
Recently I've been experiencing lots of layer 7 DDoS attacks on my website. Specifically, an HTTP GET request flood on the index page (~20k r/s). My server is at OVH, so it's not overloading the pipe; however, is there a way using iptables I can detect IPs who are making excessive requests, and drop their connections to avoid overloading my web server? Or is there a better solution to filter these packets all the same while not negatively affecting legitimate clients?

I'm using Apache on Ubuntu 12.04.

Xavier Lucas
user3407675

1 Answer


Because HTTP is TCP and TCP requires bi-directional communication, the source addresses of the attacks are actually the attack sources.

Since the sources are known and not spoofed, you can rate-limit in iptables to greatly reduce the request volume per source.

If there are too many sources to get the load manageable that way, you will need to find something about the requests to be able to classify them as droppable, then have your web server drop them. Ideas:

  • Requests all for the same specific resource?
  • Irregular headers (are they not requesting compression? sending HTTP/1.0? sending no cookies when normal users would)
  • Same or predictable user agent?
Shane Madden
  • So could I filter by volume? Such as saying 1 IP is making like 100 requests for the same page per second? If so, how would I do this? I'm not hugely experienced with iptables. – user3407675 Mar 19 '15 at 22:28
  • Right - in iptables it's by *packets* and not *requests*, but yeah - something like [this](http://serverfault.com/questions/290724/limit-icmp-per-source-ip-with-iptables) is what you'll want, setting it up for TCP port 80 instead of ICMP. – Shane Madden Mar 19 '15 at 22:34
  • Are there any WAF, IPS, UTM solutions that can identify HTTP/7 attack patterns, e.g. drop if there are only GETs and no POSTs, drop if there are too many 401 or 302, etc.? – computinglife May 14 '21 at 08:32
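The iptables approach from the answer and Shane's follow-up comment, as an added example that is not from the original thread: per-source rate limiting of new connections to TCP/80 with the hashlimit match, with the offending sources logged before they are dropped. The thresholds (20 new connections/sec per IP, burst 40) and the ADMIN_NET range are assumptions to tune for your own traffic.

```shell
#!/bin/sh
# Added example, not from the original answer: iptables rate limit for new
# TCP/80 connections per source IP using the hashlimit match, as the comments
# suggest. iptables sees packets, not HTTP requests, so matching --syn limits
# connection attempts; a client's established keep-alive connection is untouched.

PORT="${PORT:-80}"
NEW_PER_SEC="${NEW_PER_SEC:-20}"   # assumed threshold: new connections/sec per source IP
BURST="${BURST:-40}"               # assumed burst allowance before drops begin
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"  # placeholder: your own monitoring/admin range

# Emit the ruleset as text so it can be reviewed before anything is applied.
http_flood_rules() {
    cat <<EOF
iptables -N HTTP_FLOOD
iptables -A HTTP_FLOOD -m limit --limit 6/min -j LOG --log-prefix "HTTP_FLOOD: "
iptables -A HTTP_FLOOD -j DROP
iptables -A INPUT -p tcp --dport ${PORT} -s ${ADMIN_NET} -j ACCEPT
iptables -A INPUT -p tcp --dport ${PORT} --syn -m hashlimit --hashlimit-mode srcip --hashlimit-name http_flood --hashlimit-above ${NEW_PER_SEC}/sec --hashlimit-burst ${BURST} -j HTTP_FLOOD
EOF
}

# Count the rules that would be installed (handy as a pre-flight check).
rule_count() {
    http_flood_rules | grep -c '^iptables'
}

# Apply for real (needs root); the lines are our own generated text, so eval is safe here.
apply_rules() {
    http_flood_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

case "${1:-}" in
    --show)  http_flood_rules ;;
    --apply) apply_rules ;;
esac
```

Watch `iptables -L HTTP_FLOOD -v -n` to see which sources are being dropped; if many legitimate users sit behind one NAT address, raise NEW_PER_SEC and BURST rather than dropping them along with the flood.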