
I am getting attacked, and my site is constantly receiving thousands of requests like this:

GET /?HMPCL=INQUVOBHZ HTTP/1.1

I have mod_security installed, the Comodo WAF and csf. Even though mod_security blocks these and adds the IPs to csf.deny, they are still managing to access the web server, and I have no idea how; they are blocked. What should I do to prevent this? I think this is some kind of FLOOD.

I tried rebooting the server, flushing csf, and restarting csf, lfd and iptables, with no success.

I am desperate; my web server is constantly crashing.

[root@luka ~]# iptables -S | grep 62.116.184.40
-A DENYIN -s 62.116.184.40/32 ! -i lo -j DROP
-A DENYOUT -d 62.116.184.40/32 ! -o lo -j LOGDROPOUT

[root@luka ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  ns3-coloc.hetzner.de  anywhere             tcp dpt:domain
ACCEPT     udp  --  ns3-coloc.hetzner.de  anywhere             udp dpt:domain
ACCEPT     tcp  --  ns3-coloc.hetzner.de  anywhere             tcp spt:domain
ACCEPT     udp  --  ns3-coloc.hetzner.de  anywhere             udp spt:domain
ACCEPT     tcp  --  ns2-coloc.hetzner.de  anywhere             tcp dpt:domain
ACCEPT     udp  --  ns2-coloc.hetzner.de  anywhere             udp dpt:domain
ACCEPT     tcp  --  ns2-coloc.hetzner.de  anywhere             tcp spt:domain
ACCEPT     udp  --  ns2-coloc.hetzner.de  anywhere             udp spt:domain
LOCALINPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
INVALID    tcp  --  anywhere             anywhere
           tcp  --  anywhere             anywhere             tcp dpt:http state NEW recent: SET name: 80 side: source
PORTFLOOD  tcp  --  anywhere             anywhere             tcp dpt:http state NEW recent: UPDATE seconds: 5 hit_count: 20 name: 80 side: source
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:6216
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:tsrmagt
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:tpcsrvr
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:idware-router
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:autodesk-nlm
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:infowave
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:radsec
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:gnunet
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:eli
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nbx-ser
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nbx-dir
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:24565
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:24566
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:60000:65000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:irdmi
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:vcom-tunnel
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:domain
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
LOGDROPIN  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             ns3-coloc.hetzner.de  tcp dpt:domain
ACCEPT     udp  --  anywhere             ns3-coloc.hetzner.de  udp dpt:domain
ACCEPT     tcp  --  anywhere             ns3-coloc.hetzner.de  tcp spt:domain
ACCEPT     udp  --  anywhere             ns3-coloc.hetzner.de  udp spt:domain
ACCEPT     tcp  --  anywhere             ns2-coloc.hetzner.de  tcp dpt:domain
ACCEPT     udp  --  anywhere             ns2-coloc.hetzner.de  udp dpt:domain
ACCEPT     tcp  --  anywhere             ns2-coloc.hetzner.de  tcp spt:domain
ACCEPT     udp  --  anywhere             ns2-coloc.hetzner.de  udp spt:domain
LOCALOUTPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     all  --  anywhere             anywhere
INVALID    tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:6216
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:time
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nicname
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:rsync
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:gnunet
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:eli
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:sep
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:sms-chat
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:24565
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:24566
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:60000:65000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:irdmi
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:vcom-tunnel
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:auth
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:rsync
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:6277
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:24441
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
LOGDROPOUT  all  --  anywhere             anywhere

Chain ALLOWDYNIN (1 references)
target     prot opt source               destination
ACCEPT     all  --  212.178.246.86       anywhere
ACCEPT     all  --  173.249.178.212.adsl.dyn.beotel.net  anywhere

Chain ALLOWDYNOUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             212.178.246.86
ACCEPT     all  --  anywhere             173.249.178.212.adsl.dyn.beotel.net

Chain ALLOWIN (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  secure.comodo.net    anywhere             tcp dpt:https
ACCEPT     tcp  --  secure.comodo.net    anywhere             tcp dpt:http
ACCEPT     tcp  --  secure.comodo.net    anywhere             tcp dpt:https
ACCEPT     tcp  --  secure.comodo.net    anywhere             tcp dpt:http
ACCEPT     tcp  --  no-dns-yet.ccanet.co.uk  anywhere             tcp dpt:https
ACCEPT     tcp  --  no-dns-yet.ccanet.co.uk  anywhere             tcp dpt:http
ACCEPT     tcp  --  no-dns-yet.ccanet.co.uk  anywhere             tcp dpt:https
ACCEPT     tcp  --  no-dns-yet.ccanet.co.uk  anywhere             tcp dpt:http
ACCEPT     all  --  212.178.244.42       anywhere

Chain ALLOWOUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             212.178.244.42

Chain DENYIN (1 references)
target     prot opt source               destination
DROP       all  --  mail.lp-advogados.com  anywhere
DROP       all  --  oxid5.topconcepts.de  anywhere
DROP       all  --  93.188.164.24        anywhere
DROP       all  --  opus15.register.it   anywhere
DROP       all  --  lysander.instanthosting.com.au  anywhere

Chain DENYOUT (1 references)
target     prot opt source               destination
LOGDROPOUT  all  --  anywhere             mail.lp-advogados.com
LOGDROPOUT  all  --  anywhere             oxid5.topconcepts.de
LOGDROPOUT  all  --  anywhere             93.188.164.24
LOGDROPOUT  all  --  anywhere             opus15.register.it
LOGDROPOUT  all  --  anywhere             lysander.instanthosting.com.au

Chain INVALID (2 references)
target     prot opt source               destination
INVDROP    all  --  anywhere             anywhere             state INVALID
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
INVDROP    tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,RST/FIN,RST
INVDROP    tcp  --  anywhere             anywhere             tcp flags:FIN,ACK/FIN
INVDROP    tcp  --  anywhere             anywhere             tcp flags:PSH,ACK/PSH
INVDROP    tcp  --  anywhere             anywhere             tcp flags:ACK,URG/URG
INVDROP    tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW

Chain INVDROP (10 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain LOCALINPUT (1 references)
target     prot opt source               destination
ALLOWDYNIN  all  --  anywhere             anywhere
ALLOWIN    all  --  anywhere             anywhere
DENYIN     all  --  anywhere             anywhere

Chain LOCALOUTPUT (1 references)
target     prot opt source               destination
ALLOWDYNOUT  all  --  anywhere             anywhere
ALLOWOUT   all  --  anywhere             anywhere
DENYOUT    all  --  anywhere             anywhere

Chain LOGDROPIN (1 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:telnet
DROP       udp  --  anywhere             anywhere             udp dpt:telnet
DROP       tcp  --  anywhere             anywhere             tcp dpt:bootps
DROP       udp  --  anywhere             anywhere             udp dpt:bootps
DROP       tcp  --  anywhere             anywhere             tcp dpt:bootpc
DROP       udp  --  anywhere             anywhere             udp dpt:bootpc
DROP       tcp  --  anywhere             anywhere             tcp dpt:sunrpc
DROP       udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP       tcp  --  anywhere             anywhere             tcp dpt:auth
DROP       udp  --  anywhere             anywhere             udp dpt:auth
DROP       tcp  --  anywhere             anywhere             tcp dpts:epmap:netbios-ssn
DROP       udp  --  anywhere             anywhere             udp dpts:epmap:netbios-ssn
DROP       tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:microsoft-ds
DROP       tcp  --  anywhere             anywhere             tcp dpt:isakmp
DROP       udp  --  anywhere             anywhere             udp dpt:isakmp
DROP       tcp  --  anywhere             anywhere             tcp dpt:login
DROP       udp  --  anywhere             anywhere             udp dpt:login
DROP       tcp  --  anywhere             anywhere             tcp dpt:efs
DROP       udp  --  anywhere             anywhere             udp dpt:efs
LOG        tcp  --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *TCP_IN Blocked* "
LOG        udp  --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *UDP_IN Blocked* "
LOG        icmp --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *ICMP_IN Blocked* "
DROP       all  --  anywhere             anywhere

Chain LOGDROPOUT (6 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *TCP_OUT Blocked* "
LOG        udp  --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *UDP_OUT Blocked* "
LOG        icmp --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning uid prefix "Firewall: *ICMP_OUT Blocked* "
DROP       all  --  anywhere             anywhere

Chain PORTFLOOD (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 30/min burst 5 LOG level warning prefix "Firewall: *Port Flood* "
DROP       all  --  anywhere             anywhere

When I check with csf -g:

csf -g 62.116.184.40

Chain            num   pkts bytes target     prot opt in     out     source               destination

DENYIN           2        0     0 DROP       all  --  !lo    *       62.116.184.40        0.0.0.0/0

DENYOUT          2        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            62.116.184.40


ip6tables:

Chain            num   pkts bytes target     prot opt in     out     source               destination
No matches found for 62.116.184.40 in ip6tables

csf.deny: 62.116.184.40 # lfd: (mod_security) mod_security (id:970901) triggered by 62.116.184.40 (DE/Germany/oxid5.topconcepts.de): 5 in the last 3600 secs - Thu Feb  9 04:26:53 2017

The IP is "blocked", but in Apache:

2-0 -   0/0/1   .   0.01    103 28139   0.0 0.00    0.00    62.116.184.40   http/1.1    mysite.rs:80    GET /?XZFSTJMSOK=SPZZNDNPS HTTP/1.1

Here is the info from mod_security:

Request:    GET /?TZSVUEJUU=JWJYEUW
Action Description: Access denied with redirection to http://www.example.com/ using status 302 (phase 4).
Justification:  Pattern match "^5\\d{2}$" at RESPONSE_STATUS.

How do I block requests containing ^5\\d{2}$ in Apache?

NEW INFO:

Somehow I managed to perform this attack on my own, but the method I used just sends GET requests to / without a query string, and mod_security detects and blocks me. So iptables must be working, but maybe it can't handle too many IPs because Apache is crashing, so it cannot count them all. How do I prevent Apache from crashing?

Luka
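As an added example (not part of the original question or answers), a small Python detector that scans Apache combined-format access log lines for the random-query-string requests described above, counts them per source IP together with 5xx responses (the status class the mod_security rule quoted above matched on), and reports sources over a threshold. The log lines and IP addresses are constructed samples; only the query-string shape is taken from the requests shown in the question.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (not from the original post).
# The "/?HMPCL=INQUVOBHZ"-style paths mimic the flood the poster reported.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Feb/2017:04:20:01 +0100] "GET /?HMPCL=INQUVOBHZ HTTP/1.1" 302 211 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2017:04:20:01 +0100] "GET /?XZFSTJMSOK=SPZZNDNPS HTTP/1.1" 302 211 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2017:04:20:02 +0100] "GET /?TZSVUEJUU=JWJYEUW HTTP/1.1" 503 211 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Feb/2017:04:20:02 +0100] "GET /index.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Feb/2017:04:20:03 +0100] "GET /?ABCDE=FGHIJ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2017:04:20:03 +0100] "GET /?QWERTYU=ASDFGH HTTP/1.1" 503 211 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) '
)

# Flood shape seen in the question: the root path with a single query parameter
# whose name and value are both random runs of upper-case letters.
RANDOM_QUERY_RE = re.compile(r'^/\?[A-Z]{4,}=[A-Z]{4,}$')


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_random_query(path):
    """True when the request path matches the random key=value flood pattern."""
    return RANDOM_QUERY_RE.match(path) is not None


def summarize(log_text):
    """Per source IP: total requests, flood-shaped requests and 5xx responses.

    5xx is the status class the poster's mod_security rule (id 970901) keyed on,
    so a high 5xx count per source shows which flood is actually hurting the server.
    """
    stats = defaultdict(lambda: {"total": 0, "flood": 0, "5xx": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or truncated lines instead of crashing
        s = stats[rec["ip"]]
        s["total"] += 1
        if is_random_query(rec["path"]):
            s["flood"] += 1
        if rec["status"].startswith("5"):
            s["5xx"] += 1
    return dict(stats)


def find_flood_sources(log_text, threshold=3):
    """Map source IP -> number of flood-shaped requests, for sources at or over threshold."""
    return {ip: s["flood"] for ip, s in summarize(log_text).items() if s["flood"] >= threshold}


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip:16} total={s['total']:4} flood={s['flood']:4} 5xx={s['5xx']:4}")
    print("candidates for csf.deny:", find_flood_sources(SAMPLE_LOG))
```

Run it against a real log with `summarize(open("/var/log/httpd/access_log").read())`; tune the threshold to the site's normal traffic before acting on the output.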

2 Answers

Quick and dirty, try rate limiting with iptables:

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 100 -j DROP

Obviously you'll need to tune this. What it says is "allow TCP connections on port 80, but if 99 connections have occurred from the same source within a 60 second period, drop subsequent connections".

cerberus
  • I already have rules in iptables, but why is it not blocking it? It's blocked but it passes through somehow; I am not using a proxy – Luka Feb 09 '17 at 04:23
  • Hmm... can you post your iptables -L output (scrubbing addresses you want to keep private, of course)? Is iptables running? Can you see if you can restrict all traffic except your IP? – cerberus Feb 09 '17 at 04:27
  • I posted it, check – Luka Feb 09 '17 at 04:30
  • Looks like your deny rules aren't getting hit like you're expecting, since the INPUT chain allows any port 80 connection. As a quick solution before refactoring your chains, try blocking the bad IP address with an "iptables -I INPUT 1 {rule definition}" – cerberus Feb 09 '17 at 04:46
  • You must know I did not manually set any firewall rule; everything is csf. I'm thinking about uninstalling it, flushing iptables and then installing csf again. Or do you have any solution to get this working in a normal and automatic way? I can't monitor the server constantly, and it already detects the attack and adds the IP to deny; I want the deny list to work. – Luka Feb 09 '17 at 13:00
  • Unfortunately, without knowing your csf configuration, I would try reinstalling it... – cerberus Feb 09 '17 at 14:13
  • Please see my new edit about mod_security. I get the pattern ^5\\d{2}$, but mod_security just gives ERROR or NOTICE and does not block :( How do I drop these? – Luka Feb 09 '17 at 15:41

I managed to protect myself by setting csf to the following options:

CONNLIMIT = 80;5
CT_LIMIT = 20
CT_INTERVAL = 10
PORTFLOOD = 80;tcp;10;3,443;tcp;10;3

Also, I tuned Apache (lowered settings) so it won't crash because of high memory usage, and I switched the MPM from prefork to event. Another useful option in CSF is PT_USERKILL = On

This is going to kill overloading processes; these processes used over 300MB, so this worked for me without affecting normal operation.

Now my sites are just a bit slower, but within 5 minutes csf blocks it all. CONQUER!

Luka