
Textpattern CMS support forum


#16 2026-03-05 12:03:27

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 5,285
Website GitHub

Re: Approaches against DDoS attacks?

Thanks. There’s an option in Cloudflare to add a rate limit that blocks, for example IPs, if a certain number of requests are sent in a certain time period to a particular url pattern and for a certain amount of time. That all happens before the request is sent to the actual server, so htaccess doesn’t apply yet.

Cloudflare’s free plan has some limitations, as far as I can tell, versus a paid plan. Firstly, you can only set one rate-limit rule. I only seem to be able to limit a single IP to {user-set-number} of requests in 10 seconds. That IP will then be blocked for 10 seconds. My attempts to set that rule haven’t trapped any requests. Either I’ve set it wrongly (quite possible) or that happens because either:

  • the many requests are spread across multiple IPs so that a single one doesn’t send so many requests in quick succession.
  • my previous country-based / ASN-IP-Address Block filter had already blocked requests

I started with a geographic (Singapore) blocking rule, then looked at the IPs and, while they varied, Cloudflare showed that they all belong to Bytedance. They all share an AS Number, which Cloudflare shows you. You can add a block rule per ASN, so I did that and placed it before the geographic filter. It trapped pretty much everything.


TXP Builders – finely-crafted code, design and txp

Offline

#17 2026-03-05 16:36:35

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,404
Website GitHub Mastodon Twitter

Re: Approaches against DDoS attacks?

jakob wrote #342863:

I started with a geographic (Singapore) blocking rule, then looked at the IPs and, while they varied, Cloudflare showed that they all belong to Bytedance. They all share an AS Number, which Cloudflare shows you. You can add a block rule per ASN, so I did that and placed it before the geographic filter. It trapped pretty much everything.

If I am to judge from our recent experience, expect the attacks to last from 1 to 3 months :(


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#18 2026-04-07 17:24:04

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 5,285
Website GitHub

Re: Approaches against DDoS attacks?

I have another client now experiencing something similar, albeit at a smaller scale, and in a less sustained manner. Different client, different host, entirely different area of work. Enough to create intermittent 503s but not enough to bring the server to its knees.

The pattern of a concatenated chain of bona-fide URLs being requested and causing 404s is similar:

/section/123/article-name/section/456/other-article-name/section/789/and-so-on

and the solution is similar, with most requests coming from a server group of Bytedance servers in Singapore with some also from China. Cloudflare has been effective so far even without activating the emergency button.

Have other people experienced this pattern of attack?

I ask because there are similarities in the setup of these two sites, and they are not typical Textpattern sites. I’ve checked that the sitemap and canonical URLs are not producing wrong URLs, but otherwise I don’t know why these two sites should have suffered these attacks more than other more typical Textpattern installations.


TXP Builders – finely-crafted code, design and txp

Offline
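A small log-analysis script that illustrates two points raised in the posts above: how to spot the chained /section/id/slug URL pattern that produces 404s, and why a per-IP rate limit (N requests in a 10-second window) can miss a burst that is spread across many IPs of a single ASN while a per-ASN count catches it. This is an added example, not code from the thread, Textpattern or Cloudflare; the IP addresses, timestamps, user agent line and the IP-to-ASN map are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Two or more /section/<id>/<slug> segments glued together (the 404-producing chain)
CHAIN_RE = re.compile(r'(?:/section/\d+/[^/]+){2,}')
ASN_OF_IP = {"198.51.100.10": "AS150436", "198.51.100.11": "AS150436",  # constructed map,
             "198.51.100.12": "AS150436", "203.0.113.5": "AS64496"}      # stands in for an ASN DB

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    rec["chained"] = bool(CHAIN_RE.search(rec["path"]))
    return rec

def rate_limit_offenders(records, key_fn, threshold, window=10):
    """Sliding window: keys that exceed `threshold` requests within `window` seconds."""
    recent, offenders = defaultdict(deque), set()
    for r in sorted(records, key=lambda r: r["ts"]):
        q = recent[key_fn(r)]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            offenders.add(key_fn(r))
    return offenders

def analyse(lines, threshold=3):
    recs = [r for r in map(parse_line, lines) if r]
    return {
        "chained_404": sum(1 for r in recs if r["chained"] and r["status"] == "404"),
        "per_ip": rate_limit_offenders(recs, lambda r: r["ip"], threshold),
        "per_asn": rate_limit_offenders(recs, lambda r: ASN_OF_IP.get(r["ip"], "?"), threshold),
    }
UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
CHAIN = "/section/123/article-name/section/456/other-article-name/section/789/and-so-on"

def _line(ip, sec, path, status):  # build one constructed sample log line
    return f'{ip} - - [07/Apr/2026:03:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{UA}"'

# Constructed burst: six chained requests spread over three IPs of one ASN, plus one genuine hit
SAMPLE_LOG = [_line(f"198.51.100.{10 + i % 3}", i + 1, CHAIN, 404) for i in range(6)]
SAMPLE_LOG.append(_line("203.0.113.5", 7, "/section/123/article-name", 200))
```

With the default threshold of 3, no single IP trips the per-IP rule (each sent only two requests), but the ASN as a whole does, which is what the per-ASN block rule in the thread relies on.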

#19 2026-04-08 08:16:08

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 5,285
Website GitHub

Re: Approaches against DDoS attacks?

Another burst of over 5 hours overnight bringing it to 350,000 requests in the last 24 hrs. Nothing like the other attack on the other site from last month, which had that rate every 15 minutes, but still a mystery why.

Interestingly there’s a blip of increased server load after each main burst (marked by me with red circles). The blue line is what Cloudflare’s standard and my custom rules block, which are mostly server groups from Singapore and China. Looking at just those two sections, I see similar attack patterns from servers in other parts of the world – Brazil, Mexico, USA, Canada – which are probably involved or co-opted in the attack and thus were not targeted by my blocking rules. Presumably when the attack ebbs off, there’s a delay in relaying the “you can stop now” directive to the other servers.


TXP Builders – finely-crafted code, design and txp

Offline

#20 2026-04-08 14:50:01

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,837
GitHub

Re: Approaches against DDoS attacks?

Out of interest, what’s the user agent in the log?

Offline

#21 2026-04-08 16:15:10

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 5,285
Website GitHub

Re: Approaches against DDoS attacks?

gaekwad wrote #343118:

Out of interest, what’s the user agent in the log?

I can only sample some, but they seem to vary. Here’s a smattering from consecutive queries, all from different IPs that belong to the ASN 150436 – BYTEPLUS-AS-AP Byteplus Pte. Ltd.:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/180.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:{version}.0) Gecko/20100101 Firefox/135.0
Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Mobile Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/260.1

Sampling further down, the top one seems most common.


TXP Builders – finely-crafted code, design and txp

Offline

#22 2026-04-08 16:19:49

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,837
GitHub

Re: Approaches against DDoS attacks?

jakob wrote #343122:

Here’s a smattering from consecutive queries, all from different IPs that belong to the ASN 150436 – BYTEPLUS-AS-AP Byteplus Pte. Ltd.:

Two additional ASNs from here that might be worth pre-emptively blocking: AS138699 & AS396986.

Offline

#23 Yesterday 12:21:39

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,404
Website GitHub Mastodon Twitter

Re: Approaches against DDoS attacks?

Hi Julian,
I don’t know what kind of access you have for your server, but OWASP CRS can deter a lot of bad actors!


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#24 Yesterday 13:57:39

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 5,285
Website GitHub

Re: Approaches against DDoS attacks?

colak wrote #343136:

Hi Julian,
I don’t know what kind of access you have for your server, but OWASP CRS can deter a lot of bad actors!

Thanks, that was new to me. The host doesn’t provide that kind of access, but Cloudflare does apparently have this as a configurable ruleset (docs), while also noting that the standard managed rules cover many of those aspects. That said, the WAF (web application firewall) is only available (as far as I can tell) on paid plans, which begin at $20/month.

It wasn’t too difficult to use Cloudflare, and the protection it offers seems pretty effective. Cloudflare’s rules or caching have reduced the number of queries to 12.5% of what it would otherwise have to deal with. But it’s yet another big US corp that I would have preferred to avoid using.

That said, I think I still have a lot to learn. The previous attack intensity has ebbed significantly, with 10% of traffic now blocked by the rules, but there has just been a 12-hour bout of ~130,000 requests served directly from Cloudflare’s cache that are only assets – CSS, JS, images, SVGs, feeds, but no HTML pages at all – coming from servers all over the place but also including plentiful quantities of what could be bona-fide requests from Google. Cloudflare’s cache has prevented those queries reaching the host’s server without me having to take any further action, but I’ve no idea why there should be that intensity of activity.

Even what still gets through to the server – about 20k requests per day – is higher than most of the sites I look after. The site in question is sizable and has numerous assets in many subdirectories, but it is by no means a site with a large readership.

(If this is getting on people’s nerves, I can desist with further reporting. It’s not strictly Textpattern related)


TXP Builders – finely-crafted code, design and txp

Offline
