Nginx
Vitaly, 2021-03-23 16:16:04

How to protect yourself from a DDOS attack with the same type of requests to non-existent files?

Good afternoon.
I faced an attack on the site with the same type of requests to non-existent files, mainly jpg.
The attack lasts 24/7 at about 50 requests per second; the attacker's IP changes about once every 3 days.

log

2021/03/23 15:18:24 [error] 5826#0: *240820 access forbidden by rule, client: 37.45.11.152, server: _, request: "GET /upload/iblock/a59/a59dcbc6d7eebb9cd31cc496a971599f.JPG) HTTP/1.1", host: "my-host"
2021/03/23 15:18:24 [error] 5821#0: *241241 access forbidden by rule, client: 37.45.11.152, server: _, request: "GET /upload/iblock/dc8/dc886ef256fa821311c355a63f9f3913.JPG) HTTP/1.1", host: "my-host"
2021/03/23 15:18:24 [error] 5826#0: *240820 access forbidden by rule, client: 37.45.11.152, server: _, request: "GET /upload/iblock/a59/a59dcbc6d7eebb9cd31cc496a971599f.JPG) HTTP/1.1", host: "my-host"

Website on VDS 4CPU 12RAM, traffic 350K/month.

For my part, I have:
banned the IP on the nginx side,
set "limit_req_zone" limits for several locations.
But this is not a solution to the problem?
Are resources being consumed to process requests even though they get a 403 response?
The access.log and error.log files grow to 200 MB per day, writing 50 lines per second.

How to reduce the load on the server?
How to protect yourself from such attacks?

6 answer(s)
Alexey Dmitriev, 2021-03-23
@SignFinder

Use fail2ban, and you need to ban in the firewall, not in nginx.
Have you tried Google at all?
There are a bunch of instructions on the net for the query "ddos iptables".

Zettabyte, 2021-03-23
@Zettabyte

client: 37.45.11.152

How to protect yourself from such attacks?

% Abuse contact for '37.45.0.0 - 37.45.63.255' is lir [at] belpak [.] by
And given that it is the Union State, think about contacting the authorities, at least virtually, through some online form. Point out that an Internet attacker is operating there. I do not rule out that, given the turbulence of the times, they may become interested in a potentially harmful character.
As mentioned above, do not delete the log, but copy it somewhere - it can come in handy if you go this way.

ky0, 2021-03-23
@ky0

And what is the applied result of the attack you describe? Nginx, even on minimal hardware, can return 404 errors much faster than 50 rps. Disable logging of 404 responses and, as advised above, enable fail2ban.
IMHO, this can’t even be called an attack - just fooling around ...

lonelymyp, 2021-03-23
@lonelymyp

It doesn't look like an attack, more like an automated scan.

AUser0, 2021-03-23
@AUser0

Ban by IP:
iptables -I INPUT -s 37.45.11.152 -j DROP
Removing a block:
iptables -D INPUT -s 37.45.11.152 -j DROP

Viktor Taran, 2021-03-23
@shambler81

50 files per second - do you think this is an attack?
Don't make me laugh, your page has more files than that.
Do you have Bitrix VM? If yes, which VM version?
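
The per-IP counting that the fail2ban answers above rely on, as an added example that is not part of the original thread: it reads error.log lines in the format quoted in the question, flags clients that exceed a threshold inside a sliding window, and emits firewall rules in the form AUser0 gave. The function names, thresholds and sample lines are assumptions made for illustration; `maxretry` and `findtime` borrow the names of fail2ban's jail options.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at line start so only nginx's own "client:" field is read,
# never text the requester placed inside the quoted request string.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] \d+#\d+: \*\d+ '
    r'access forbidden by rule, client: (?P<ip>[0-9A-Fa-f.:]+), server: ')

def find_offenders(lines, maxretry=20, findtime=10):
    """IPs with >= maxretry forbidden requests inside any findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)          # ip -> hit times still inside the window
    offenders = []
    for line in lines:                   # assumes chronological order, as nginx writes it
        m = LINE_RE.match(line)
        if not m or m["ip"] in offenders:
            continue
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:     # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= maxretry:
            offenders.append(m["ip"])
    return offenders

def ban_commands(ips):
    """Firewall rules in the form given in the thread; rejects non-IP input."""
    cmds = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)  # ValueError on anything that is not an address
        tool = "iptables" if addr.version == 4 else "ip6tables"
        cmds.append(f"{tool} -I INPUT -s {addr} -j DROP")
    return cmds

# Constructed sample in the error.log format from the question (documentation IPs).
SAMPLE = [
    f'2021/03/23 15:18:{s} [error] 5826#0: *{n} access forbidden by rule, client: {ip}, '
    f'server: _, request: "GET /upload/iblock/a59/{n}.JPG HTTP/1.1", host: "my-host"'
    for n, (s, ip) in enumerate([(24, "203.0.113.7")] * 3 + [(25, "203.0.113.7")] * 2
                                + [(25, "198.51.100.9")])
]

if __name__ == "__main__":
    for cmd in ban_commands(find_offenders(SAMPLE, maxretry=5)):
        print(cmd)
```

Lines of any other error type are ignored, so a request path that merely contains the text "client: ..." cannot get a third party banned.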
