DDOS attack

php90
Registered User
Posts: 16
Joined: Thu Jan 12, 2012 9:36 am

DDOS attack

Post by php90 »

Hello

My forum is under DDOS attack, I have millions of IPs attacking these 2 files

feed.php?mode=topics
app.php/feed?sid=ba475f23da67cf6756b20f13b927c366

What is the purpose of these two files? Can I remove these 2 files?

thank you
Last edited by HiFiKabin on Sat Mar 18, 2023 11:11 am, edited 1 time in total.
Reason: Moved to General Discussion
emmzee7
Registered User
Posts: 5
Joined: Tue Oct 01, 2019 1:44 pm

Re: DDOS attack

Post by emmzee7 »

I may be having the same issue, CPU use on my server is insanely high, it's usually down around 0.5-1, now it's 10+.

It's definitely coming from the forum installation because when I renamed the directory (ex, renamed "forum" to "forumabcd") the load instantly started dropping. It's MySQL that's causing the CPU increase, the queries are (from the "mysqladmin proc status" command) like "SELECT COUNT(session_id) AS sessions FROM phpbb3_sessions WHERE session_user_id = 1 A" which appears to be truncated, and is coming from session.php line ~818.

My host is trying to figure out where these hits are coming from and block them, but anyone else who is experiencing this and has info to share would be appreciated!
Pfizz
Registered User
Posts: 86
Joined: Tue Aug 10, 2021 9:39 am

Re: DDOS attack

Post by Pfizz »

Set up a free Cloudflare account, then proxy your site through Cloudflare (you will have to change your DNS to Cloudflare on your domain), and then put your Cloudflare account into "Attack Mode". That will stop the current DDOS attack and prevent any further ones in the future.
emmzee7
Registered User
Posts: 5
Joined: Tue Oct 01, 2019 1:44 pm

Re: DDOS attack

Post by emmzee7 »

I set up a Cloudflare account earlier this afternoon, with ddos protection, bot protection, etc, and even have firewall rules blocking access to the urls php90 mentioned, but still am getting hammered, seems like all it's doing is annoying any visitors trying to get to the website. No idea what else I can do?
P_I
Community Team Member
Posts: 2406
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦

Re: DDOS attack

Post by P_I »

I have posted this a number of times here but the solution in Blocking aggressive Chinese crawlers/scrapers/bots - John Large .co.uk has worked very well for my boards.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
emmzee7
Registered User
Posts: 5
Joined: Tue Oct 01, 2019 1:44 pm

Re: DDOS attack

Post by emmzee7 »

Thanks for that, I've added those rules in case it helps, although it doesn't seem like it's scraper/spiders in this case.
Pfizz
Registered User
Posts: 86
Joined: Tue Aug 10, 2021 9:39 am

Re: DDOS attack

Post by Pfizz »

emmzee7 wrote: Fri Mar 17, 2023 10:09 pm I set up a Cloudflare account earlier this afternoon, with ddos protection, bot protection, etc, and even have firewall rules blocking access to the urls php90 mentioned, but still am getting hammered, seems like all it's doing is annoying any visitors trying to get to the website. No idea what else I can do?
We were getting hammered years ago by certain countries and certain user agents and we created firewall rules in Cloudflare to block them and that worked.

But eventually we just permanently enabled “under attack mode” on the dashboard in Cloudflare and that serves everyone a delay and possibly a captcha before they can get in. And now we have no problem anymore and we don’t need to micromanage the traffic anymore either. Surprised they are getting through still on your site though with under attack enabled.

First figure out the countries hitting you the hardest. Often it’s countries where it is easy to exploit university servers to conduct an orchestrated attack. Brazil and other large developing countries are usually the ones. Then you can create a Worker on Cloudflare and then by country create a redirect that sends every hit from that country to some link of your choice like back to Google. It will unfortunately block everyone from that country completely, but it will also stop the attacks from those countries. Then you can dial it back once the attacks have calmed down.

You can also redirect the traffic to a single HTML page that you create on another server which tells them to use a VPN to access your site from a certain country only that you don’t block. Then pick a country that you know they can’t launch an attack from. This will prevent the attackers from adapting to your Worker rules and it will also offer the false positives from a blocked country a way of still getting in.
emmzee7
Registered User
Posts: 5
Joined: Tue Oct 01, 2019 1:44 pm

Re: DDOS attack

Post by emmzee7 »

Thanks for your reply! In this case even with "I'm under attack!" mode on, it didn't help. :shock: :?

I did find this old forum post which describes the problem exactly:
viewtopic.php?t=2493956

TL;DR is that the bot / whatever keeps creating new sessions (in the sessions.php file I highlighted in my first post) which every time runs a query and slows the whole system down.

I tried blocking these via Cloudflare but can't figure out how to stop them; for now I set a session limit in PHPBB which effectively just shuts down the site so no more sessions can be created, until the attacks stop or I can figure out how to prevent this ...

Also in my case at least the attacks are all coming from the US so I can't just country block. :cry:
therandomguyuser53
Registered User
Posts: 80
Joined: Wed Mar 01, 2023 9:18 am
Location: Cebu City, Philippines

Re: DDOS attack

Post by therandomguyuser53 »

What is your site? I am curious what it will look like.
just use of developing Xampp ;)
Discord Server https://discord.gg/7WUv6r2B2U
my English is bread
don't tell me my board link i am using localhost i will have domain in the future
Pfizz
Registered User
Posts: 86
Joined: Tue Aug 10, 2021 9:39 am

Re: DDOS attack

Post by Pfizz »

If they are flooding mysite.com/sessions.php with queries then create a firewall block rule for that particular URL in Cloudflare.

If they are flooding from a specific USA IP range then just create a firewall rule to block that IP range in Cloudflare.

Is there anything unique or some repetitive marker within the user agent string of the computers making the attack?

You can go to mysite.com/viewonline.php on your site and see the exact details about the user agent of each session on your site. If you can pull out a unique characteristic from the attacker’s user agent string then you can create a “user agent contains” firewall block rule in Cloudflare for that as well.

The order of your firewall rules on Cloudflare also makes a big difference. You always want to have your most restrictive rules at the top of the list of rules. If you have a weaker rule at the top then the query could get through the top rule and onto your site before it hits the more restrictive rule below it.

Under Cloudflare security settings you also want Browser Integrity Check enabled and Privacy Pass Support disabled.

If you can’t stop the attack using Cloudflare then possibly something is not fully configured correctly in your Cloudflare account settings to mitigate attacks. You could post something in the Cloudflare forums too to see what else they might suggest.
Last edited by Pfizz on Sat Mar 18, 2023 9:12 am, edited 1 time in total.
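Added example, not part of any post in this thread: a small access-log triage that measures what the replies above ask about (how many hits reach the two feed URLs, from which ranges, with which user agent) before choosing a path, IP-range or "user agent contains" rule. The log lines, the `summarize`/`suggest` names and the 60% threshold are constructed assumptions; it expects the Apache/nginx "combined" log format and IPv4 clients.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines in "combined" log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [17/Mar/2023:21:00:01 +0000] "GET /feed.php?mode=topics HTTP/1.1" 200 5120 "-" "ExampleFetcher/1.0"
203.0.113.77 - - [17/Mar/2023:21:00:01 +0000] "GET /app.php/feed?sid=aaaa HTTP/1.1" 200 5120 "-" "ExampleFetcher/1.0"
203.0.113.200 - - [17/Mar/2023:21:00:02 +0000] "GET /feed.php?mode=topics HTTP/1.1" 200 5120 "-" "ExampleFetcher/1.0"
198.51.100.5 - - [17/Mar/2023:21:00:02 +0000] "GET /feed.php?mode=topics HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [17/Mar/2023:21:00:03 +0000] "GET /viewtopic.php?t=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Captures client IP, request target and user agent from one combined-format line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
# The two endpoints named in the first post, also when the board lives in a subdirectory.
FEED = re.compile(r'/(?:feed\.php|app\.php/feed)(?:[/?]|$)')

def summarize(log_text):
    """Count feed-endpoint hits by path, source /24 and user agent."""
    paths, nets, agents = Counter(), Counter(), Counter()
    total = 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        total += 1
        ip, target, ua = m.groups()
        if FEED.search(target) is None:
            continue
        paths[target.split("?", 1)[0]] += 1  # drop the query string (sid=...)
        nets[str(ip_network(f"{ip}/24", strict=False))] += 1
        agents[ua] += 1
    return {"total": total, "feed": sum(paths.values()),
            "paths": paths, "nets": nets, "agents": agents}

def suggest(summary, share=0.6):
    """Pick the narrowest attribute covering at least `share` of the feed hits."""
    feed = summary["feed"]
    if not feed:
        return ("none", None)
    for kind in ("agents", "nets"):  # user agent first, then source range
        value, count = summary[kind].most_common(1)[0]
        if count / feed >= share:
            return (kind, value)
    return ("paths", sorted(summary["paths"]))  # fall back to a rule on the URLs
```

A result of `("paths", ...)` means neither one user agent nor one /24 dominates, which matches the case described above where the sources are too spread out for an IP-range or country rule.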
Pfizz
Registered User
Posts: 86
Joined: Tue Aug 10, 2021 9:39 am

Re: DDOS attack

Post by Pfizz »

P_I wrote: Fri Mar 17, 2023 10:15 pm I have posted this a number of times here but the solution in Blocking aggressive Chinese crawlers/scrapers/bots - John Large .co.uk has worked very well for my boards.
This is good, but it’s much better to place those block rules at a proxy server level (like Cloudflare) instead of in the .htaccess file because, with .htaccess, your host server still gets hit directly with the query before it gets blocked. So better the proxy server takes the hit instead. And if there are a lot of these queries, and you are on a shared server with limited resources, then it could still potentially slow things down on your site.

I do block some things with .htaccess in case they somehow get through the proxy server, but .htaccess is only meant to work as a secondary backup firewall on our site.

Another thing to even avoid having to list out these user agents, if you are using Cloudflare, is to set up a firewall rule to allow “known bots” and then block all other bots. TBH, we really only want Google and Bing on our site anyway. And we also just block China on Cloudflare as a country too. I know not everyone will want to block China on their site, but a lot of traffic from China can be malicious and we have never had any useful traffic from China anyway, so it seems like no loss.
php90
Registered User
Posts: 16
Joined: Thu Jan 12, 2012 9:36 am

Re: DDOS attack

Post by php90 »

Thank you all for your replies. However, can anyone tell me why the attacker was using

feed.php and app.php

To stop the attack I chmoded 000 these two files and apparently the forum is working OK.
So what is the purpose of these two files? Can I leave them with chmod 000 to avoid other attacks?

Thank you
JLA
Registered User
Posts: 617
Joined: Tue Nov 16, 2004 5:23 pm
Location: USA
Name: JLA FORUMS

Re: DDOS attack

Post by JLA »

Are you certain it is millions? Do you have some sort of stats to show this? Any reason someone would target your board?

Most DDOS type attacks on a phpbb board can be mitigated unless it is a big player specifically targeting you - then yes, you'll need some sort of outside support.
[Dimetrodon]
Registered User
Posts: 442
Joined: Tue Aug 30, 2022 3:29 am
Location: Paleozoic Era

Re: DDOS attack

Post by [Dimetrodon] »

Do not delete app.php as it is needed for extensions and even native phpBB features to function.
php90
Registered User
Posts: 16
Joined: Thu Jan 12, 2012 9:36 am

Re: DDOS attack

Post by php90 »

[Dimetrodon] wrote: Sat Mar 18, 2023 8:23 pm Do not delete app.php as it is needed for extensions and even native phpBB features to function.
Do you think a

chmod 770 app.php

is enough to run the forum correctly?
