Mitigate HTTP FLOOD

#1 Sun, 10/18/2015 - 13:42
silenx

Mitigate HTTP FLOOD

Hello, I received some kind of L7 attack (HTTP flood). I use fail2ban for other services (e.g. SSH, FTP).
Does anyone have a suggestion to mitigate the httpd flood?

Here an example of what i received:
xxx.xxx.xxx.xxx - - [18/Oct/2015:20:07:21 +0200] "GET / HTTP/1.1" 200 36920 "-" "-"
xxx.xxx.xxx.xxx - - [18/Oct/2015:20:07:15 +0200] "GET / HTTP/1.0" 200 36064 "-" "-"
xxx.xxx.xxx.xxx - - [18/Oct/2015:20:07:57 +0200] "GET / HTTP/1.1" 200 62471 "-" "-"
xxx.xxx.xxx.xxx - - [18/Oct/2015:20:07:58 +0200] "GET / HTTP/1.0" 200 62449 "-" "-"
xxx.xxx.xxx.xxx - - [18/Oct/2015:20:07:58 +0200] "GET / HTTP/1.1" 200 62471 "-" "-"
xxx.xxx.xxx.xxx - - [18/Oct/2015:20:07:58 +0200] "GET / HTTP/1.1" 200 62471 "-" "-"
xxx.xxx.xxx.xxx - - [18/Oct/2015:20:07:59 +0200] "GET / HTTP/1.0" 200 62449 "-" "-"
xxx.xxx.xxx.xxx - - [18/Oct/2015:20:07:59 +0200] "GET / HTTP/1.1" 200 62471 "-" "-"
xxx.xxx.xxx.xxx - - [18/Oct/2015:20:08:01 +0200] "GET / HTTP/1.1" 200 62471 "-" "-"

After that they become HTTP status 500, all services hang, and I need to restart webmin, apache, mysql, etc.

Sun, 10/18/2015 - 21:25
Diabolico

Since you are using fail2ban, try this:

Create "/etc/fail2ban/filter.d/nomoreflood.conf":
[INCLUDES]
# use common.conf instead of apache-common.conf depending on your f2b version
before = apache-common.conf

[Definition]
# <HOST> is fail2ban's placeholder for the client address; a failregex must
# contain it, otherwise the jail refuses to start
failregex = ^<HOST> -.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+

ignoreregex =

then in "/etc/fail2ban/jail.local" (or jail.conf):
[nomoreflood]

enabled = true
port = http,https
filter = nomoreflood
# the iptables action takes a transport protocol, so tcp rather than http
action = iptables[name=nomoreflood, port=http, protocol=tcp]
logpath = /path/to/your/apache/log/file
maxretry = 100
findtime = 5
bantime = 86400

This means that f2b will ban every IP that makes 100 requests (maxretry) within 5 seconds (findtime), for 24 hours (bantime). You can play with maxretry and findtime to set what is best for you, but watch out not to ban legitimate visitors. You could lower the ban time to something smaller like 1 hour, but I will leave this to you.

Don't forget to restart f2b, and feel free to rename "nomoreflood" to whatever you want.

After you restart fail2ban, check the log files (f2b, apache) and see if everything is working. Just so you know, people who share the same IP, like on public Wi-Fi, could trigger f2b.

-------------------
WHITELIST YOUR IP ADDRESS in "/etc/fail2ban/jail.local" (pay attention to the empty space between each IP):
ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx
-------------------
Just to be sure you will not ban yourself during testing or whatever else, especially if you keep the 24h ban time.

During testing it would be good to set bantime to something smaller like 3 to 5 min (180 - 300), so if you start banning legitimate visitors by mistake it will expire in a short time.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Mon, 10/19/2015 - 03:41
silenx

Thank you.
I implemented this for GET and POST.

A filter named post-get-ddos.conf:

[Definition]
# <HOST> is fail2ban's placeholder for the client address and is required
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =

and the jail:
[post-get-ddos]
enabled = true
port = http,https
filter = post-get-ddos
logpath = /var/log/virtualmin/*access_log
maxretry = 500
findtime = 120
bantime = 600
action = iptables[name=HTTP, port=80, protocol=tcp]

ignoreip = 127.0.0.1/8 is in the default.

Do you think it is OK?
Thanks for the support.

Mon, 10/19/2015 - 05:00
Diabolico

Findtime is too big: 120 = 2 minutes, and in case of a flood you would get hundreds of requests per second. I would lower that to 30 (or lower) and then play with maxretry. Just so you know, with that rule all POST and GET requests will be counted, regardless of whether the source is legitimate or not. Keep this in mind when setting findtime and maxretry.

This is another rule similar to yours and maybe worth testing (it only matches requests whose query string carries a remote http:// URL):
failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$

Ignoreip and the rest I explained in my first post, and you should add your IP to that line, at least until you are sure everything works (or you know what you are doing).

Check the f2b and apache logs and see if everything works.

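To see how maxretry and findtime interact with filters like the two in this thread, here is an added Python example that is neither fail2ban's own code nor from any poster. It expands fail2ban's <HOST> placeholder into an IPv4 capture group, applies the GET/POST filter and the query-string filter to some constructed combined-log lines, and reports which addresses would be banned under a given maxretry/findtime. The log lines, the documentation-range addresses, the filter names and the helper functions are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-log lines (not the poster's traffic); the
# addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Oct/2015:20:07:21 +0200] "GET / HTTP/1.1" 200 36920 "-" "-"
203.0.113.10 - - [18/Oct/2015:20:07:21 +0200] "GET / HTTP/1.0" 200 36064 "-" "-"
203.0.113.10 - - [18/Oct/2015:20:07:22 +0200] "GET / HTTP/1.1" 200 62471 "-" "-"
203.0.113.10 - - [18/Oct/2015:20:07:22 +0200] "GET / HTTP/1.1" 200 62471 "-" "-"
198.51.100.7 - - [18/Oct/2015:20:07:23 +0200] "GET /index.php?u=http://203.0.113.99/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2015:20:09:30 +0200] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# The two failregex patterns discussed in the thread, written as they would
# appear in a fail2ban filter file; <HOST> is fail2ban's client-address placeholder.
FILTERS = {
    "post-get-ddos": r'^<HOST> -.*"(GET|POST).*',
    "remote-url-in-query": r'^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$',
}

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only, an assumption here).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_filter(failregex):
    """Turn a fail2ban-style failregex into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_time(line):
    """Extract the request timestamp from a combined-log line."""
    m = TIME_RE.search(line)
    if m is None:
        raise ValueError("no timestamp in line: %r" % line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def find_offenders(log_text, failregex, maxretry, findtime):
    """Return {host: time_of_ban} for every host with at least maxretry
    matching lines inside a sliding window of findtime seconds, which is
    how a fail2ban jail with those settings counts hits."""
    pattern = compile_filter(failregex)
    recent = defaultdict(deque)   # host -> timestamps of matches still in the window
    banned = {}
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m is None:
            continue
        host = m.group("host")
        ts = parse_time(line)
        q = recent[host]
        q.append(ts)
        # Drop matches that fell out of the findtime window.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for name, regex in FILTERS.items():
        for maxretry, findtime in ((4, 5), (2, 300)):
            hits = find_offenders(SAMPLE_LOG, regex, maxretry, findtime)
            print(name, "maxretry=%d findtime=%d" % (maxretry, findtime),
                  "->", sorted(hits) or "nobody banned")
```

With these lines, the GET/POST filter at maxretry=4 and findtime=5 bans only 203.0.113.10 (four hits within two seconds) and leaves 198.51.100.7 alone, because its two hits are 127 seconds apart. Raising findtime to 300 with maxretry=2 bans both, which illustrates Diabolico's warning that this filter counts every request whether legitimate or not. The query-string filter matches only the single line carrying `=http://` in its URL, so it never reaches maxretry unless that is set to 1.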

Mon, 10/19/2015 - 07:53
silenx

Thank you, I will try with maxretry and lowering findtime.

The flood requests looked like: xxx.xxx.xxx.xxx - - [18/Oct/2015:20:07:21 +0200] "GET / HTTP/1.1" 200 36920 "-" "-"
without user agent, etc.
