4

Over the last few days I have noticed that my WordPress website had been running quite slowly, so I decided to investigate. After checking my database I saw that a table which was responsible for tracking 404 errors was over 1GB in size. At this point it was evident I was being targeted by bots.

After checking my access log I could see that there was a pattern of sorts: the bot seemed to land on a legitimate page which listed my categories and then move into a category page, and at this point they request seemingly random page numbers, many of which are non-existent pages, causing the issue.

Example:

/watch-online/ - Landing Page
/category/evolution/page/7 - 404
/category/evolution/page/1
/category/evolution/page/3
/category/evolution/page/5 - 404
/category/evolution/page/8 - 404
/category/evolution/page/4 - 404
/category/evolution/page/2
/category/evolution/page/6 - 404
/category/evolution/page/9 - 404
/category/evolution/page/10 - 404

This is the actual order of requests and they all happen within a second. At this point the IP becomes blocked as too many 404s have been thrown, but this seems to have no effect due to the sheer number of bots all doing the same thing.

Also the category changes with each bot so they are all attacking random categories and generating 404 pages.

At the moment there are 2037 unique IPs which have thrown similar 404s in the last 24 hours.

I also use Cloudflare and have manually blocked many IPs from ever reaching my box, but this attack is relentless and it seems as though they keep generating new IPs. Here is a list of some offending IPs:


Other than automatically blocking IPs for too many 404 errors I can think of no other real solution, and this in itself is quite ineffective due to the sheer number of IPs.

Any suggestions on how to deal with this would be greatly appreciated as there appears to be no end to this attack and my website's performance really is taking a hit.

Some User Agents Include:

Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36
Mozilla/5.0 (Windows NT 6.2; rv:26.0) Gecko/20100101 Firefox/26.0
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; WOW64; Trident/6.0)
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:22.0) Gecko/20100101 Firefox/22.0
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

user1356029
  • Hope [this](https://stackoverflow.com/questions/14477942/how-to-enable-ddos-protection) other thread helps you – Foo Bar May 25 '17 at 08:58
  • 1
    You need to disable xml-rpc, I had the same issue. – zakaria amine May 25 '17 at 13:56
  • @zakariaamine Hmm I disabled it via htaccess and the functions.php file and I am still being bombarded. :( – user1356029 May 25 '17 at 14:45
  • It seems like this is why he is receiving 404 status. In this case, I suggest using the firewall, and blacklisting the IPs – zakaria amine May 25 '17 at 14:52
  • Yeah I have been manually adding IPs like crazy the last couple of days with no result as there are so many, so I am currently looking into Apache modules such as "mod_evasive" – user1356029 May 25 '17 at 15:02

2 Answers

0

If it's your personal website, you can try checking Cloudflare, which is free and can also provide support against any DDoS attacks. Maybe you can give it a try.

sudharsan tk
  • Thanks for the suggestion but I currently already use Cloudflare and it isn't really helping in this particular case. – user1356029 May 25 '17 at 09:26
0

Okay so after much searching, experimentation and head banging I have finally mitigated the attack.

The solution was to install the Apache module 'mod_evasive'; see:

https://www.digitalocean.com/community/tutorials/how-to-protect-against-dos-and-ddos-with-mod_evasive-for-apache-on-centos-7

So for any other poor soul that gets slammed as severely as I did, have a look at that and get your thresholds finely tuned. This is a simple, cheap and very effective means of drastically downplaying any attack similar to the one I suffered.

My server is still getting bombarded by bots but this really does limit their damage.

user1356029
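As an added example (not code from either poster), the script below scans Apache combined-format access log lines for the pattern described in the question: bursts of 404s on `/category/<name>/page/<n>` URLs from a single IP. It reports each offending IP's peak burst size, which shows what a candidate per-IP threshold would catch before you set it in a rate limiter. The function names, the `min_404` and `window` parameters, and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: client IP, timestamp, request path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Paginated category archive, the URL shape shown in the question.
PAGED = re.compile(r'^/category/[^/]+/page/\d+/?$')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def burst_ips(lines, min_404=3, window=timedelta(seconds=2)):
    """Return {ip: peak paged-category 404s inside `window`} where peak >= min_404."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 404 and PAGED.match(rec[2]):
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_404:
            flagged[ip] = peak
    return flagged

def _line(ip, sec, path, status):
    return (f'{ip} - - [25/May/2017:08:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

# Constructed sample log using documentation-range addresses.
SAMPLE = [
    _line("192.0.2.10", 0, "/watch-online/", 200),
    _line("192.0.2.10", 0, "/category/evolution/page/7", 404),
    _line("192.0.2.10", 1, "/category/evolution/page/5", 404),
    _line("192.0.2.10", 1, "/category/evolution/page/8", 404),
    _line("198.51.100.7", 0, "/category/space/page/4", 404),
    _line("198.51.100.7", 30, "/category/space/page/9", 404),
    _line("203.0.113.5", 5, "/favicon.ico", 404),
]
```

Calling `burst_ips(SAMPLE)` flags only the first client. Widening `window` or lowering `min_404` shows how many slower clients a looser threshold would also block.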