How do I respond to an attack against a webserver I run?


Post by Edge100x »

If you run a webserver and it's suddenly swamped with clients loading the same page over and over, it's likely that you're being attacked, and this guide is for you.

If you run Apache on an unmanaged Linux VDS, start by looking at your webserver's access log. This is normally located at /var/log/apache2/access_log, but it could be somewhere else if you have configured it to be (check the CustomLog directive in your Apache configuration). Look for lines that show the same IP constantly re-requesting the same resource, like this:

123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
Legitimate clients don't behave like this. To block the attack and restore your site to its normal performance, you need to block the attacking IPs. You could do this through our "Firewall" page (in the control panel), but the number of rules that you can create there is limited, so it's better to block the IPs locally.

There are two main ways to block, at the network level, the IPs that you've identified as malicious:
  1. With individual iptables rules. You could run a command like this to block the IP above, for instance:

    iptables -A INPUT -s 123.123.123.123 -j DROP

    Note that -A appends the rule to the end of the INPUT chain; if that chain already has rules that accept traffic earlier, use -I INPUT instead so the block is evaluated first.

    You can also list all the rules you've created:

    iptables --list-rules

    Or delete an existing block (the rule specification must match the one you added exactly):

    iptables --delete INPUT -s 123.123.123.123 -j DROP

    Or delete all rules (this flushes every rule in the filter table, not just the blocks you added):

    iptables --flush
  2. With an "ipset" and a single iptables rule. This is much more efficient for large numbers of IPs, and you should prefer this method if your Linux distribution includes support for it. Blocking the same IP with this method involves these commands:

    ipset create blacklist hash:ip
    iptables -A INPUT -m set --match-set blacklist src -j DROP
    ipset add blacklist 123.123.123.123

    Adding new IPs later involves a single command for each one:

    ipset add blacklist the.new.ip.address

    To delete an IP from the set:

    ipset del blacklist the.ip.to.delete

    To clear the set completely:

    ipset flush blacklist

    Note that neither the iptables rules nor the ipset contents persist across a reboot unless you save them (for example with iptables-save and ipset save) and restore them at boot.
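The two halves of this procedure, spotting the repeat requesters in the access log and then feeding them into an ipset, can be tied together in one small script. The following is an added example for this thread, not Edge100x's own code: it parses lines in the same format shown above, keeps only client/path pairs seen at least a threshold number of times, validates each address as a dotted quad (so a typo such as a fifth octet is caught before it reaches ipset), and then prints the ipset/iptables commands from the post. It only prints them unless RUN=1 is set, so you can review the list before changing anything. The set name "blacklist" and the log path are taken from the post; the sample log lines embedded in write_sample_log are constructed for the demo and are not a real capture.

```shell
#!/bin/sh
# Added example for this thread (not Edge100x's own script): find clients that
# keep re-requesting the same resource in an Apache access_log, validate the
# resulting addresses, and emit the ipset/iptables commands from the post to
# block them. Commands are only printed unless RUN=1 is set, so the list can be
# reviewed before anything is changed on the server.

# write_sample_log FILE -- writes a constructed sample log (not a real capture)
# in Apache's combined format, so the script can be exercised offline.
write_sample_log() {
    cat > "$1" <<'EOF'
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/21.0.1180.89"
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/21.0.1180.89"
123.123.123.123 - - [10/Oct/2012:13:37:28 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/21.0.1180.89"
123.123.123.123 - - [10/Oct/2012:13:37:28 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/21.0.1180.89"
198.51.100.7 - - [10/Oct/2012:13:37:29 -0700] "GET /index.php HTTP/1.1" 200 512 "" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:13:37:31 -0700] "GET /about.html HTTP/1.1" 200 1024 "" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2012:13:37:40 -0700] "POST /login.php HTTP/1.1" 302 - "" "curl/7.26.0"
EOF
}

# suspicious_requesters LOGFILE THRESHOLD -- prints "count ip path" for every
# client/path pair requested at least THRESHOLD times, most frequent first.
suspicious_requesters() {
    awk -v thr="$2" '
        {
            split($0, q, "\"")      # q[2] is the request line: GET /index.php HTTP/1.1
            split(q[2], r, " ")     # r[2] is the requested path
            n[$1 " " r[2]]++        # $1 is the client IP
        }
        END { for (k in n) if (n[k] >= thr) print n[k], k }
    ' "$1" | sort -rn
}

# valid_ipv4 ADDR -- succeeds only for exactly four octets in 0-255, so a typo
# such as a fifth octet is caught before it reaches ipset.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    '
}

# block_ips SETNAME -- reads one IP per line on stdin and prints (or, with
# RUN=1, executes) the ipset/iptables commands. "-exist" makes ipset ignore an
# already-created set or an already-added entry; "iptables -C" checks whether the
# DROP rule is already present so re-running the script does not duplicate it.
block_ips() {
    set_name="$1"
    run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }
    run ipset -exist create "$set_name" hash:ip
    if [ "${RUN:-0}" != 1 ] || ! iptables -C INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null; then
        run iptables -A INPUT -m set --match-set "$set_name" src -j DROP
    fi
    while read -r ip; do
        if valid_ipv4 "$ip"; then
            run ipset -exist add "$set_name" "$ip"
        else
            printf 'skipping malformed address: %s\n' "$ip" >&2
        fi
    done
}

# Usage: sh respond.sh /var/log/apache2/access_log 50        (print the commands)
#        RUN=1 sh respond.sh /var/log/apache2/access_log 50  (apply them as root)
# With no arguments it runs against the constructed sample with a threshold of 3.
main() {
    if [ $# -ge 1 ]; then
        log="$1"; thr="${2:-50}"
    else
        log=$(mktemp); write_sample_log "$log"; thr=3
    fi
    suspicious_requesters "$log" "$thr" | awk '{ print $2 }' | sort -u | block_ips blacklist
    [ $# -ge 1 ] || rm -f "$log"
}
main "$@"
```

The threshold is deliberately a parameter: what counts as "constantly re-requesting" depends on your site's normal traffic, so run it in print mode first and compare the output against the raw log before applying anything with RUN=1. Because the script pipes the suspicious addresses into the ipset rather than generating one iptables rule per address, it scales to the large lists that method 2 is meant for.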