DDOS attack

Mick
Support Team Member
Posts: 26455
Joined: Fri Aug 29, 2008 9:49 am

Re: DDOS attack

Post by Mick »

  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination. The bad news is, whatever humans can imagine, they can usually create." - Harmony Cobel
textkit
Registered User
Posts: 5
Joined: Sun May 10, 2020 9:54 pm

Re: DDOS attack

Post by textkit »

We were getting hammered by this. I suspect that it's a poorly implemented new search bot. Blocking the bot's custom user agent was enough to fix.
P_I
Community Team Member
Posts: 2344
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦

Re: DDOS attack

Post by P_I »

textkit wrote: Sun Mar 19, 2023 11:48 am We were getting hammered by this. I suspect that it's a poorly implemented new search bot. Blocking the bot's custom user agent was enough to fix.
To help others, could you share the user agent that was causing the problems and how you blocked it?
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
exxos
Registered User
Posts: 124
Joined: Fri Sep 10, 2010 12:37 pm

Re: DDOS attack

Post by exxos »

Same problem on my server.

https://exxosforum.co.uk/forum/viewtopi ... 114&t=6182

The offending IPs today are these.


54.151.36.231
54.153.6.129
54.153.93.94
54.176.48.83
54.176.94.197
54.177.178.14
54.177.39.219
54.183.144.10
54.183.166.109
54.183.225.109
54.183.247.91
54.193.189.188
54.193.220.19
54.193.76.168
54.198.175.129
54.202.126.67
54.215.223.163
54.215.93.15
54.219.129.132
54.219.168.168
54.219.26.211
54.219.62.104
54.67.114.231
54.67.123.108
54.67.18.72
54.67.59.208
34.220.21.228
52.26.166.208
54.190.167.123
34.220.66.220
54.219.83.224
54.198.189.60
54.193.155.136
54.241.218.125
13.56.249.197
Yesterday:


3.82.143.228
3.83.83.99
3.83.97.232
3.83.140.249
3.83.142.184
3.83.176.144
3.84.148.1
3.85.165.14
3.86.23.4
3.86.98.217
3.86.163.247
3.87.24.1
3.87.44.252
3.87.193.35
3.87.217.177
3.88.8.40
3.91.180.111
3.92.226.106
18.204.17.216
18.212.7.243
34.201.46.66
34.207.129.242
34.230.38.26
34.238.51.156
34.238.52.110
34.238.53.191
34.239.127.61
35.171.160.204
35.173.233.104
35.174.113.155
35.175.244.229
44.201.195.188
44.201.206.44
44.201.206.104
44.202.67.240
44.202.231.238
44.203.193.229
44.204.11.183
44.204.18.189
44.204.34.89
44.204.56.127
44.204.71.109
44.204.92.192
44.204.150.68
44.204.171.180
44.204.192.97
44.206.228.216
44.208.23.40
44.210.130.108
44.211.127.193
44.211.152.25
44.212.75.53
52.23.228.217
52.70.149.73
52.87.241.16
52.90.83.75
52.91.200.40
52.207.239.155
54.88.95.94
54.89.242.118
54.147.124.252
54.152.227.58
54.157.41.163
54.160.7.218
54.166.109.84
54.172.213.72
54.174.247.108
54.175.160.203
54.196.82.247
54.204.108.69
54.205.36.117
54.205.94.222
54.211.145.240
54.243.7.168
100.26.195.119
100.26.206.191
184.72.194.146
The attack comes from "OKHTTP" https://square.github.io/okhttp/
Noxwizard
Support Team Leader
Posts: 10550
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: DDOS attack

Post by Noxwizard »

Those IPs belong to Amazon EC2. You should reach out to their abuse address ([email protected]) with those IP addresses and timestamps. Whether they'll do anything about that customer is another story.

We had this User Agent hit our servers several days ago and we ended up blocking it on our load balancers.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
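The triage Noxwizard describes (collect the offending IPs with timestamps, check that they sit in Amazon's published ranges, send the list to the abuse address) can be done straight from the access log. The script below is an added example, not code from phpBB or from any poster. The log lines and the AWS prefix table are constructed for the demo (the three source IPs are taken from exxos's list above; the prefixes are placeholders). In production you would fetch https://ip-ranges.amazonaws.com/ip-ranges.json, which has the same JSON layout, and feed in the real log.

```python
"""Triage an access log for the pattern this thread describes: many Amazon EC2
addresses hitting the forum's app.php with an okhttp User-Agent, and turn it
into the IP + timestamp list an abuse desk asks for.

Added example, not code from phpBB or from any poster.  The log lines and the
AWS prefix table below are CONSTRUCTED for the demo (the prefixes are
placeholders); in production fetch ip-ranges.json and the real access log.
"""
import ipaddress
import json
import re

# Apache/nginx "combined" log format:
#   ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: three EC2-range sources with okhttp, one normal reader.
SAMPLE_LOG = """\
54.151.36.231 - - [19/Mar/2023:10:00:01 +0000] "GET /forum/app.php/search HTTP/1.1" 200 5120 "-" "okhttp/4.9.3"
54.151.36.231 - - [19/Mar/2023:10:00:01 +0000] "GET /forum/app.php/search HTTP/1.1" 200 5120 "-" "okhttp/4.9.3"
3.83.83.99 - - [19/Mar/2023:10:00:02 +0000] "GET /forum/app.php/search HTTP/1.1" 200 5120 "-" "okhttp/4.9.3"
192.0.2.10 - - [19/Mar/2023:10:00:02 +0000] "GET /forum/viewtopic.php?t=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/111.0"
54.183.144.10 - - [19/Mar/2023:10:00:03 +0000] "GET /forum/app.php/search HTTP/1.1" 503 0 "-" "okhttp/4.9.3"
"""

# Constructed subset in the layout of ip-ranges.json; the prefixes are placeholders.
AWS_RANGES_JSON = json.dumps({"prefixes": [
    {"ip_prefix": "54.151.0.0/16", "region": "us-west-1", "service": "EC2"},
    {"ip_prefix": "54.183.0.0/16", "region": "us-west-1", "service": "EC2"},
    {"ip_prefix": "3.80.0.0/12", "region": "us-east-1", "service": "EC2"},
]})


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def load_ranges(ranges_json, service="EC2"):
    """Return [(network, region)] for one service from ip-ranges.json text."""
    data = json.loads(ranges_json)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"])
            for p in data["prefixes"] if p["service"] == service]


def attribute(ip, ranges):
    """Region of the first prefix containing ip, or None if it is not in the list."""
    addr = ipaddress.ip_address(ip)
    for net, region in ranges:
        if addr in net:
            return region
    return None


def triage(log_text, ranges_json, ua_pattern=r"okhttp", path_pattern=r"app\.php"):
    """Per-source summary of requests matching both the UA and the hot path:
    {ip: {"hits", "first", "last", "region"}}."""
    ranges = load_ranges(ranges_json)
    ua_re = re.compile(ua_pattern, re.IGNORECASE)
    path_re = re.compile(path_pattern)
    report = {}
    for e in parse_log(log_text):
        if not (ua_re.search(e["ua"]) and path_re.search(e["path"])):
            continue
        r = report.setdefault(e["ip"], {"hits": 0, "first": e["time"], "last": e["time"],
                                         "region": attribute(e["ip"], ranges)})
        r["hits"] += 1
        r["last"] = e["time"]
    return report


def abuse_report_lines(report):
    """One line per source, busiest first: what the abuse address wants to see."""
    return [f"{ip} first={r['first']} last={r['last']} hits={r['hits']} region={r['region']}"
            for ip, r in sorted(report.items(), key=lambda kv: -kv[1]["hits"])]


if __name__ == "__main__":
    print("\n".join(abuse_report_lines(triage(SAMPLE_LOG, AWS_RANGES_JSON))))
```

Filtering on both the user agent and the path keeps ordinary readers (the Firefox line) out of the report even when they share a netblock with the bot; the `region` column is what lets you say "EC2, us-west-1" in the abuse mail rather than just "your address".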
textkit
Registered User
Posts: 5
Joined: Sun May 10, 2020 9:54 pm

Re: DDOS attack

Post by textkit »

P_I wrote: Sun Mar 19, 2023 11:56 am
textkit wrote: Sun Mar 19, 2023 11:48 am We were getting hammered by this. I suspect that it's a poorly implemented new search bot. Blocking the bot's custom user agent was enough to fix.
To help others could you share the user-agent that was causing the problems and how you blocked it.
I had the following code hanging around from a previous issue. I uncommented it and added okhttp, taking care of the problem.

I do need to cull this list if I am going to continue using it. We have a number of foreign language users, and I see some search engine bots here (i.e., bingbot and YandexBot) that are relied on by many people. Probably all that is needed to filter this badly behaved bot is okhttp.

An actual malicious attack would lie about the user agent string and could not be handled with a simple mechanism like this.

Make sure that mod_rewrite is enabled in your apache config if you are going to use this.

Code:

RewriteEngine on
# Only requests that carry a query string; plain page loads pass through.
RewriteCond %{QUERY_STRING} .
# Case-insensitive match anywhere in the User-Agent; okhttp is the last alternative.
RewriteCond %{HTTP_USER_AGENT} 11A465|Ahrefs|ArchiveBot|AspiegelBot|Baiduspider|bingbot|BLEXBot|Bytespider|CCBot|Curebot|Daum|Detectify|DotBot|Grapeshot|heritrix|Kinza|LieBaoFast|Linguee|LMY47V|MauiBot|Mb2345Browser|MegaIndex|MicroMessenger|MJ12bot|MQQBrowser|PageFreezer|PiplBot|Riddler|Screaming.Frog|Search365bot|SearchBlox|Seekport|SemanticScholarBot|SemrushBot|SEOkicks|serpstatbot|Siteimprove.com|Sogou.web.spider|trendictionbot|TurnitinBot|UCBrowser|weborama-fetcher|Vagabondo|VelenPublicWebCrawler|YandexBot|YisouSpider|Facebot|Twitterbot|Amazonbot|neevabot|okhttp [NC]
# Both conditions true: answer 403 Forbidden and stop processing further rules.
RewriteRule ^.* - [F,L]
StephenSegari
Registered User
Posts: 3
Joined: Mon Apr 06, 2015 3:52 pm

Re: DDOS attack

Post by StephenSegari »

Thought I would contribute. My forum with about 120k views a month experienced the same DDoS attack last week on 2 different occasions. The first originated in India, the second from an Amazon EC2 instance in California.

What they did was HAMMER app.php, to the tune of at least 20 requests per second. I could tail my NGINX logs and see the requests come through. Unfortunately, when this file is requested, a new session is created, or an existing one is requested. Either of these involves a database lookup. And that's where the DDoS comes in. At some point, the database server cannot handle the massive number of connections and queries, and it either stops responding, or takes VERY LONG to respond to a request, if at all.

Thankfully, my database was running on its own server. But even MORE IMPORTANT, I already had my site proxied through CloudFlare, something which I recommend EVERYONE should do.

Mitigating the attack was SUPER EASY, and only took a few minutes in CloudFlare.

1. Security -> Settings
   Change mode to "I'm Under Attack".
   Choose Challenge Passage. I picked 1 day, as I didn't want to bombard my regular users with the extra constantly.
   Enable "Browser Integrity Check" and "Privacy Pass Support". This will at least make the site for your regular visitors more tolerable while under attack.

2. Security -> WAF
   Rate Limiting
   - URI Path contains "app.php"
   - Block (Default Cloudflare rate limiting response)
   - Block for Duration: 10 seconds
   - When rate exceeds 3 requests per 10 seconds
   - With the Same IP

The number of requests can be played with. You want to have a number where the casual visitor to your site won't be denied on every page view, but where the excessive requests will be blocked. I found 3 worked great for me, as the average visitor to my site didn't request more than 3 page views in a 10 second time frame.

The Rate Limiting will really do the trick. They can keep attacking, but thanks to CloudFlare, those requests won't ever reach/flood your server. Once things have settled down, bump down the Security Setting to High or Medium, and leave it there. This should really allow most if not all of your normal/legit traffic to remain unaffected.

Hope this helps!
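The threshold in the rule above ("you want a number where the casual visitor won't be denied on every page view") is easiest to choose by replaying a traffic sample through the same counting logic. The script below is an added example, not Cloudflare's implementation and not from the post. The request stream is constructed, and the counting model (a fixed 10-second window per source IP, with the block timer started on the first excess request) is an assumption of this demo, not a description of how Cloudflare counts internally.

```python
"""Dry-run of the Cloudflare rate-limiting rule described above (URI path
contains app.php, 3 requests per 10 seconds per IP, block for 10 seconds) so
the threshold can be tuned against a traffic sample before it goes live.

Added example; not Cloudflare's code and not from the post.  The request stream
is CONSTRUCTED and the fixed-window counting model is an assumption of the demo.
"""
from dataclasses import dataclass, field


@dataclass
class RateLimiter:
    threshold: int = 3            # requests allowed per window
    window: float = 10.0          # window length, seconds
    block_for: float = 10.0       # how long an offending IP stays blocked, seconds
    path_match: str = "app.php"   # rule applies only to paths containing this
    _windows: dict = field(default_factory=dict)        # ip -> (window_start, count)
    _blocked_until: dict = field(default_factory=dict)  # ip -> timestamp

    def decide(self, ts, ip, path):
        """Return "allow" or "block" for one request at time ts (seconds)."""
        if self.path_match not in path:
            return "allow"                          # not covered by the rule
        until = self._blocked_until.get(ip)
        if until is not None and ts < until:
            return "block"                          # still serving a block
        start, count = self._windows.get(ip, (ts, 0))
        if ts - start >= self.window:
            start, count = ts, 0                    # start a fresh window
        count += 1
        self._windows[ip] = (start, count)
        if count > self.threshold:
            self._blocked_until[ip] = ts + self.block_for
            return "block"
        return "allow"


def simulate(limiter, requests):
    """requests: iterable of (ts, ip, path).  Returns {ip: {"allow": n, "block": n}};
    the "allow" counts are what would actually reach the origin."""
    stats = {}
    for ts, ip, path in sorted(requests):
        verdict = limiter.decide(ts, ip, path)
        stats.setdefault(ip, {"allow": 0, "block": 0})[verdict] += 1
    return stats


def constructed_traffic():
    """CONSTRUCTED 60 s sample: one reader loading a page every 20 s (each page
    load is viewtopic.php plus two app.php sub-requests within a second), and one
    bot hammering app.php at 20 requests/s for 5 s, the rate quoted in the post."""
    reader = []
    for t in (0, 20, 40):
        reader += [(t, "192.0.2.10", "/forum/viewtopic.php?t=1"),
                   (t + 0.5, "192.0.2.10", "/forum/app.php/user/notifications"),
                   (t + 1.0, "192.0.2.10", "/forum/app.php/user/notifications")]
    bot = [(i / 20, "203.0.113.5", "/forum/app.php/search") for i in range(100)]
    return reader + bot


def tune(thresholds, requests, legit_ips):
    """For each threshold: (legit requests blocked, bot requests still reaching
    origin).  Pick the smallest threshold with zero in the first slot."""
    out = {}
    for th in thresholds:
        stats = simulate(RateLimiter(threshold=th), requests)
        legit_blocked = sum(s["block"] for ip, s in stats.items() if ip in legit_ips)
        bot_allowed = sum(s["allow"] for ip, s in stats.items() if ip not in legit_ips)
        out[th] = (legit_blocked, bot_allowed)
    return out


if __name__ == "__main__":
    for th, (fp, leak) in tune([1, 3, 5], constructed_traffic(), {"192.0.2.10"}).items():
        print(f"threshold={th}: legit blocked={fp}, bot requests reaching origin={leak}")
```

With this sample a threshold of 1 starts denying the reader's own page loads (two app.php sub-requests per page), 3 lets every legitimate request through while only the first three bot requests per block period reach the origin, and raising it further just leaks more bot traffic; the same sweep over your own log tells you where that knee is for your site.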
Lumpy Burgertushie
Registered User
Posts: 69223
Joined: Mon May 02, 2005 3:11 am

Re: DDOS attack

Post by Lumpy Burgertushie »

app.php, like almost all of the PHP files, should be chmod 644.

roberrt
thecoalman
Community Team Member
Posts: 5850
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: DDOS attack

Post by thecoalman »

Noxwizard wrote: Sun Mar 19, 2023 9:54 pm Those IPs belong to Amazon EC2. You should reach out to their abuse address ([email protected]) with those IP addresses and timestamps. Whether they'll do anything about that customer is another story.
With Cloudflare you can actually block AWS's entire range using a single NAT rule. One thing to be aware of when using such rules is that it's a sledgehammer. DuckDuckGo uses AWS, and you'll be blocking them if you don't whitelist their IPs.

-------------------

A couple of notes on CF, assuming it's a real DDoS attack and not some bots running amok. To fully utilize their DDoS protection you must protect the origin IP. Ports 80 and 443 should be firewalled on the server while whitelisting CF IPs. You also need to eliminate anything else that can expose the IP; for example, email needs to be sent through a different IP. The remote avatar download in phpBB is something else that can expose it.

If you can't keep the origin IP private, the proxy service from CF is useless when you have a determined attacker.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
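The origin-side half of thecoalman's advice (firewall 80/443 so only Cloudflare's edge can connect) has a companion check that the thread's IP-blocking discussion depends on: the address you log and ban must be the real client, which behind Cloudflare arrives in the CF-Connecting-IP header, but that header is only trustworthy on connections that actually came from a Cloudflare edge. Anyone who reaches the origin directly can set it to whatever they like. The script below is an added example, not Cloudflare's or phpBB's code. CF_RANGES is a constructed placeholder using documentation prefixes; at deploy time load the current lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The nftables text is an assumed layout to review before applying, not a published Cloudflare ruleset.

```python
"""Origin hardening for a Cloudflare-proxied phpBB host: accept 80/443 only from
Cloudflare's edge, and trust CF-Connecting-IP only on connections that really
came from that edge.

Added example; not Cloudflare's or phpBB's code.  CF_RANGES is a CONSTRUCTED
placeholder (RFC 5737 / RFC 3849 documentation space); load the real lists
from cloudflare.com/ips-v4 and ips-v6 at deploy time.  The nftables layout is
an assumption of this demo.
"""
import ipaddress

# Constructed stand-ins for the Cloudflare edge prefixes.
CF_RANGES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:cf::/48")]


def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)   # version mismatch simply yields False


def accept_connection(peer_ip, ranges=CF_RANGES):
    """Firewall verdict for a new TCP connection to the web ports."""
    return in_ranges(peer_ip, ranges)


def client_ip(peer_ip, headers, ranges=CF_RANGES):
    """Address to log and rate-limit on.  Honour CF-Connecting-IP only when the TCP
    peer is a Cloudflare edge; otherwise fall back to the peer itself."""
    hdr = {k.lower(): v for k, v in headers.items()}.get("cf-connecting-ip")
    if hdr and in_ranges(peer_ip, ranges):
        try:
            return str(ipaddress.ip_address(hdr.strip()))
        except ValueError:
            pass                                     # garbage header: ignore it
    return peer_ip


def nft_ruleset(ranges=CF_RANGES, ports=(80, 443)):
    """Render an nftables table that drops web-port traffic from anything but the
    listed prefixes (assumed layout; merge into the host's own ruleset)."""
    v4 = [str(n) for n in ranges if n.version == 4]
    v6 = [str(n) for n in ranges if n.version == 6]
    dport = "tcp dport { " + ", ".join(str(p) for p in ports) + " }"
    lines = ["table inet cf_only {"]
    if v4:
        lines.append(f"  set cf4 {{ type ipv4_addr; flags interval; elements = {{ {', '.join(v4)} }} }}")
    if v6:
        lines.append(f"  set cf6 {{ type ipv6_addr; flags interval; elements = {{ {', '.join(v6)} }} }}")
    lines.append("  chain input {")
    lines.append("    type filter hook input priority 0; policy accept;")
    if v4:
        lines.append(f"    {dport} ip saddr @cf4 accept")
    if v6:
        lines.append(f"    {dport} ip6 saddr @cf6 accept")
    lines.append(f"    {dport} drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
    print("direct hit from an EC2 address accepted?", accept_connection("54.151.36.231"))
```

The two pieces belong together: the firewall makes the "peer is a Cloudflare edge" assumption true for every connection that gets through, and the header check means that if the firewall is ever misconfigured, a direct-to-origin request still cannot steer your ban list at someone else's address.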