0

We've been having trouble recently with a DOS attack on our main website, which is run using Apache httpd 2.2.9 and Drupal 6.35. The attack is a post to Drupal's xmlrpc.php, which is a known exploit that has been patched in recent versions of Drupal. Because it's an older version, however, the fix for the exploit isn't in our Drupal installation - and won't be, because we're migrating to a hosted platform within three months.

I initially tried to counteract the DOS by renaming xmlrpc.php, which returns a 404, but that's still enough to create an Apache thread for each post. The result is that the multiple threads combined consume a lot of memory, so there's still a problem.

So, based on some more googling, I've just modified .htaccess with the following:

<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>

From here on, presumably, there will no longer be an httpd thread created for each call.

Is this sufficient, do you think? I could go one step further by enabling the capability to track traffic on the VPC and find and block the originating IP address/es, but I don't know if that will be effective, because these attacks may be coming from a bunch of hijacked systems. Although I am curious to find out. Any thoughts?

Flup
  • If you find that Apache isn't sufficient to filter the abusive connections then you could try putting a varnish instance in front of it that's configured to reject all such requests. – Flup Apr 13 '16 at 14:36
  • I would be a bit reluctant to try that - all of our critical traffic goes through Apache. The main website isn't the most important one. Btw, how did you get the brackets to post? – Jack BeNimble Apr 13 '16 at 14:46
  • Fair enough -- of course it's a risk to introduce another layer. As for the brackets, I just typed them in :) – Flup Apr 13 '16 at 14:47
  • Strange - anything in brackets disappeared from my post, including the brackets. I highlight and hit control+k, but I think I tried it without that and it still didn't work. – Jack BeNimble Apr 13 '16 at 14:57

1 Answer

2

A Deny block still requires Apache to process the request far enough to see that it matches a deny, and is most likely equal in 'cost' to a 404.

You say 'DOS' but do you mean an actual attack or is it random scanners? Random scanners don't normally drive enough traffic to make 404s/403s for those a problem.

Is this behind an ELB? If not you should be able to see the source addresses in the access logs. You could look at implementing a tool like Fail2Ban to watch for this pattern and put in a temporary iptables rule to block access to that IP for a period of time.

If it is behind an ELB you could do something similar, except write a custom shim to operate against the VPC subnet ACLs that contain the ELB.

Jason Martin
  • It's definitely an attack - it's hitting the site with many hits per second, maybe 400k per day. This is a very low traffic site otherwise and not equipped to handle the attack. It was enough to make our servers inaccessible. Good info on the 404 still taking resource. But at this point it's not knocking out the servers. Tried the ELB log but it just shows the LAN address of the VPC (I think). But there's some kind of Amazon "Flow" that allows you to monitor the VPC traffic, so I'll try that next. Also, I plan to double server memory (at least). – Jack BeNimble Apr 13 '16 at 19:27
  • If you mean Apache access logs then yes you'll only see the ELB IP. You could start logging the X-Forwarded-For header to get the remote IP (keeping in mind you can only trust the value immediately before the ELB as anyone can extend the header). You can also turn on ELB access logging to S3 to find the source address. VPC Flow logs will also get this for you but are going to be very verbose. – Jason Martin Apr 13 '16 at 22:36
  • Does the X-Forwarded-For header require a program change? The ELB logs seemed to have internal addresses except from my ssh connection. I've turned on the VPC logs but since the attack isn't currently ongoing, I don't know if it'll be effective. – Jack BeNimble Apr 14 '16 at 00:54
  • http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/x-forwarded-headers.html describes the headers. You may have to modify your logging config to display them. – Jason Martin Apr 16 '16 at 17:34
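The answer and its comments describe the detection side of a Fail2Ban-style approach: log X-Forwarded-For, trust only the value the ELB itself appended, and flag any source that hammers xmlrpc.php. The following is an added example (not code from the thread or from Fail2Ban) that implements exactly that over Apache access log lines. It assumes the LogFormat has been extended so that every line ends with the quoted X-Forwarded-For value (shown in the docstring); the log lines, IP addresses and thresholds are constructed for the example.

```python
"""Added example: find clients flooding xmlrpc.php behind an ELB.

Assumption (not in the original thread): Apache's LogFormat has been extended
with the X-Forwarded-For header appended to the combined format, e.g.

  LogFormat "%h %l %u %t \\"%r\\" %>s %b \\"%{Referer}i\\" \\"%{User-Agent}i\\" \\"%{X-Forwarded-For}i\\"" combined_xff

so each line ends with the quoted header value.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


def client_ip(xff: str, fallback: str) -> str:
    """Pick the trustworthy address out of X-Forwarded-For.

    A client can send its own X-Forwarded-For and the ELB appends the real peer
    address to whatever it received, so only the LAST element was written by
    the ELB; everything before it is attacker-controlled and ignored here.
    """
    parts = [p.strip() for p in xff.split(",") if p.strip()]
    return parts[-1] if parts else fallback


def parse_line(line: str):
    """Parse one combined_xff log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": client_ip(m["xff"], m["host"]),
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?")[0],
        "status": int(m["status"]),
    }


def offenders(lines, path="/xmlrpc.php", maxretry=10, findtime=60):
    """Fail2Ban-style sliding window: {ip: total hits} for every IP with more
    than `maxretry` requests to `path` inside any `findtime`-second window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        hits[rec["ip"]].append(rec["time"])
    banned = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 > maxretry:
                banned[ip] = len(times)
                break
    return banned


def ban_commands(banned):
    """iptables one-liners for the flagged IPs. These only help where the host
    itself sees the real peer; behind an ELB the block has to go into the
    subnet network ACL instead, because the instance only ever sees ELB addresses."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


# --- constructed sample log (documentation-range addresses, not real traffic) ---
def _line(elb, ts, method, path, status, xff):
    return f'{elb} - - [{ts}] "{method} {path} HTTP/1.1" {status} 213 "-" "Mozilla/5.0" "{xff}"'


def _ts(sec):
    return f"13/Apr/2016:14:{sec // 60:02d}:{sec % 60:02d} +0000"


# 12 POSTs in 33 seconds from 203.0.113.45, which also spoofs a leading XFF value
SAMPLE_LOG = [_line("10.0.1.23", _ts(s), "POST", "/xmlrpc.php", 403, "192.0.2.99, 203.0.113.45")
              for s in range(0, 36, 3)]
SAMPLE_LOG.append(_line("10.0.1.23", _ts(10), "GET", "/node/1", 200, "198.51.100.7"))   # normal visitor
SAMPLE_LOG.append(_line("10.0.1.23", _ts(300), "POST", "/xmlrpc.php", 403, "192.0.2.9"))  # lone scanner

if __name__ == "__main__":
    for cmd in ban_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Running the block prints a single DROP rule for 203.0.113.45: the spoofed leading X-Forwarded-For entry is discarded, the ordinary visitor is never counted, and the one-off scanner stays below the threshold, which is the distinction the answer draws between a real attack and background scanning. Because the status code is not consulted, the detection works equally whether xmlrpc.php returns 404 after renaming or 403 from the Deny block.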