
I have a problem with a LAMP server where Apache keeps getting lots of requests "POST / HTTP/1.1" but always from new IP addresses. Blocking the IPs using iptables obviously won't help. Any ideas how to block or even reduce this traffic? I cannot install a squid proxy or similar in front of Apache, nor can I install an external firewall. Do I have to contact the ISP where the server is hosted?

bauer

1 Answer


As the title of your question implies, DDoS is a Distributed Denial of Service where the attack comes from different sources. The best chance you have at the moment is to contact your Service Provider and explain the situation. On your side there are a few steps you could take to at least limit the cause of this DDoS attack. For more information on what you could do, please see http://www.netfilter.org

Valentin Bajrami
  • All the things I've tried with iptables didn't work so far. For example, I've tried blocking the string "POST / HTTP/1.1" but this didn't work. I also tried putting entire ip blocks in there but there still just keep coming new IPs and besides, I've had complaints from a few people who got blocked because their IP was in the same range. – bauer Aug 19 '13 at 07:25
  • Blocking traffic based on strings isn't ideal in this particular case. The attack is initiated from different IP addresses which require a lot of sockets to be opened by Apache. There is a limit of open sockets Apache handles and when the limit is reached it will just drop. What attack is it? Is it a SYN flood? – Valentin Bajrami Aug 19 '13 at 07:47
  • It's an application level attack. Lots of requests for "POST / HTTP/1.1". – bauer Aug 19 '13 at 07:54
  • @bauer `POST / HTTP/1.1` is the POST request header. It is predefined and returned when a post request is done on a web page. So attempting to limit the DDoS based on this string isn't the right way to go. Please refer to netfilter and apply the appropriate steps. – Valentin Bajrami Aug 19 '13 at 08:02
  • Do you mean the `POST / HTTP/1.1` is returned by the server? Surely it is generated by the user-agent in the first request, together with details about the virtual host, user-agent, content-length etc. But I have a feeling using netfilter is not ideal in this case. – bauer Aug 19 '13 at 08:55
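An added example, not code from the thread or from either participant: a shell script that measures the flood the asker describes (counting only request lines that are exactly `POST / HTTP/1.x`, per client IP, from the Apache access log) and echoes the kind of per-source netfilter rate limit the answer points to. The log lines, IP addresses, thresholds and function names are all constructed for the demo.

```shell
#!/bin/sh
# Constructed Apache combined-format sample (documentation IP ranges), not a real log.
LOG_SAMPLE="$(cat <<'EOF'
203.0.113.5 - - [19/Aug/2013:07:25:01 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Aug/2013:07:25:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Aug/2013:07:25:02 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Aug/2013:07:25:02 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Aug/2013:07:25:03 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Aug/2013:07:25:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)"

# Per-IP count of request lines that are exactly "POST / HTTP/1.0|1.1".
# Reads the log on stdin; prints "<count> <ip>", highest first.
post_root_by_ip() {
    awk '$0 ~ /"POST \/ HTTP\/1\.[01]"/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# IPs that sent more than $1 such requests in the log window.
post_root_offenders() {
    post_root_by_ip | awk -v max="$1" '$1 > max { print $2 }'
}

# Total count: when sources rotate too fast for per-IP blocks to help,
# a jump in this number against the normal baseline is the alert signal.
post_root_total() {
    awk '$0 ~ /"POST \/ HTTP\/1\.[01]"/ { n++ } END { print n+0 }'
}

# Kernel-side per-source limits on port 80 (hashlimit + connlimit), no proxy
# required. Echoed, not executed, so the script runs unprivileged; the rates
# are placeholders to be tuned against the server's real traffic baseline.
netfilter_rules() {
    cat <<'EOF'
iptables -N HTTP_LIMIT
iptables -A INPUT -p tcp --dport 80 --syn -j HTTP_LIMIT
iptables -A HTTP_LIMIT -m hashlimit --hashlimit-name http --hashlimit-mode srcip --hashlimit-above 20/sec --hashlimit-burst 40 -j DROP
iptables -A HTTP_LIMIT -m connlimit --connlimit-above 30 --connlimit-mask 32 -j DROP
iptables -A HTTP_LIMIT -j RETURN
EOF
}

# Demo run over the constructed sample.
printf '%s\n' "$LOG_SAMPLE" | post_root_by_ip
printf '%s\n' "$LOG_SAMPLE" | post_root_offenders 2
```

Feed it the live log with `tail -f /var/log/apache2/access.log | post_root_by_ip` (path assumed) to watch the distribution while the provider is being contacted.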