Simple Machines Community Forum

SMF Support => Server Performance and Configuration => Topic started by: pritimujumdar on February 07, 2017, 01:18:20 AM

Title: Protection against DDoS attacks (post requests)
Post by: pritimujumdar on February 07, 2017, 01:18:20 AM
An attack is periodically happening by plugging the input channel over HTTP (sending large POST requests).

I disabled POST processing in nginx and it gives a 405 Not Allowed error. But, apparently, the server receives the request body and only then does nginx give the error.

I sifted through a list of bots in the logs and added the IPs to iptables.

1. How to limit POST requests so that the server does not take them at all (or, as an option, takes only those smaller than 4K)?

2. If the IP is blocked: iptables -A INPUT -s 1.2.3.4 -j DROP - I understand that there is then no incoming traffic to the server from this IP, right?

3. Thinking to automate: Someone tried to feed large (3-10 GB) http logs in fail2ban - whether it will ship the system? Of course, you can write suspicious requests to a separate log. But the attack style can be changed.
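
The log-sifting step from the post above, as an added example that is not part of the original thread: it streams an access log with awk, counts rejected POSTs per client, and prints DROP rules for review. It assumes nginx's combined log format and status 405 for the rejected requests; the function names, threshold and sample log lines are constructed. awk keeps one counter per client IP, so memory grows with the number of distinct clients, not with the size of the log.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes nginx "combined" log format:
#   $1 = client IP, $6 = "METHOD (with leading quote), $9 = status code.

# sample_log: constructed log lines using documentation-only addresses.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [07/Feb/2017:01:00:01 +0000] "POST /index.php HTTP/1.1" 405 166 "-" "-"
192.0.2.10 - - [07/Feb/2017:01:00:02 +0000] "POST /index.php HTTP/1.1" 405 166 "-" "-"
192.0.2.10 - - [07/Feb/2017:01:00:03 +0000] "POST /index.php HTTP/1.1" 405 166 "-" "-"
198.51.100.7 - - [07/Feb/2017:01:00:04 +0000] "POST /index.php HTTP/1.1" 405 166 "-" "-"
203.0.113.5 - - [07/Feb/2017:01:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Feb/2017:01:00:06 +0000] "POST /login HTTP/1.1" 200 312 "-" "Mozilla/5.0"
EOF
}

# post_offenders LOGFILE MIN_HITS [STATUS]
# Prints "COUNT IP" for every client with at least MIN_HITS POSTs answered
# with STATUS (default 405), highest count first.
post_offenders() {
  awk -v min="$2" -v st="${3:-405}" '
    $6 == "\"POST" && $9 == st { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' "$1" | sort -k1,1nr -k2,2
}

# emit_drop_rules: read "COUNT IP" lines, print one DROP rule per valid IPv4.
# The address is validated before a command is built from log content.
emit_drop_rules() {
  while read -r count ip; do
    if printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
      echo "iptables -A INPUT -s $ip -j DROP"
    fi
  done
}

# Demo: rules are printed for review, never applied by this script.
demo_log=$(mktemp)
sample_log > "$demo_log"
post_offenders "$demo_log" 3 | emit_drop_rules
rm -f "$demo_log"
```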
Title: Re: Protection against DDoS attacks (post requests)
Post by: Linkjay on February 07, 2017, 01:19:54 AM
CloudFlare (https://www.cloudflare.com/)
Title: Re: Protection against DDoS attacks (post requests)
Post by: Illori on February 07, 2017, 05:12:43 AM
Are you actually using SMF?
Title: Re: Protection against DDoS attacks (post requests)
Post by: LiroyvH on February 07, 2017, 06:43:43 AM
The traffic will still reach the server, but iptables will discard any packets coming from that IP.
Title: Re: Protection against DDoS attacks (post requests)
Post by: pritimujumdar on February 15, 2017, 05:58:48 AM
The site is hosted on managed WordPress hosting from MilesWeb and it has CloudFlare by default. I am not able to understand how to fix this.
Title: Re: Protection against DDoS attacks (post requests)
Post by: LiroyvH on February 15, 2017, 10:00:40 AM
So block all incoming traffic to the HTTP(S) ports and only allow CloudFlare and perhaps your home IP to pass through?
It's a bit hard to tell you what to do since we don't know anything about your setup, and don't even know exactly what your problem is. Be more detailed. What's happening? Despite the 405 being thrown, do you still see high load or something? If not, why do you care much about the requests hitting your server - if they aren't being processed and don't cause a high load: you mitigated it. Or is the problem bandwidth consumption? What other steps have you taken to mitigate the effect of any such attack?

There aren't enough details.
But if you have managed hosting anyway, why not simply ask your host to do this...? They're supposed to help you out if it's managed hosting.
Title: Re: Protection against DDoS attacks (post requests)
Post by: pritimujumdar on February 16, 2017, 03:11:49 AM
Thanks for your help! Communicated with the support department at milesweb.com and they have fixed the issue. I made some changes in permission on my vps which created the problem.

Thanks again
Title: Re: Protection against DDoS attacks (post requests)
Post by: sangilca on February 18, 2017, 06:16:49 PM
The free version of CloudFlare doesn't stop DDoS attacks.
Title: Re: Protection against DDoS attacks (post requests)
Post by: Linkjay on February 18, 2017, 07:52:09 PM
Quote from: sangilca on February 18, 2017, 06:16:49 PM
The free version of CloudFlare doesn't stop DDoS attacks.

Taken right off the CloudFlare site:
(https://uploads.linkjay1.com/image_16148746549332.png)

It says limited but will stop just about any attack thrown its way...
Title: Re: Protection against DDoS attacks (post requests)
Post by: sangilca on February 19, 2017, 01:30:48 PM
Quote from: Linkjay on February 18, 2017, 07:52:09 PM
Quote from: sangilca on February 18, 2017, 06:16:49 PM
The free version of CloudFlare doesn't stop DDoS attacks.

Taken right off the CloudFlare site:
(https://uploads.linkjay1.com/image_16148746549332.png)

It says limited but will stop just about any attack thrown its way...

It says, I hope you don't have to try this, because its limited is the same as nothing.
Title: Re: Protection against DDoS attacks (post requests)
Post by: Linkjay on February 19, 2017, 07:08:18 PM
Quote from: sangilca on February 19, 2017, 01:30:48 PM
Quote from: Linkjay on February 18, 2017, 07:52:09 PM
Quote from: sangilca on February 18, 2017, 06:16:49 PM
The free version of CloudFlare doesn't stop DDoS attacks.

Taken right off the CloudFlare site:
(https://uploads.linkjay1.com/image_16148746549332.png)

It says limited but will stop just about any attack thrown its way...

It says, I hope you don't have to try this, because its limited is the same as nothing.

I haven't had a single DDoS attack get through on my site ever since I have gotten on CloudFlare. I have tried stress tests in the past and none have gotten through. According to CloudFlare and hosting stats, I get a pretty decent amount of traffic, and people have tried in the past...

I don't understand where you're coming from or what proof you have that CF doesn't work fully, but I am interested in why you think CloudFlare isn't suitable.

I also want to state that both my sites are on the FREE version of CF.
Title: Re: Protection against DDoS attacks (post requests)
Post by: LiroyvH on February 19, 2017, 08:18:53 PM
If the IP of the site is already known (like OP), or is discovered, CloudFlare on its own is of no use at all to block a (D)DoS attack. Absolutely zero.
For pre-emptive measures or to put up right before you switch your site to a new IP: it can work, absolutely. (Indeed with limits on the free plan btw.)
For sites already under attack, it's usually useless (exception: the attacker has no clue what he/she is doing, or the sw is crap.) to switch to CF unless you also move it to another server/IP.
CloudFlare is quite easy to bypass with the default configuration that most people use, always pay attention to that as well. :)
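
The origin lock-down suggested earlier in the thread (allow only the proxy and an admin IP to reach the HTTP(S) ports), which also addresses the known-origin-IP bypass described in the last post, as an added example that is not from any poster. The chain name WEB_ORIGIN, the function names, the admin address and the ranges in PROXY_RANGES are constructed placeholders; the real ranges must come from the provider's published list.

```sh
#!/bin/sh
# Added example (not from the thread): print iptables commands that admit
# HTTP(S) only from the reverse proxy's ranges plus one admin address.
# PROXY_RANGES holds constructed placeholder networks (RFC 5737), NOT real
# CloudFlare ranges; replace them with the provider's current published list.
PROXY_RANGES="192.0.2.0/24 198.51.100.0/24"

# is_ipv4_cidr: accept a dotted-quad address with an optional /0-32 prefix.
is_ipv4_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# origin_lockdown_rules ADMIN_IP RANGE...
# Prints the rules only; nothing is applied, so the output can be reviewed.
origin_lockdown_rules() {
  admin_ip=$1; shift
  # Validate every source first so a bad entry yields no partial rule set.
  for src in "$admin_ip" "$@"; do
    is_ipv4_cidr "$src" || { echo "invalid source: $src" >&2; return 1; }
  done
  echo "iptables -N WEB_ORIGIN"
  for src in "$admin_ip" "$@"; do
    echo "iptables -A WEB_ORIGIN -s $src -j ACCEPT"
  done
  echo "iptables -A WEB_ORIGIN -j DROP"
  # The jump goes in last, at the head of INPUT, so the chain is complete
  # before traffic enters it and no earlier ACCEPT for 80/443 bypasses it.
  echo "iptables -I INPUT -p tcp -m multiport --dports 80,443 -j WEB_ORIGIN"
}

# Demo with a constructed admin address (203.0.113.5).
# $PROXY_RANGES is left unquoted on purpose so each range is one argument.
origin_lockdown_rules 203.0.113.5 $PROXY_RANGES
```

With these rules in place, direct requests to the origin IP on ports 80 and 443 are dropped unless they come from the listed sources, so a known origin address no longer bypasses the proxy for web traffic.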