DDoS Protection
Andrey Eskov, 2020-08-18 11:38:29

How do I deal with a DDoS attack on the site that takes the form of frequent POST requests to the main page?

Please suggest methods of fighting DDoS. For 2 days now, the site has been hit by a large number of POST requests to the main page for 2-3 hours at a time.

Access log:

78.41.102.131 - - [18/Aug/2020:11:12:22 +0300 - 12.047] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.8a5) Gecko/20041122" "-"
78.41.102.131 - - [18/Aug/2020:11:12:22 +0300 - 7.671] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.8a5) Gecko/20041122" "-"
45.12.19.35 - - [18/Aug/2020:11:12:22 +0300 - 9.931] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.47 Mobile Safari/537.36" "-"
46.29.192.139 - - [18/Aug/2020:11:12:22 +0300 - 3.596] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
46.29.192.139 - - [18/Aug/2020:11:12:22 +0300 - 3.491] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
31.44.12.16 - - [18/Aug/2020:11:12:22 +0300 - 12.179] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; APCPMS=^N20160719104810771416F4BAA3227ADDE13F_13562^; Trident/7.0; rv:11.0) like Gecko" "-"
78.41.102.131 - - [18/Aug/2020:11:12:22 +0300 - 8.892] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
78.41.102.131 - - [18/Aug/2020:11:12:22 +0300 - 7.437] 403 "POST / HTTP/1.1" 243 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
185.70.105.127 - - [18/Aug/2020:11:12:22 +0300 - 1.278] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; APCPMS=^N20160719104810771416F4BAA3227ADDE13F_13562^; Trident/7.0; rv:11.0) like Gecko" "-"
178.35.230.10 - - [18/Aug/2020:11:12:22 +0300 - 10.146] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060126" "-"



About 500,000 such requests in 1 hour. As you can see, some were weeded out by adding a POST block to .htaccess:

<Limit POST>
    # Apache 2.2-style access control (needs mod_access_compat on Apache 2.4,
    # where the equivalent is "Require all denied"). With "Order Allow,Deny"
    # and no Allow directive, every POST matched by this block gets a 403.
    Order Allow,Deny
    Deny from all
</Limit>


But this did not help much: not all requests end up with a 403, and the site is still struggling.
How do I fight this? By the way, I also tried loading the entire log file into Excel, taking all IPs from which there were more than 100 requests and adding them to iptables, but that didn't help either.

P.S.
Interesting facts:
- In the logs I saw the constant presence of a bot that checked the availability of the site ( https://uptimerobot.com/ ).
- After any blocking action, the attack changed: they switched requests from POST to GET, changed the attacked URL, and the IP pool was constantly replenished.
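
The per-IP counting the question did by hand in Excel, as an added example (this is not code from the original post): a Python script that parses lines in the format shown above, flags source addresses whose POST rate inside any one-minute window reaches a threshold, and prints ipset/iptables commands that block them with an expiry. Assumptions: the log format is nginx-style with `$time_local` followed by a request time inside the brackets (the post does not say which nginx variable the number is), the set name `ddos_src` and the 80/443 ports are made up, and the sample lines are constructed to mimic the post's lines with shortened user agents, not a real capture. Two things a practitioner would check first: the status summary, because 499 in nginx means the client closed the connection before a response was sent, which together with the 3-12 second request times points at an overloaded backend rather than a saturated link; and the fact that blocked entries should expire on their own, because the post notes that the attacking IP pool keeps changing, so a static list goes stale within hours.

```python
"""Count per-IP request bursts in an nginx-style access log and emit block rules.

Added example for the question above, not code from the original post.
Assumed log format (matches the lines shown in the post):
  $remote_addr - $remote_user [$time_local - $request_time] $status "$request"
  $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"
"""
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+?)(?: - (?P<rt>[\d.]+))?\] '
    r'(?P<status>\d{3}) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<bytes>\d+) '
    r'"[^"]*" "(?P<ua>[^"]*)" "[^"]*"$'
)

# Constructed sample modelled on the post's lines (user agents shortened); not a real capture.
SAMPLE_LOG = """\
78.41.102.131 - - [18/Aug/2020:11:12:22 +0300 - 12.047] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (Windows; U)" "-"
78.41.102.131 - - [18/Aug/2020:11:12:22 +0300 - 7.671] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (Windows; U)" "-"
78.41.102.131 - - [18/Aug/2020:11:12:23 +0300 - 8.892] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (X11)" "-"
78.41.102.131 - - [18/Aug/2020:11:12:23 +0300 - 7.437] 403 "POST / HTTP/1.1" 243 "-" "Mozilla/5.0 (X11)" "-"
46.29.192.139 - - [18/Aug/2020:11:12:22 +0300 - 3.596] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (X11; Linux i686)" "-"
46.29.192.139 - - [18/Aug/2020:11:12:22 +0300 - 3.491] 499 "POST / HTTP/1.1" 0 "-" "Mozilla/5.0 (X11; Linux i686)" "-"
203.0.113.9 - - [18/Aug/2020:11:12:24 +0300 - 0.012] 200 "GET / HTTP/1.1" 5120 "-" "Mozilla/5.0 (Windows NT 10.0)" "-"
203.0.113.9 - - [18/Aug/2020:11:15:01 +0300 - 0.010] 200 "GET /about HTTP/1.1" 2048 "-" "Mozilla/5.0 (Windows NT 10.0)" "-"
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["rt"] = float(rec["rt"]) if rec["rt"] is not None else None
    return rec


def parse_log(text):
    """Parse every line that matches; silently skip lines in another format."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    ts = sorted(times)
    best = left = 0
    for right, t in enumerate(ts):
        while t - ts[left] >= window:   # slide the left edge until the window fits
            left += 1
        best = max(best, right - left + 1)
    return best


def offenders(records, threshold, window=timedelta(minutes=1), methods=("POST",)):
    """Map IP -> peak count for IPs that sent >= threshold requests (of `methods`) in any window."""
    per_ip = defaultdict(list)
    for r in records:
        if r["method"] in methods:
            per_ip[r["ip"]].append(r["time"])
    peaks = {ip: peak_in_window(ts, window) for ip, ts in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def status_summary(records):
    """Status code histogram; a pile of nginx 499s means clients gave up waiting on the backend."""
    return Counter(r["status"] for r in records)


def block_commands(ips, setname="ddos_src", timeout=3600):
    """Shell commands that drop the given IPs on 80/443 via an ipset whose entries expire.

    The set name, ports and timeout are example values, not from the post.
    """
    rule = f"INPUT -p tcp -m multiport --dports 80,443 -m set --match-set {setname} src -j DROP"
    cmds = [
        f"ipset create {setname} hash:ip timeout {timeout} -exist",
        f"iptables -C {rule} 2>/dev/null || iptables -I {rule}",   # add the rule only once
    ]
    cmds += [f"ipset add {setname} {ip} timeout {timeout} -exist" for ip in sorted(ips)]
    return cmds


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real run: python3 ddos_log.py /var/log/nginx/access.log [threshold]
        text = open(sys.argv[1]).read()
        threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 100
    else:                   # demo run on the constructed sample
        text, threshold = SAMPLE_LOG, 3
    recs = parse_log(text)
    print("status codes:", dict(status_summary(recs)))
    bad = offenders(recs, threshold)
    for ip, n in sorted(bad.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: peak {n} POSTs within one minute")
    print("\n".join(block_commands(bad)))
```

Run it against the live log with the threshold from the post, `python3 ddos_log.py /var/log/nginx/access.log 100`, and pipe the printed commands into `sh` once they look right. The one-minute window matters: a threshold of 100 per hour, as used in the Excel pass, also catches the uptime monitor and any busy legitimate client, while 100 POSTs to `/` inside a minute is only ever a bot. Re-run it from cron every few minutes so new addresses from the rotating pool get caught, and let the ipset timeout drop old ones.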



1 answer(s)
Kirill Nesmeyanov, 2020-08-18
@taurus2790

Switch your DNS to the free version of CloudFlare. You can always switch back later if you want.
