Mitigate DDoS Proxy attack

Question

In last days my apache is being attacked by many connections from proxies. I've identified the source but could not block the attack effectively.

The attacker seems to be using pyloris or a variation of this to attack my apache on port 80.

I installed nginx and varnish but not enough to support the extra load.

I also added a rule in iptables to drop packets that contain the string "X-Forwarded-For" but does not block all the proxies.

Does anyone have a suggestion?

Hex · Accepted Answer · 2013-01-17T14:46:52.573

1

Usually pyloris attacks are utilised using TOR network. As first step I would suggest you to block ip addresses of TOR network and check if it helps at all.

Here is a list of TOR network's ip addresses

Let us know if it helps

edited Jan 17 '13 at 14:46

answered Jan 16 '13 at 10:48

Hex

1,939
10
17

Additionally, setting low timeouts in nginx and connlimits via iptables can help. – 89c3b1b8-b1ae-11e6-b842-48d705 Jan 16 '13 at 11:32
@tristan I set the nginx timeout to 3s and connlimit to 30/s but the problem is that the requests come from many different ips and all are proxies. – Digorp Jan 16 '13 at 12:17
@Hex It does not help much because most proxies are not those who are on this list. – Digorp Jan 16 '13 at 12:18
@Digorp what are some of the example 'proxies' that you're seeing? What scale of connections are you receiving? – 89c3b1b8-b1ae-11e6-b842-48d705 Jan 16 '13 at 12:24
@Digorp : Can you try the iptables rule I added to my answer? – Hex Jan 16 '13 at 12:26
@Hex Your rule above helped a lot. Now the server load is: load average: 6.07, 7.86, 12.04 – Digorp Jan 16 '13 at 13:15
@tristan Without Hex's rule: netstat -an |grep ":80" | wc -l 11363 With: netstat -an | grep ":80" | wc -l 2727 – Digorp Jan 16 '13 at 13:18
Without the above rule, the load goes up to 100+ and the server hangs. But anyway load 6.07 is a bit high. Guys, do you have more suggestions? – Digorp Jan 16 '13 at 13:22
Ok, there are some proxies that do not forward requests using exact "X-Forwarded-For" phrase. Use ngrep to check how other proxies are sending requests. – Hex Jan 16 '13 at 14:16
I have edited my answer, have a look at it. – Hex Jan 16 '13 at 14:29
@Digorp I was more getting at "what are the IPs of the remote hosts?" – 89c3b1b8-b1ae-11e6-b842-48d705 Jan 16 '13 at 15:38
@tristan here are some ips dropped by the Hex's rule [link](http://pastebin.com/m7p7DZsY) – Digorp Jan 16 '13 at 18:37
Another thing, as you should already know the ip address in x-forwarded-for flag is the ip of attacker. I would suggest you to report that ip to authorities. – Hex Jan 16 '13 at 23:01

Mitigate DDoS Proxy attack

1 Answers1