

Over 200 requests per second from the same 5 IPs




Posted by chasebug, 10-19-2009, 03:16 PM
I block them in htaccess but their repeated attacks are making my server load crazy. I installed APF but it doesn't do anything. Where do I set rules on automatic blocking?

Posted by Chris_M, 10-19-2009, 03:20 PM
If you know the IPs, just do apf -d IP# for each and forget it.

Posted by CodyRo, 10-19-2009, 05:48 PM
Assuming it's Linux based:

Posted by TheServerExperts, 10-19-2009, 06:02 PM
Did you try dos deflate? http://deflate.medialayer.com

Posted by madaboutlinux, 10-19-2009, 06:05 PM
If the IPs are similar, block the IP using route: route add IPADDR reject, where IPADDR is the IP address of the attacker. 'reject' installs a blocking route, which will force a route lookup to fail.

Posted by plumsauce, 10-19-2009, 08:10 PM
Have you traced back the ip addresses to find out who they belong to? Once you know who manages the ip blocks, you need some logs. Write to the abuse and noc addresses for the company who has been assigned those addresses. Explain briefly and accurately what is happening and that it is coming from machines within their ip space and ask them to please attend to it. They will probably ask for logs. It may take some days, but in most cases they will determine whether the source machine is compromised or run by a rogue operator and take the appropriate action.

Posted by adminpaul, 10-19-2009, 08:29 PM
Install csf + lfd and block the ip using the command csf -d

Posted by TailoredVPS, 10-19-2009, 08:45 PM
Yes, I would recommend using iptables as well.

Posted by chasebug, 10-20-2009, 02:46 AM
Using apf -d IP# to block IPs now. Is iptables better, and why is it better?

Posted by madaboutlinux, 10-20-2009, 03:06 AM
APF and CSF firewalls use iptables itself. These firewalls have made it easy to deal with blocking IPs on different criteria and various alerts for people who are not used to iptables.

Posted by BudWay, 10-20-2009, 09:08 AM
Install csf and use rate limiting to try to block/cease this.

Posted by inspiron, 10-20-2009, 09:22 AM
Yes, install the csf firewall and try using the command given below: # csf -d IPaddress

Posted by eth00, 10-20-2009, 11:36 AM
If you do install either APF or CSF, don't use the direct iptables commands; as soon as you restart the firewall (which happens daily) the rules will be lost. For just blocking the IP like you want, either will be just fine. If properly set up, apf -d or csf -d should be blocking it. If it is not, then something is probably set up wrong or your kernel may not support all of the required iptables modules. I would also suggest contacting the abuse dept for those IPs; that may help depending on what country they are in.
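
Added example, not part of any post in this thread: a short Python script that pulls the offending addresses out of the web server log and prints the csf -d lines discussed above. It assumes Apache common/combined log format; the 200 requests-per-second limit is taken from the thread title, and the function names, allow list and sample log lines (documentation-range IPs) are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Common/combined log format: client ident user [timestamp] "request" ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def peak_rates(lines):
    """Return {ip: highest number of requests logged in any single second}."""
    per_second = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line
        client, stamp = m.groups()
        try:
            ip = str(ipaddress.ip_address(client))
        except ValueError:
            continue  # hostname or junk: never hand it to a firewall command
        per_second[(ip, stamp)] += 1  # log timestamps have one-second resolution
    peaks = {}
    for (ip, _), count in per_second.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks

def deny_commands(lines, limit=200, allow=()):
    """Build 'csf -d' lines for IPs whose peak rate exceeds limit.

    allow lists addresses that must never be blocked (your own office,
    monitoring hosts), so a busy legitimate client cannot lock you out.
    """
    allowed = {str(ipaddress.ip_address(a)) for a in allow}
    peaks = peak_rates(lines)
    offenders = [ip for ip, n in peaks.items() if n > limit and ip not in allowed]
    offenders.sort(key=lambda ip: -peaks[ip])  # worst first
    return [f"csf -d {ip}  # peak {peaks[ip]} req/s" for ip in offenders]

def sample_log():
    """Constructed sample: two floods, one normal visitor, one hostname entry."""
    fmt = '{} - - [19/Oct/2009:15:16:{:02d} -0400] "GET / HTTP/1.1" 200 512'
    lines = [fmt.format("203.0.113.7", 1)] * 250            # 250 hits in one second
    lines += [fmt.format("198.51.100.9", s) for s in range(60)]  # 1 hit per second
    lines += [fmt.format("192.0.2.10", 2)] * 300            # busy, but allow-listed
    lines.append(fmt.format("bad.example.net", 3))          # skipped: not an IP
    return lines

if __name__ == "__main__":
    for cmd in deny_commands(sample_log(), allow=["192.0.2.10"]):
        print(cmd)
```

Review the printed lines before running them; on a real server, pass the lines of the access log to deny_commands() instead of the sample.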

Posted by pfer, 10-20-2009, 04:13 PM
You might also want to throttle the IPs: lists.netfilter.org/pipermail/netfilter/2006-April/065456.html

Posted by CKGroup, 10-20-2009, 05:17 PM
I've always used the apf firewall on all 3 of my servers and it does a good job. As Chris said, apf -d iphere to block the DDoS'er.

Posted by chasebug, 10-22-2009, 12:36 AM
I have CSF installed but I can't find the rate limiting, where is it?


