administrator is at sea.

Can anyone help with advice on how to fight back?

4 answer(s)
Sergey, 2011-08-23
@bondbig

The easiest way is to parse the log and put the banlist in ipset.
You can buy a service from qrator or from Casper, for example.

itrabotnik, 2011-08-23
@itrabotnik

What structure do you have?
nginx+php
nginx+apache+php?
Instead of php, you can insert any other language.
Write, and we will try to help.

Vladimir Gorobets, 2011-08-23
@vladimir_gorobets

>nginx+apache+php
There is nothing to help with; the hoster has disabled the VPS until the attack stops :(

Vladimir Gorobets, 2011-08-23
@vladimir_gorobets

Help me write a script to add the bots' IPs to iptables.
There is a file with a list of IPs, each IP on a new line.
Example:

94.54.35.148
203.168.168.58
189.18.50.99
189.130.45.3
200.49.191.30
121.133.121.170

There is a script:
#!/bin/bash

BANIP=`cat /usr/local/etc/ban/bot.log`

for ip in $BANIP
do
  echo "iptables -I INPUT -p tcp -s  $ip --dport 80 -j DROP"
  if [ "$1" == "apply" ]; then
    /sbin/iptables -D INPUT -p tcp -s $ip --dport 80 -j DROP
    /sbin/iptables -I INPUT -p tcp -s $ip --dport 80 -j DROP
  fi
done

Only, because there is a line break after each IP, the result is not quite what is needed:
--dport 80 -j DROPp tcp -s 200.2.141.115
 --dport 80 -j DROPp tcp -s 208.95.113.193
 --dport 80 -j DROPp tcp -s 59.52.94.233
 --dport 80 -j DROPp tcp -s 189.139.138.223
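
Added example, not part of any post in this thread: the overwritten output above is what a terminal shows when each line of the list ends in a carriage return (Windows-style CRLF), so this sketch strips the `\r`, validates and de-duplicates the addresses, and prints input for `ipset restore`, following the ipset suggestion in the first answer. The set name `banlist` and the function names are assumptions; the sample list inside `demo` is constructed.

```shell
#!/bin/bash
# Added example: turn a ban list (one IP per line, possibly CRLF) into
# input for `ipset restore`. SET_NAME and all function names are assumptions.
SET_NAME="banlist"

# Print the valid, de-duplicated IPv4 addresses found in file $1.
clean_ips() {
  tr -d '\r' < "$1" | awk '
    {
      gsub(/^[ \t]+|[ \t]+$/, "")   # trim surrounding whitespace
      if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
      split($0, o, ".")
      for (i = 1; i <= 4; i++) if (length(o[i]) > 3 || o[i] + 0 > 255) next
      if (!seen[$0]++) print        # keep first occurrence only
    }'
}

# Print commands for `ipset restore`: create the set, then one add per address.
ipset_restore_input() {
  echo "create $SET_NAME hash:ip family inet"
  clean_ips "$1" | while read -r ip; do
    echo "add $SET_NAME $ip"
  done
}

# Dry run on a constructed sample: CRLF endings, a duplicate, two invalid lines.
demo() {
  f=$(mktemp)
  printf '94.54.35.148\r\n203.168.168.58\r\n94.54.35.148\r\n999.1.1.1\r\nnot-an-ip\r\n' > "$f"
  ipset_restore_input "$f"
  rm -f "$f"
}

if [ "${1:-}" = "demo" ]; then demo; fi

# To apply as root (one rule matches the whole set instead of one rule per IP):
#   ipset_restore_input /usr/local/etc/ban/bot.log | ipset -exist restore
#   iptables -I INPUT -p tcp --dport 80 -m set --match-set banlist src -j DROP
```

Run with the argument `demo` to see the generated commands without touching the firewall.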
