Who can stop a attack to htpp server (i have access_log) - Apache

HermenegildoGonzalez
August 29, 2021
128 views
1 vote
2 Answers

Im under a DDOS attack that target http server, i try iptables and other measures but nothing seems to work. Here is part of access_log:

109.237.214.239 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?s33817297772r250884742883f92322299438598195591257069r HTTP/1.1" 301 295 "https://www.google.al/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 63.0; PPC; .NET CLR; Trident/59.0)"
109.237.214.239 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?S186879189386g204278779975PY70402618351E157376382842A HTTP/1.1" 301 295 "https://www.google.al/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 63.0; PPC; .NET CLR; Trident/59.0)"
109.237.214.239 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?y207943003016G2201421978843y132569157668N229970834500m HTTP/1.1" 301 296 "https://www.google.al/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 63.0; PPC; .NET CLR; Trident/59.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?b1033848070268158095038946yn101405159479e96245591002w HTTP/1.1" 301 295 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?M85480749584j74977563880Bp271099760912E80495871087c HTTP/1.1" 301 293 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?K261824748023B182524110184Mt46360453528p228247814734E HTTP/1.1" 301 295 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?&50760905483F94530953757MH95149280799F28458563126c HTTP/1.1" 301 296 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?m83429146801D1533461437480c208093700180V180002903550H HTTP/1.1" 301 295 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?P1727505211805124392251694ZS206387942906e76306212493l HTTP/1.1" 301 295 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?s82784850221466220627931B8265218767325u113518367783x HTTP/1.1" 301 294 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?K97179287541E15893924445o473499030528t59224747203k HTTP/1.1" 301 292 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?691410513245I79181565805v321581391791I3884604423a HTTP/1.1" 301 291 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?4198191451769p239541509341wD1896383510214269262196413B HTTP/1.1" 301 296 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?0167987625540e1215937323710g101215724494A213839718620L HTTP/1.1" 301 296 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?y237976285203O824680059186L173830871904649378747328V HTTP/1.1" 301 294 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?K42314044586u952381668331e251035250697O263368559864R HTTP/1.1" 301 294 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?W260478902972O197983066242Od227056128977972874469796c HTTP/1.1" 301 295 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
109.237.214.239 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?C86022852440R148387484456Qt34424023534x220799972703a HTTP/1.1" 301 294 "https://www.google.am/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (Linux i686; rv:41.0) Gecko/20210225 Firefox/41.0"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?y10719190794Q164454427002Qt139054158801Y18152466163j HTTP/1.1" 301 294 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
109.237.214.239 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?628104924938X479183041068A70898658121975789012844A HTTP/1.1" 301 292 "https://www.google.am/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (Linux i686; rv:41.0) Gecko/20210225 Firefox/41.0"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?h115701382502x41495646454bT194441737893m159101109396A HTTP/1.1" 301 295 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?L2432768823104700431176088221405119525F24472573434j HTTP/1.1" 301 293 "https://vk.com/profile.php?redirect=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/17.0)"
109.237.214.239 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?2199605088692B15592269563&l120478638807&165924411747e HTTP/1.1" 301 303 "https://www.google.am/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (Linux i686; rv:41.0) Gecko/20210225 Firefox/41.0"
185.107.82.164 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?J184077108586f120115370828S2164708750642f143781167355V HTTP/1.1" 301 296 "https://www.google.com.ag/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 24.0; Intel Mac OS X; Trident/49.0)"
185.107.82.164 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?n84679349071E42182548fj47445327961283707666397o HTTP/1.1" 301 289 "https://www.google.com.ag/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 24.0; Intel Mac OS X; Trident/49.0)"
185.107.82.164 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?Q75728286248285907682240JK152517240570g12127749859k HTTP/1.1" 301 293 "https://www.google.com.ag/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 24.0; Intel Mac OS X; Trident/49.0)"
185.107.82.164 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?c42502081472&371774402042o262146662149Y146388175936P HTTP/1.1" 301 298 "https://www.google.com.ag/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 24.0; Intel Mac OS X; Trident/49.0)"

