Hammered by botnet; iptables can't keep up

Question

Fructis is a multi-site (and multi-software) VM (Xen) with 2 cores and like 6G of RAM.

It hosts popular Drupal and Wordpress websites and is currently getting hammered. I will put all details below.

1. I've been blocking IPs but there appears to be a VERY aggressive bot network and mostly changes IPs faster than I can block them

2. I've updated Drupal but all the Wordpress sites aren't necessarily managed by me.

3. I've enabled logs for TS but they don't seem to be helping

4. Perhaps the answer is understanding what kinds of bot attacks are common lately/now? To that end, http://www.webmasterworld.com/home.htm may have helpful information

Details:

root@fructis:/home/nrogara# w
09:28:05 up 10 days,  1:55,  2 users,  load average: 31.10, 30.61, 32.31
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
nrogara  pts/0    c-24-7-67-188.hs Wed13    1:01m  0.18s  0.00s sshd:
nrogara [priv]
nrogara  pts/1    142-254-1-80.dsl 09:00    5.00s  0.06s  0.01s sshd:
nrogara [priv]

root@fructis:/home/nrogara# !net
netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 |
sort | uniq -c | sort -nr | head
     12 72.37.249.84
     12 162.243.193.98
      7 91.207.5.157
      7 74.73.126.40
      4 184.73.22.102
      3 94.102.49.35
      3 199.255.208.91
      3 195.211.154.155
      3 174.21.231.10
      3 108.62.154.15

(again 2 minutes later)

root@fructis:/home/nrogara# netstat -tn 2>/dev/null | grep :80 | awk
'{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
     10 95.26.128.85
      6 67.170.85.225
      5 195.2.240.106
      4 24.7.67.188
      4 216.246.184.159
      3 206.51.125.66
      2 91.122.6.86
      2 79.143.187.214
      2 72.46.156.116
      2 50.115.172.177

Answer 1

You obviously can't keep up with this sort of attacker by hand. If they have that many IP addresses, this won't work.

Have you analyzed what the bots are doing? Are they trying to send spam? Scraping your web content? Trying for a DDoS?

A while back I developed a tool to handle cases not unlike this at the application level. Bad Behavior analyzes the metadata in HTTP requests to determine if a request is likely to be a spammer or other attacker, and blocks the request with an early 403 error before it ties up any resources executing your web application. It's available as a WordPress plugin and also as a Drupal module.

Bad Behavior will almost certainly be a significant help if the bots are trying to send spam, scraping your site, probing for security vunerabilities or attempting to brute force logins. If they're just doing a plain old DDoS, it probably won't help as much.

Another thing you can do is to make sure you are caching appropriately. For instance, Boost for Drupal and W3 Total Cache for WordPress. This will help somewhat, but if the bots are crawling your site, they will spend much of their time fetching uncached content, so it won't help as much in that case. It also won't help that much if the bots are primarily posting data, e.g. attempting to post spam.

You should also, if possible, temporarily increase your CPU and RAM allocations for the virtual machine, to help relieve some pressure. This may require you to stop and restart the virtual machine, but at this point that's a minor issue.

I've also on occasion written custom fail2ban regexes for specific bots which were doing particular abusive things, such as repeatedly attempting to register user accounts on Drupal. If your analysis of the server logs indicates that something very specific like that is going on, you may also be able to do something like this.