0

How can I stop a client that's running a multirequest script on my server that reconnects and continues no matter what, without affecting the other people/clients that are connected to my server from the same ip as the attacker?

The port is different for each connection, so I can't use that.

Arre
  • 3
  • 1

4 Answers

2

You can't do that at the TCP/IP level. As you correctly guessed, a firewall only cares about IP addresses and ports, it knows nothing about what a process is doing or who is running it on the client system.

You need to use some other system in order to analyze traffic at the application level and block unwanted requests.

Which system? It depends heavily on the application. You didn't even mention what kind of service you're talking about.

Massimo
  • 70,200
  • 57
  • 200
  • 323
  • If the application requires users to be logged in, I will find out which account is causing the problem, but it will not help; requests can continue to come and the system will still be under pressure. So I can't see any other solution but to temporarily blacklist the IP address until everything is under control again, which affects the other legitimate users on the same IP as the attacker. I hope there is a better solution than this. – Arre Jun 10 '20 at 13:22
  • Writing a webserver on Windows. – Arre Jun 10 '20 at 13:35
  • You could put a firewall or reverse proxy with IDS/IDP capabilities in front of it; but those things are often complex and costly. Also, depending on the specific attack, even they might not be able to help at all. – Massimo Jun 10 '20 at 14:13
  • But anyway, you can't do what you want at the TCP/IP level; you can only allow or block traffic based on the origin and destination addresses and ports. – Massimo Jun 10 '20 at 14:14
  • 1
    @Arre Block that IP address and make the issue of determining who is doing the poor behaviour the problem of the company behind that IP. When I was working at Stack Overflow this happened multiple times. Someone misbehaves, the IP gets on a block list. We get an email saying "Hey our IP is blocked!" We replied asking them to find out who was being bad and to stop it, and we'll unblock. It shifts the burden of solving the issue onto them, not you, as it should be. – Mark Henderson Jun 10 '20 at 23:31
  • If I am under attack and know that the IP address is correct, I can immediately drop the connections. But what if the attack is a SYN wave (no ACK is received)? That is a great indication that the IP address is someone else's. Do you think I should drop the connections immediately? Or have another rule for these, where they are dropped after 1-2 seconds instead if no ACK arrives? I don't know how much difference it really makes to drop immediately or wait a second for the ACK. If it's not a big deal, then it might be worth it to increase the tolerance when it comes to the wrong/spoofed addresses. – Arre Jun 11 '20 at 09:58
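The thread above settles on "analyze at the application level" without showing what that looks like. The following is an added example, not code from the question or from Massimo's answer: a small throttle that keys its budget on the authenticated account when one is present, and only falls back to the source IP for anonymous requests. One runaway login behind a NAT or corporate proxy is then refused on its own, while other users on the same address keep working. Class names, limits and the sample traffic are constructed for this illustration; nothing here stops the reconnect attempts from arriving, it only makes each refused request cheap and tells you which identity to act on.

```python
"""Application-level throttle keyed by account rather than source IP.

Added example, not code from the question or from Massimo's answer. When a
request carries an authenticated identity, that identity is throttled; requests
with no identity fall back to a per-IP budget, which is the only handle left.
All names, limits and the sample traffic are constructed for this example.
"""
from collections import defaultdict, deque


class SlidingWindow:
    """Timestamps of recent requests for one key; old ones are pruned on read."""

    def __init__(self):
        self.hits = deque()

    def count(self, now, window):
        while self.hits and self.hits[0] <= now - window:
            self.hits.popleft()
        return len(self.hits)


class RequestThrottle:
    def __init__(self, per_account, per_ip, window=1.0, block_seconds=60.0):
        self.per_account = per_account    # requests per window for one login
        self.per_ip = per_ip              # requests per window for anonymous traffic from one IP
        self.window = window
        self.block_seconds = block_seconds
        self._windows = defaultdict(SlidingWindow)
        self._blocked_until = {}          # key -> time the temporary block expires

    @staticmethod
    def _key(ip, account):
        # Authenticated traffic is keyed by account so a NAT neighbour is never
        # penalised for someone else's script; anonymous traffic is keyed by IP.
        return ("acct", account) if account else ("ip", ip)

    def check(self, now, ip, account=None):
        """Return True if the request may proceed, False if it should be refused."""
        key = self._key(ip, account)
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                return False          # block still active; the hit is not counted
            del self._blocked_until[key]
        limit = self.per_account if account else self.per_ip
        window = self._windows[key]
        if window.count(now, self.window) >= limit:
            # Budget exhausted: block this key for a while. The key (account or
            # IP) is what you would log and, for a shared IP, report to its owner.
            self._blocked_until[key] = now + self.block_seconds
            return False
        window.hits.append(now)
        return True


def simulate(throttle, requests):
    """Feed (time, ip, account) tuples in time order; return (account, allowed) pairs."""
    return [(account, throttle.check(t, ip, account)) for t, ip, account in requests]


if __name__ == "__main__":
    SHARED_IP = "203.0.113.10"   # constructed: one NAT address shared by several users
    throttle = RequestThrottle(per_account=5, per_ip=50)
    bot = [(i / 100, SHARED_IP, "bot") for i in range(20)]        # 20 requests in 0.2 s
    alice = [(t, SHARED_IP, "alice") for t in (0.05, 0.5, 0.9)]   # ordinary browsing
    traffic = sorted(bot + alice, key=lambda r: r[0])
    for account, allowed in simulate(throttle, traffic):
        print(f"{account:6} {'allowed' if allowed else 'REFUSED'}")
```

Run as a script, the bot account gets its first five requests through and is refused for the next minute, while alice's three requests from the same address are all served. The per-IP budget for anonymous traffic has to be sized for the whole population behind a NAT, which is exactly the trade-off the comments describe; the per-account key is what removes it for logged-in users.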
1

As Massimo correctly mentioned, it cannot be carried out only at the TCP level. If you are running your own web server, blacklisting the IP definitely is an immediate prevention if the attack is targeted towards your system from a specific IP.

But does it always originate from the same IP and take a certain time? If yes, it sounds like a DoS (coming from a single source, standard attack) / DDoS attack (from multiple sources)... you know hackers definitely use IP spoofing to invoke the attack against the targeted device. While IP spoofing can't be prevented, measures can be taken to stop spoofed packets from infiltrating a network.

A WAF (web app firewall) also acts like a reverse proxy (when put between the Internet and the origin server) and can mitigate a layer DDoS attack. A network-based WAF is more costly than a host-based WAF, which can be integrated into the app's software. You can better opt for a cloud-based WAF, which is the most affordable of the options already mentioned.

0

If the attacker is arriving at your system from the same IP address as legitimate users then she is abusing the system which owns that address. In that case your best bet is to identify and block her on that system. If that system is not under your control, you can motivate its owner to help you by blacklisting or ratelimiting the IP address until the problem is addressed.

Tilman Schmidt
  • 4,101
  • 12
  • 27
0

If this IP address does not necessarily belong to one of your customers, then check the WHOIS info for the IP. You can use

https://viewdns.info/whois/

Look for the word "abuse" for the abuse contact email. Send an email to them with relevant logs. Usually, they open a ticket for you and notify their customers to stop the abusive behavior, and then ask you to report back after a certain time if they don't cease. After a few cycles, they can help get rid of the problem.

If this IP belongs to a certain client, work with them with relevant IP logs and request that they identify the trouble user.

K4M
  • 101
  • 1
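The answer above tells you to look for "abuse" in the WHOIS record and mail the contact your logs. As an added example (not code from K4M's answer or from viewdns.info), here is a parser that pulls the abuse mailbox and the network range out of a WHOIS reply and drafts the report body. The WHOIS text is constructed in the `key: value` layout the RIPE, APNIC and ARIN databases use; `abuse-mailbox:` and `OrgAbuseEmail:` are fields those registries really publish, while the addresses, ranges and log lines are made up for the example.

```python
"""Pull the abuse contact out of a WHOIS reply and draft the report.

Added example, not code from K4M's answer or from viewdns.info. The WHOIS
samples are constructed; only the field names follow the real registry layout.
"""
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed RIPE-style reply for the example; not real registry data.
SAMPLE_WHOIS = """\
% Constructed sample, not real registry output.
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-HOSTING
descr:          Example Hosting Ltd (constructed)
country:        ZZ
admin-c:        EX123-RIPE
e-mail:         noc@example.net
abuse-mailbox:  abuse@example.net
remarks:        report abuse to abuse@example.net, not to noc@example.net
"""

# Constructed ARIN-style reply; ARIN uses CamelCase field names.
SAMPLE_ARIN = """\
# Constructed sample, not real registry output.
NetRange:       198.51.100.0 - 198.51.100.255
NetName:        EXAMPLE-ARIN
OrgTechEmail:   noc@hosting.example
OrgAbuseEmail:  abuse@hosting.example
"""

# Constructed access-log lines to attach as evidence.
SAMPLE_LOGS = [
    '2020-06-10T13:20:01Z 203.0.113.10 "GET /api/items HTTP/1.1" 200',
    '2020-06-10T13:20:01Z 203.0.113.10 "GET /api/items HTTP/1.1" 200',
    '2020-06-10T13:20:02Z 203.0.113.10 "GET /api/items HTTP/1.1" 429',
]


def extract_abuse_contacts(whois_text):
    """Return the network range, its name and the abuse mailboxes in a WHOIS reply."""
    contacts, seen = [], set()
    net_range = net_name = None
    for raw in whois_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#" or ":" not in line:
            continue                      # blank, registry comment, or not key: value
        key, value = (part.strip() for part in line.split(":", 1))
        lkey = key.lower()
        if lkey in ("inetnum", "netrange") and net_range is None:
            net_range = value
        elif lkey == "netname" and net_name is None:
            net_name = value
        # A dedicated abuse field always counts; as a fallback, an abuse@ address
        # quoted in free text ('remarks:', 'descr:') is accepted too. Other
        # mailboxes (NOC, tech, admin) are deliberately ignored.
        for addr in EMAIL_RE.findall(value):
            if "abuse" in lkey or addr.lower().startswith("abuse@"):
                if addr.lower() not in seen:
                    seen.add(addr.lower())
                    contacts.append(addr)
    return {"range": net_range, "netname": net_name, "abuse_contacts": contacts}


def draft_abuse_report(info, offending_ip, log_lines):
    """Build the plain-text report to send to the abuse mailbox, evidence included."""
    to = ", ".join(info["abuse_contacts"]) or "<no abuse contact found; check the RIR's own abuse lookup>"
    body = [
        f"To: {to}",
        f"Subject: Abusive traffic from {offending_ip} ({info['netname'] or 'unknown netname'})",
        "",
        f"Your range {info['range']} is the source of automated, repeated requests against our server.",
        "Relevant log lines (UTC):",
    ]
    body.extend("  " + line for line in log_lines)
    return "\n".join(body)


if __name__ == "__main__":
    info = extract_abuse_contacts(SAMPLE_WHOIS)
    print(draft_abuse_report(info, "203.0.113.10", SAMPLE_LOGS))
```

The parser skips `%`/`#` comment lines, which is where registries put their disclaimers, and only returns addresses that are either in a field whose name contains "abuse" or that themselves start with `abuse@`; the NOC and tech mailboxes in the samples are left out, so the report goes to the desk that actually handles these tickets.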