Seems a lot of connections but iptables won’t stop the attack, ther is my iptables rules:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 147.135.37.113 -j ACCEPT

iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -N LOG_AND_DROP

iptables -N PORT21
iptables -A PORT21 -m recent --set --name lp21
iptables -A PORT21 -m recent --update --seconds 30 --hitcount 3 --name lp21 -j DROP
iptables -A PORT21 -m recent --update --seconds 300 --hitcount 10 --name lp21 -j LOG_AND_DROP

iptables -N PORT22
iptables -A PORT22 -m recent --set --name lp22
iptables -A PORT22 -m recent --update --seconds 30 --hitcount 3 --name lp22 -j DROP
iptables -A PORT22 -m recent --update --seconds 300 --hitcount 10 --name lp22 -j LOG_AND_DROP

iptables -N PORT80
iptables -A PORT80 -m recent --set --name lp80
iptables -A PORT80 -m recent --update --seconds 30 --hitcount 20 --name lp80 -j LOG_AND_DROP

iptables -N PORT443
iptables -A PORT443 -m recent --set --name lp433
iptables -A PORT443 -m recent --update --seconds 30 --hitcount 20 --name lp443 -j LOG_AND_DROP

iptables -N PORT10000
iptables -A PORT10000 -m recent --set --name lp10000
iptables -A PORT10000 -m recent --update --seconds 30 --hitcount 20 --name lp10000 -j LOG_AND_DROP

iptables -N PORT6900
iptables -A PORT6900 -m recent --set --name lp6900
iptables -A PORT6900 -m recent --update --seconds 30 --hitcount 10 --name lp6900 -j LOG_AND_DROP
iptables -A PORT6900 -m recent --update --seconds 50 --hitcount 20 --name lp6900 -j LOG_AND_DROP

iptables -N PORT6121
iptables -A PORT6121 -m recent --set --name lp6121
iptables -A PORT6121 -m recent --update --seconds 30 --hitcount 10 --name lp6121 -j LOG_AND_DROP
iptables -A PORT6121 -m recent --update --seconds 50 --hitcount 20 --name lp6121 -j LOG_AND_DROP

iptables -N PORT5121
iptables -A PORT5121 -m recent --set --name lp5121
iptables -A PORT5121 -m recent --update --seconds 30 --hitcount 10 --name lp5121 -j LOG_AND_DROP
iptables -A PORT5121 -m recent --update --seconds 50 --hitcount 20 --name lp5121 -j LOG_AND_DROP

iptables -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name pings --hashlimit-mode srcip --hashlimit 10/min --hashlimit-burst 10 --hashlimit-htable-expire 30000 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/min -j LOG --log-prefix "[Pings]"
iptables -A INPUT -p icmp -j DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j PORT21
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j PORT22
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j PORT80
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j PORT443
iptables -A INPUT -p tcp --dport 10000 -m state --state NEW -j PORT10000

iptables -A INPUT -p tcp --dport 6900 -m state --state NEW -j PORT6900
iptables -A INPUT -p tcp --dport 6121 -m state --state NEW -j PORT6121
iptables -A INPUT -p tcp --dport 5121 -m state --state NEW -j PORT5121

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-name p80 --hashlimit-mode srcip --hashlimit 50/min --hashlimit-burst 100 --hashlimit-htable-expire 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m hashlimit --hashlimit-name p443 --hashlimit-mode srcip --hashlimit 50/min --hashlimit-burst 100 --hashlimit-htable-expire 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -m hashlimit --hashlimit-name p10000 --hashlimit-mode srcip --hashlimit 50/min --hashlimit-burst 100 --hashlimit-htable-expire 10000 -j ACCEPT

iptables -A INPUT -p tcp --dport 6900 -j ACCEPT
iptables -A INPUT -p tcp --dport 6121 -j ACCEPT
iptables -A INPUT -p tcp --dport 5121 -j ACCEPT

iptables -A LOG_AND_DROP -m limit --limit 10/min -j LOG --log-prefix "[Log]"
iptables -A LOG_AND_DROP -j DROP

#iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "[Default]"
iptables -A INPUT -d 147.135.37.113 -j DROP

I try everything but i can stop this attack that make the http server consume all CPU resources. Any advice will be welcomed.

Answers

Chosen as BEST ANSWER

The problem solved with this simple iptables (maybe the other rules were too messy)

iptables -A INPUT -i eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eno1 -m state --state INVALID -j DROP
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p icmp -j ACCEPT
iptables -A INPUT -i eno1 -j DROP

The attacks keep coming but don't colapse the server.