
Every day around 2-3pm, huge numbers of bots come to my website and just kill it. A few days ago it was just 2-3 IPs, so I could easily block them, but today more than 600 bots came and kept flooding my website for 3 hours straight. The IPs were different, changing and from different parts of the world. 650 Apache workers just could not handle it.

These bots are 100% suspicious, because they are referred from really stupid/random URLs. For example:

209.141.61.45 - - [18/Apr/2019:19:37:03 +0200] "GET ***" 200 23611 "/mhrjh" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246"
195.176.3.19 - - [18/Apr/2019:19:37:03 +0200] "GET ***" 200 24330 "https://search.aol.com/search?q=sjhryp" "Mozilla/5.0 (Linux; Android 6.0.1; SM-G920V Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36"
172.96.118.14 - - [18/Apr/2019:19:37:04 +0200] "GET ***" 200 22477 "https://yandex.ru/search/?izpyzuxwbn" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"

Is there any way I can protect my server from this type of attack? So far, I've tried geoblocking, but it takes ages for all the foreign IP addresses to be added into iptables.

lamka02sk

1 Answer


DDOS attacks are difficult to mitigate, as you've found (and this does at least appear to be that). You can use a service such as fail2ban to ban those IPs from connecting to the web server, and in a limited attack this may help. However, it takes a few repetitive requests to ban an IP, and that may be more requests than the webserver can handle in even that amount of time.

A good solution to this problem is using a CDN (content delivery network) to establish a cache for static content that doesn't need to touch your origin server in order to be served to clients. There are paid CDNs out there with many features, including DDOS protection by implementing that same banishment method in addition to other methods (though on a much larger network that can handle the initial spike).

However, a sustained and sufficiently diverse DDOS attack can turn what would have been website downtime into a large bill from your CDN provider if things are not addressed in time.

Spooler
Fail2Ban is a good solution if the scale is right. I've had this problem in the past and an http-get-dos rule solved it. Rapid7 has a nice blog post on setting up fail2ban quickly if you're not familiar. [link here](https://blog.rapid7.com/2017/02/13/how-to-protect-ssh-and-apache-using-fail2ban-on-ubuntu-linux/) – Michael Apr 18 '19 at 21:08
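To make concrete what the answer and the comment above describe (fail2ban's findtime/maxretry sliding window applied to an http-get-dos style rule), here is an added example, not code from the question, the answer or fail2ban itself. It parses Apache combined-format lines like the excerpt in the question and reports addresses whose GET rate crosses the threshold; the log lines, IP addresses (RFC 5737 test ranges) and threshold values are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log line: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_floods(lines, maxretry=10, findtime=timedelta(seconds=60)):
    """Return {ip: time_first_flagged} for IPs making >= maxretry GET requests
    inside any findtime window (the sliding window fail2ban's findtime/maxretry implement)."""
    windows = defaultdict(deque)   # ip -> timestamps of its recent GETs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["request"].startswith("GET "):
            continue
        ip, t = rec["ip"], rec["time"]
        q = windows[ip]
        q.append(t)
        while t - q[0] > findtime:        # drop hits that fell out of the window
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = t
    return flagged

def make_line(ip, hhmmss, referer):
    """Constructed sample line in the shape of the question's excerpt (not real traffic)."""
    return (f'{ip} - - [18/Apr/2019:{hhmmss} +0200] "GET / HTTP/1.1" 200 23611 '
            f'"{referer}" "Mozilla/5.0 (constructed sample)"')

# Constructed sample: one address hitting every 2 s with a junk referer, one normal visitor.
SAMPLE_LOG = [make_line("198.51.100.7", f"19:37:{s:02d}", "/mhrjh") for s in range(0, 24, 2)]
SAMPLE_LOG += [make_line("203.0.113.9", "19:37:05", "https://example.org/"),
               make_line("203.0.113.9", "19:38:40", "https://example.org/")]

if __name__ == "__main__":
    for ip, when in flag_floods(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")  # candidate for a fail2ban ban
```

As the answer warns, tune maxretry/findtime to the real traffic so the window trips before the workers are exhausted but ordinary visitors are not caught.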