InterServer Have DDos Flood Protection?

Quags

Administrator
Staff member
DOS protection is not our niche. So if you are regularly getting a DOS attack, find out the size of the attack. If it does not exceed your port speed then nginx and a combination software firewall will be able to stop the attack (freebsd + pf firewall is best). If it does exceed your port speed then check into cloudflare.com to add protection to your site. We are able to block some floods on our end with our null routing, but if it is large enough your ip may be null routed.
 

Quags

Administrator
Staff member
Honestly depends on the flood type. If I were to give an estimate if the flood is not a randomized port, spoofed IP flood, up to 2 gbps can probably be blocked with your server online. If the flood is large enough, the source IP is likely to be null routed, if other clients/servers are being affected.

Again, if the flood is lower than the port size, freebsd + pf firewall on its own will be able to block the flood in most cases, and on linux nginx (for a flood to the webserver) as a reverse proxy.
 

hrudy

New Member
Quags-- Could you elaborate on your comment? I was also a victim of a DDOS. I am running Centos on a VPS. So you are recommending running nginx to replace apache or running it as a reverse proxy in tandem with apache? This is a wordpress site so running it on nginx is no problem. Are there any settings we should tweak to mitigate DDOS attacks?
 

Quags

Administrator
Staff member
For a single site that tends to attract dos attacks, you can consider cloudflare.com as a reverse proxy for your website. They also are running nginx, and provide a caching/cdn service that is free for the basic plan, with no ssl.
 

hrudy

New Member
FWIW I was able to fix my problem with a combination of cloudflare (free) and apache mod_security. I also blocked all incoming IPs except those from cloudflare.
 

Ryan Maxey

Member
Few things, I have a bit of experience in this field.
1) CloudFlare works, but it only acts upon port 80. If the person DDoS attacking your site is knowledgeable at all, they know that mail source IPs are revealed in mail headers. So, basically if someone registers, views mail source, they have your IP. There are several other ways, for example if your site software allows external URLs.

2) CloudFlare free plan will only withstand 5 GBPS attacks. If the attack is more than that, CloudFlare will turn your site's reverse proxy off, thus exposing your server IP. It stays suspended for around 5 days, as I remember.

3) If the DDoS attack is targeted on the IP of your site, and it exceeds your port speed, nothing can really be done to stop it short of a hardware solution.

Also, the web server you're running only matters if it's a layer 7 DoS attack.
 
thank you ryan - please forgive my amateurish terminology. i am getting hit with requests to my wordpress wp-login.php files - and when i get thousands of them in a minute it all but shuts down my server. this is probably not technically a DoS attack at all. the virtualmin people recommend using mod_qos. but naturally i will accept any other thoughts or opinions, so long as those thoughts and opinions agree with me (kidding)
 

Ryan Maxey

Member
thank you ryan - please forgive my amateurish terminology. i am getting hit with requests to my wordpress wp-login.php files - and when i get thousands of them in a minute it all but shuts down my server. this is probably not technically a DoS attack at all. the virtualmin people recommend using mod_qos. but naturally i will accept any other thoughts or opinions, so long as those thoughts and opinions agree with me (kidding)
That is a DDoS/DoS attack. DDoS is just more than one machine, DoS being a single source. Yes, as long as it's on port 80 (HTTP) it'll help. Throttling connections per IP will also help. I'd recommend looking into getting CSF Firewall.
 

Quags

Administrator
Staff member
If you see

POST /wp-login.php HTTP/1.0

and in logs:
- - [13/Aug/2013:13:35:07 -0400] "POST /wp-login.php HTTP/1.0"

Notice all http/1.0 – thanks for making it easy. Dropped with a .htaccess


Code:
RewriteEngine On
RewriteCond %{SERVER_PROTOCOL} ^(HTTP/1.0)
RewriteCond %{REQUEST_URI} ^/wp-login.php$
RewriteRule .* - [R=406]
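To see how that .htaccess rule and the per-IP throttling discussed in this thread line up against real traffic, it helps to run the same two checks over the access log first. The script below is an added example, not code from the thread or from InterServer: it parses Apache combined-log lines, lists the requests the HTTP/1.0 rule above would answer with 406, and counts wp-login.php hits per client per minute so you can pick a sensible throttle threshold. The log lines are constructed (RFC 5737 documentation addresses), and the threshold is a parameter you choose.

```python
"""Spot wp-login.php floods in an Apache access log.

Added example, not code from the thread. It mirrors the two checks the
thread discusses: the HTTP/1.0 tell that the .htaccess rule keys on, and
the per-IP request rate that a per-IP throttle would act on.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache combined log format. The addresses are
# from the RFC 5737 documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Aug/2013:13:35:07 -0400] "POST /wp-login.php HTTP/1.0" 200 3211 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Aug/2013:13:35:08 -0400] "POST /wp-login.php HTTP/1.0" 200 3211 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Aug/2013:13:35:09 -0400] "POST /wp-login.php HTTP/1.0" 200 3211 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Aug/2013:13:35:10 -0400] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2013:13:35:40 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Aug/2013:13:36:01 -0400] "GET /index.php HTTP/1.1" 200 8122 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2013:13:36:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "METHOD path PROTO", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["path"] = d["path"].split("?", 1)[0]  # drop any query string
    d["status"] = int(d["status"])
    return d


def parse_log(text):
    """Parse every line of an access log, skipping lines that do not match."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def http10_login_requests(entries):
    """Requests the thread's .htaccess rule would answer with 406:
    any request to /wp-login.php made over HTTP/1.0 (the rule does not
    check the method, so neither does this)."""
    return [e for e in entries
            if e["path"] == "/wp-login.php" and e["proto"] == "HTTP/1.0"]


def login_rate_per_minute(entries):
    """Count wp-login.php hits per (client IP, minute)."""
    counts = Counter()
    for e in entries:
        if e["path"] == "/wp-login.php":
            counts[(e["ip"], e["ts"].strftime("%Y-%m-%dT%H:%M"))] += 1
    return counts


def flag_noisy_clients(entries, threshold):
    """IPs that hit wp-login.php at least `threshold` times in one minute.
    Pick the threshold from your own traffic; legitimate users rarely need
    more than a handful of login attempts per minute."""
    return {ip for (ip, _minute), n in login_rate_per_minute(entries).items()
            if n >= threshold}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"{len(http10_login_requests(entries))} HTTP/1.0 requests to wp-login.php")
    for (ip, minute), n in sorted(login_rate_per_minute(entries).items()):
        print(f"{minute}  {ip:<15} {n}")
    print("over threshold:", sorted(flag_noisy_clients(entries, threshold=3)))
```

Run it against your own log by replacing SAMPLE_LOG with the file contents. If most of the flagged clients also show up in the HTTP/1.0 list, the .htaccess rule alone will absorb most of the noise; if they arrive over HTTP/1.1, the per-minute counts are what a throttle (CSF, mod_qos or similar) needs to be tuned against.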
 
thanks ryan - since i am having a crap day, how does one throttle connections via IP ? sorry but i am too lazy to look it up now.

i have CSF firewall - the problem there is that my deny file is filling up with IP numbers that i will probably never see again.
 

Ryan Maxey

Member
thanks ryan - since i am having a crap day, how does one throttle connections via IP ? sorry but i am too lazy to look it up now.

i have CSF firewall - the problem there is that my deny file is filling up with IP numbers that i will probably never see again.
Yes, that's normal. If you believe that you might see them, I'd add them to a server deny list for Apache. You can throttle clients with CSF, or a tool like DoS deflate.
deflate.medialayer.com
 
You can throttle clients with CSF
ryan - i dont see anything on throttling using CSF and a google-search didnt turn anything up. do you have any more information on this? i am using CSF 6.33 which i believe is the latest one.
 

Quags

Administrator
Staff member
csf has synflood protection (which can throttle)

but if wp-login.php is getting hit, check that .htaccess rule above
 
hey john - i saw that, thank you - but i had two questions:

1) not all of my "attacks" are 1.0 -- i see many HTTP/1.1

2) would that approach block all 1.0 attempts?


on your suggestion, i just changed csf.conf to:

SYNFLOOD = "1"
#SYNFLOOD_RATE = "100/s" changed by mark 2013-08-28
SYNFLOOD_RATE = "50/s"
SYNFLOOD_BURST = "150"
and i restarted the firewall. any thoughts, suggestions, marriage proposals, or concerns?
 

Ryan Maxey

Member
CloudFlare may actually really help you. You can block countries from CloudFlare, and put your security on high, which will still most likely stop the bad visitors.
 

Quags

Administrator
Staff member
The .htaccess blocks http 1.0 to wp-login, a common brute force attempt I see

But yes it would allow http1.0

If only your IP should access wp-login.php, a .htaccess file match like

Code:
<Files wp-login.php>
order allow,deny
allow from your.ip
deny from all
</Files>
 
ryan - i am a HUGE fan of clouDNS and use it extensively. from what little i know about cloudflair it sounds as if that would replace clouDNS.

john - my wp-login.php attempts come from many different places since i am running multiuser-wordpress.

both - so what do you think of my SYNFLOOD settings? this is the first i have heard of it, but it looks very promising.

really, all i need is a way to slow down repeated requests. and all my WP sites have double-captcha to slow down these bad guys!
 