Textpattern CMS support forum
Re: Approaches against DDoS attacks?
Thanks. There’s an option in Cloudflare to add a rate limit that blocks, for example IPs, if a certain number of requests are sent in a certain time period to a particular url pattern and for a certain amount of time. That all happens before the request is sent to the actual server, so htaccess doesn’t apply yet.
Cloudflare’s free plan has some limitations, as far as I can tell, versus a paid plan. Firstly, you can only set one rate-limit rule. I only seem to be able to limit a single IP to {user-set-number} of requests in 10 seconds. That IP will then be blocked for 10 seconds. My attempts to set that rule haven’t trapped any requests. Either I’ve set it wrongly (quite possible) or that happens because either:
- the many requests are spread across multiple IPs so that a single one doesn’t send so many requests in quick succession.
- my previous country-based / ASN-IP-Address Block filter had already blocked requests
I started with a geographic (Singapore) blocking rule, then looked at the IPs and while they varied, Cloudflare showed that they all belong to Bytedance. They all share an AS Number which Cloudflare shows you. You can add a block rule per AS-N, so I did that and placed it before the geographic filter. It trapped pretty much everything.
TXP Builders – finely-crafted code, design and txp
Re: Approaches against DDoS attacks?
jakob wrote #342863:
I started with a geographic (Singapore) blocking rule, then looked at the IPs and while they varied, Cloudflare showed that they all belong to Bytedance. They all share an AS Number which Cloudflare shows you. You can add a block rule per AS-N, so I did that and placed it before the geographic filter. It trapped pretty much everything.
If I am to judge from our recent experience, expect the attacks to last from 1 to 3 months :(
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Approaches against DDoS attacks?
I have another client now experiencing something similar, albeit at a smaller scale, and in a less sustained manner. Different client, different host, entirely different area of work. Enough to create intermittent 503s but not enough to bring the server to its knees.
The pattern of a concatenated chain of bona-fide URLs being requested and causing 404s is similar:
/section/123/article-name/section/456/other-article-name/section/789/and-so-on
and the solution is similar, with most requests coming from a server group of Bytedance servers in Singapore with some also from China. Cloudflare has been effective so far even without activating the emergency button.
Have other people experienced this pattern of attack?
I ask because there are similarities in the setup of these two sites, and they are not typical Textpattern sites. I’ve checked that the sitemap and canonical urls are not producing wrong URLs, but otherwise I don’t know why these two sites should have suffered these attacks more than other more typical Textpattern installations.
#19 Today 08:16:08
Re: Approaches against DDoS attacks?
Another burst of over 5 hours overnight bringing it to 350,000 requests in the last 24 hrs. Nothing like the other attack on the other site from last month, which had that rate every 15 minutes, but still a mystery why.
Interestingly there’s a blip of increased server load after each main burst (marked by me with red circles). The blue line is what Cloudflare’s standard and my custom rules block, which are mostly server groups from Singapore and China. Looking at just those two sections, I see similar attack patterns from servers in other parts of the world – Brazil, Mexico, USA, Canada – which are probably involved or co-opted in the attack and thus were not targeted by my blocking rules. Presumably when the attack ebbs off, there’s a delay in relaying the “you can stop now” directive to the other servers.
#20 Today 14:50:01
Re: Approaches against DDoS attacks?
Out of interest, what’s the user agent in the log?
#21 Today 16:15:10
Re: Approaches against DDoS attacks?
gaekwad wrote #343118:
Out of interest, what’s the user agent in the log?
I can only sample some, but they seem to vary. Here’s a smattering from consecutive queries, all from different IPs that belong to the ASN 150436 – BYTEPLUS-AS-AP Byteplus Pte. Ltd.:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/180.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:{version}.0) Gecko/20100101 Firefox/135.0
Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Mobile Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/260.1
Sampling further down, the top one seems most common.
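As an added example (not code from any of the posts above), a small Python log check covering the two things this thread turns on: the chained /section/<id>/<slug> paths that produce 404s, and the per-IP request count inside a 10-second window that the Cloudflare rate-limit rule keys on, plus a tally of which user agent the chained requests carry, as in the sample just posted. The log lines, IP addresses and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in combined log format, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:08:10:01 +0000] "GET /section/123/article-name/section/456/other-article-name HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
203.0.113.10 - - [12/Mar/2025:08:10:03 +0000] "GET /section/456/other-article-name/section/789/and-so-on HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Mobile Safari/537.36"
203.0.113.10 - - [12/Mar/2025:08:10:05 +0000] "GET /section/123/article-name/section/789/and-so-on/section/456/x HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
203.0.113.10 - - [12/Mar/2025:08:10:08 +0000] "GET /section/789/and-so-on/section/123/article-name HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/180.1"
198.51.100.7 - - [12/Mar/2025:08:10:04 +0000] "GET /section/123/article-name HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Two or more /<section>/<numeric id>/<slug> units glued into one path
CHAIN_RE = re.compile(r'^(?:/[^/]+/\d+/[^/]+){2,}/?$')

def parse_line(line):
    m = LOG_RE.match(line)  # None for lines that are not in combined log format
    if not m:
        return None
    rec = m.groupdict()
    rec["t"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    rec["status"] = int(rec["status"])
    return rec

def is_chained_path(path):
    return bool(CHAIN_RE.match(path))

def peak_per_ip(records, window_s=10):
    """Most requests any single IP made inside any window_s-second span."""
    times = defaultdict(list)
    for r in records:
        times[r["ip"]].append(r["t"])
    peaks = {}
    for ip, ts in times.items():
        ts.sort()
        lo = best = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window_s:  # slide window start past old requests
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[ip] = best
    return peaks

def analyze(log_text, window_s=10, threshold=3):
    """Count chained-URL 404s, find their commonest UA, list IPs over the rate threshold."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    chained = [r for r in recs if r["status"] == 404 and is_chained_path(r["path"])]
    peaks = peak_per_ip(recs, window_s)
    top_ua = Counter(r["ua"] for r in chained).most_common(1)
    return {"chained_404s": len(chained), "top_ua": top_ua[0][0] if top_ua else None,
            "offenders": sorted(ip for ip, n in peaks.items() if n >= threshold)}
```

Feed it a real access log and the offenders list is the candidate set for a rate-limit or ASN rule; the chained-path regex is what distinguishes this traffic from ordinary 404s.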