Blacklisting Traffic to a Destination URL

sniperfodder
New to forums
Posts: 12
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Wed Nov 23, 2011 1:22 am

Blacklisting Traffic to a Destination URL

Post by sniperfodder »

Howdy!

Over the past year or so I've noticed low-level DoS attacks against my web server running on my VDS. The majority of the attacks appear to be POSTs to http://www.silicateillusion.org/xmlrpc.php. I was wondering if there was a way to filter out all requests to xmlrpc.php using the firewall.

I don't think it's possible, as from what I've read the URL is HTTP-level, not TCP/IP-level. I noticed it was visible in one of the packets, but I'm guessing that is just a GET request.

Code:

08:02:52.196218 IP (tos 0x28, ttl 49, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    185.130.5.180.49313 > 74.91.120.231.80: Flags [R], cksum 0x1477 (correct), seq 3351416892, win 0, payload 0
    0x0000:  4528 0028 0000 4000 3106 c72f b982 05b4  E(.(..@.1../....
    0x0010:  4a5b 78e7 c0a1 0050 c7c2 903c 0000 0000  J[x....P...<....
    0x0020:  5004 0000 1477 0000                      P....w..
08:02:52.196229 IP (tos 0x28, ttl 49, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    185.130.5.180.49313 > 74.91.120.231.80: Flags [R], cksum 0x1477 (correct), seq 3351416892, win 0, payload 0
    0x0000:  4528 0028 0000 4000 3106 c72f b982 05b4  E(.(..@.1../....
    0x0010:  4a5b 78e7 c0a1 0050 c7c2 903c 0000 0000  J[x....P...<....
    0x0020:  5004 0000 1477 0000                      P....w..

08:06:37.973330 IP (tos 0x28, ttl 50, id 32542, offset 0, flags [DF], proto TCP (6), length 60)
    185.130.5.180.51709 > 74.91.120.231.80: Flags [S], cksum 0xf781 (correct), seq 1771376060, win 14600, options [mss 1460,sackOK,TS val 3770380962 ecr 0,nop,wscale 7], payload 0
    0x0000:  4528 003c 7f1e 4000 3206 46fd b982 05b4  E(.<..@.2.F.....
    0x0010:  4a5b 78e7 c9fd 0050 6995 0dbc 0000 0000  J[x....Pi.......
    0x0020:  a002 3908 f781 0000 0204 05b4 0402 080a  ..9.............
    0x0030:  e0bb 72a2 0000 0000 0103 0307            ..r.........

08:10:17.232397 IP (tos 0x0, ttl 49, id 6724, offset 0, flags [DF], proto TCP (6), length 60)
    185.130.5.180.50246 > 74.91.120.231.80: Flags [S], cksum 0x85eb (correct), seq 3303330122, win 14600, options [mss 1460,sackOK,TS val 3770600206 ecr 0,nop,wscale 7], payload 0
    0x0000:  4500 003c 1a44 4000 3106 acff b982 05b4  E..<.D@.1.......
    0x0010:  4a5b 78e7 c446 0050 c4e4 d14a 0000 0000  J[x..F.P...J....
    0x0020:  a002 3908 85eb 0000 0204 05b4 0402 080a  ..9.............
    0x0030:  e0be cb0e 0000 0000 0103 0307            ............

08:10:17.362663 IP (tos 0x0, ttl 49, id 6726, offset 0, flags [DF], proto TCP (6), length 526)
    185.130.5.180.50246 > 74.91.120.231.80: Flags [P.], seq 1:475, ack 1, win 115, options [nop,nop,TS val 3770600336 ecr 51810377], length 474: HTTP, length: 474
    POST /xmlrpc.php HTTP/1.0
    Hos[!http]
    0x0000:  4500 020e 1a46 4000 3106 ab2b b982 05b4  E....F@.1..+....
    0x0010:  4a5b 78e7 c446 0050 c4e4 d14b 9488 f936  J[x..F.P...K...6
    0x0020:  8018 0073 4914 0000 0101 080a e0be cb90  ...sI...........
    0x0030:  0316 9049 504f 5354 202f 786d 6c72 7063  ...IPOST./xmlrpc
    0x0040:  2e70 6870 2048 5454 502f 312e 300d 0a48  .php.HTTP/1.0..H
    0x0050:  6f73

Right now I'm filtering by IP range (e.g. 185.135.*.*), but I'd rather just block these automatically based on the packets. I'm not sure if there's any similarity between them, though.
[ILSN]SniperFodder
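The capture above shows why the URL is only ever visible in the data segment: the RST and SYN packets carry no TCP payload, while the 526-byte PSH packet starts with the HTTP request line. The following is an added example, not code from the original post, that rebuilds the raw bytes from the `tcpdump -X` hex lines quoted above, skips the IPv4 and TCP headers, and reads the request line; it is an offline analysis helper, and the `BLOCKED_PATHS` set and function names are my own.

```python
import re
import ipaddress

# Two `tcpdump -X` hex dumps copied from the capture quoted above: the bare RST
# segment (no TCP payload) and the packet carrying the start of the POST.
RST_DUMP = """\
0x0000:  4528 0028 0000 4000 3106 c72f b982 05b4  E(.(..@.1../....
0x0010:  4a5b 78e7 c0a1 0050 c7c2 903c 0000 0000  J[x....P...<....
0x0020:  5004 0000 1477 0000                      P....w..
"""
POST_DUMP = """\
0x0000:  4500 020e 1a46 4000 3106 ab2b b982 05b4  E....F@.1..+....
0x0010:  4a5b 78e7 c446 0050 c4e4 d14b 9488 f936  J[x..F.P...K...6
0x0020:  8018 0073 4914 0000 0101 080a e0be cb90  ...sI...........
0x0030:  0316 9049 504f 5354 202f 786d 6c72 7063  ...IPOST./xmlrpc
0x0040:  2e70 6870 2048 5454 502f 312e 300d 0a48  .php.HTTP/1.0..H
0x0050:  6f73
"""

HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+(.*)$")

def hexdump_to_bytes(dump):
    """Rebuild raw packet bytes from tcpdump's 'offset: hex  ascii' lines."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            hex_part = m.group(1).split("  ")[0]   # drop the ASCII column
            raw += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(raw)

def http_request_from_packet(pkt):
    """Return (src_ip, method, path) when the TCP payload begins with an HTTP
    request line; None for segments without data (SYN, ACK, RST)."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length
    src_ip = str(ipaddress.IPv4Address(pkt[12:16]))
    tcp = pkt[ihl:]
    payload = tcp[(tcp[12] >> 4) * 4:]             # skip TCP header + options
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return src_ip, parts[0].decode("ascii"), parts[1].decode("ascii")

# Hypothetical policy for this example: the one path the thread wants blocked.
BLOCKED_PATHS = {"/xmlrpc.php"}

def should_block(pkt):
    """True only when a request line is present and its path is blocklisted."""
    req = http_request_from_packet(pkt)
    return req is not None and req[2] in BLOCKED_PATHS
```

Note that a filter of this kind sees the path only on the first data segment of each connection, so connection-setup packets from the same source are not matched on their own.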
soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Blacklisting Traffic to a Destination URL

Post by soja »

What do your web server access logs show?
Not a NFO employee
sniperfodder
New to forums
Posts: 12
Joined: Wed Nov 23, 2011 1:22 am

Re: Blacklisting Traffic to a Destination URL

Post by sniperfodder »

I have lines and lines of the following in my error log:

Code:

[Tue Mar 08 07:17:36.722428 2016] [:error] [pid 3504:tid 920] [client 185.130.5.180:46655] PHP Deprecated:  Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version.
	To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. in Unknown on line 0
And lines and lines of the following in the access log:

Code:

185.130.5.180 - - [08/Mar/2016:07:17:35 -0600] "POST /xmlrpc.php HTTP/1.0" 200 370

The only reason the server is getting DoS'd is because it generates massive log files (gigabytes in size), which causes out-of-memory errors and crashing. Since they are trying to exploit the xmlrpc.php file from WordPress, I'd like to just stop it at the firewall and completely block all connections to the server if anything tries posting to it. I don't take pingbacks in my WordPress install anyway, so losing access to it is not a big loss.

EDIT: Line wrapped the error log line
[ILSN]SniperFodder
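Since the access log already records every POST to /xmlrpc.php per client, it can drive the blocklist directly. Here is an added example, not from the thread, that parses Apache common-log-format lines like the one quoted above and returns the clients that posted to /xmlrpc.php, with the threshold defaulting to 1 to match the "anything that posts to it" policy; the first sample line is the one from the post, the remaining lines are constructed, and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample in Apache common log format. The first line is the one
# quoted in the thread; the rest are made up to show a mix of traffic.
ACCESS_LOG = """\
185.130.5.180 - - [08/Mar/2016:07:17:35 -0600] "POST /xmlrpc.php HTTP/1.0" 200 370
185.130.5.180 - - [08/Mar/2016:07:17:36 -0600] "POST /xmlrpc.php HTTP/1.0" 200 370
203.0.113.9 - - [08/Mar/2016:07:17:40 -0600] "GET /index.php HTTP/1.1" 200 8123
203.0.113.9 - - [08/Mar/2016:07:17:41 -0600] "GET /xmlrpc.php HTTP/1.1" 405 42
185.130.5.180 - - [08/Mar/2016:07:17:42 -0600] "POST /xmlrpc.php?rsd HTTP/1.0" 200 370
198.51.100.7 - - [08/Mar/2016:07:18:00 -0600] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one common-log-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]   # compare the path without query
    return rec

def xmlrpc_posts_by_ip(log_text):
    """Count POSTs to /xmlrpc.php per client and track first/last seen."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/xmlrpc.php":
            s = stats.setdefault(rec["ip"], {"count": 0, "first": rec["ts"], "last": rec["ts"]})
            s["count"] += 1
            s["last"] = max(s["last"], rec["ts"])
    return stats

def ips_to_block(log_text, threshold=1):
    """Clients with at least `threshold` POSTs to /xmlrpc.php, sorted."""
    return sorted(ip for ip, s in xmlrpc_posts_by_ip(log_text).items()
                  if s["count"] >= threshold)
```

Whatever consumes the returned list (the VDS firewall's IP blocklist here), also denying /xmlrpc.php in the web server configuration means the request is refused before PHP runs, which stops the deprecation warnings that are filling the error log.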