
My nginx instance is getting hammered every couple of days by some bad bot using random query parameter values.

/var/log/nginx/access.log:209.107.204.224 - - [14/Mar/2023:16:01:42 +0100] "GET /?ttrp353217=ttrp540516 HTTP/1.1" 501 560 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36"

When it hits, it quickly causes resource starvation, and eventually HTTP 501/504 for regular customers.

The ttrp query param name/value always contains a random number.

Is this some well-known bot?

Is there a way to configure nginx to block requests containing a specific query param regex? AFAIK, I can block the request if a query param exists, but not if a query param starting with a given prefix exists...

I blocked the address for the time being, but that one is likely to change.

Jovan Perovic
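An added example, not from the question or either answer, of how nginx can match such a query string by regex: a map over $args (the raw query string) sets a flag, and the server block drops matching requests before they reach the application. The server_name and root values are placeholders.

```nginx
# Added example. $args holds the raw query string, e.g. "ttrp353217=ttrp540516".
# Doing the regex match in a map keeps the decision out of "if" blocks and
# makes the flag reusable in any server or location.
map $args $drop_ttrp {
    default 0;
    # Parameter name and value both start with "ttrp" followed by digits,
    # as in the logged request; anchored so it cannot match mid-parameter.
    "~(^|&)ttrp[0-9]+=ttrp[0-9]+(&|$)" 1;
}

server {
    listen 80;
    server_name example.com;   # placeholder
    root /var/www/html;        # placeholder

    # 444 closes the connection without sending a response: the bot gets
    # nothing to parse and the worker spends no time on the backend.
    # The hit is still written to access.log with status 444.
    if ($drop_ttrp) {
        return 444;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Apply with `nginx -t && nginx -s reload`; the 444 entries in access.log give a fail2ban filter a clean pattern to key on if you also want the source address banned after repeated hits.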

2 Answers


Use fail2ban that parses logs and blocks matching addresses for the set period.

The other option is to use Cloudflare, which does this, and much more, automatically, for free.

I’d say hosting anything publicly without Cloudflare is a bad idea in 2023.

Disclaimer: no, I’m not affiliated with, or endorsed by CF. But I’ve been using their services for free for years, and my server has never been brought down, ever.

bviktor

What you need is a WAF (Web Application Firewall). Cloudflare is a solution as mentioned by previous answers. But I personally use Naxsi to prevent these attacks.

You can integrate Naxsi with Fail2Ban and UFW to block bad IPs automatically.

Naxsi can be installed as a dynamic module for nginx.