Who can stop a attack to htpp server (i have access_log)

Question

Im under a DDOS attack that target http server, i try iptables and other measures but nothing seems to work. Here is part of access_log:

109.237.214.239 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?s33817297772r250884742883f92322299438598195591257069r HTTP/1.1" 301 295 "https://www.google.al/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 63.0; PPC; .NET CLR; Trident/59.0)"
109.237.214.239 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?S186879189386g204278779975PY70402618351E157376382842A HTTP/1.1" 301 295 "https://www.google.al/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 63.0; PPC; .NET CLR; Trident/59.0)"
109.237.214.239 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?y207943003016G2201421978843y132569157668N229970834500m HTTP/1.1" 301 296 "https://www.google.al/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 63.0; PPC; .NET CLR; Trident/59.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?b1033848070268158095038946yn101405159479e96245591002w HTTP/1.1" 301 295 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?M85480749584j74977563880Bp271099760912E80495871087c HTTP/1.1" 301 293 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?K261824748023B182524110184Mt46360453528p228247814734E HTTP/1.1" 301 295 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?&50760905483F94530953757MH95149280799F28458563126c HTTP/1.1" 301 296 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?m83429146801D1533461437480c208093700180V180002903550H HTTP/1.1" 301 295 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?P1727505211805124392251694ZS206387942906e76306212493l HTTP/1.1" 301 295 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?s82784850221466220627931B8265218767325u113518367783x HTTP/1.1" 301 294 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?K97179287541E15893924445o473499030528t59224747203k HTTP/1.1" 301 292 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?691410513245I79181565805v321581391791I3884604423a HTTP/1.1" 301 291 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?4198191451769p239541509341wD1896383510214269262196413B HTTP/1.1" 301 296 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?0167987625540e1215937323710g101215724494A213839718620L HTTP/1.1" 301 296 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?y237976285203O824680059186L173830871904649378747328V HTTP/1.1" 301 294 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?K42314044586u952381668331e251035250697O263368559864R HTTP/1.1" 301 294 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?W260478902972O197983066242Od227056128977972874469796c HTTP/1.1" 301 295 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
109.237.214.239 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?C86022852440R148387484456Qt34424023534x220799972703a HTTP/1.1" 301 294 "https://www.google.am/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (Linux i686; rv:41.0) Gecko/20210225 Firefox/41.0"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?y10719190794Q164454427002Qt139054158801Y18152466163j HTTP/1.1" 301 294 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
109.237.214.239 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?628104924938X479183041068A70898658121975789012844A HTTP/1.1" 301 292 "https://www.google.am/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (Linux i686; rv:41.0) Gecko/20210225 Firefox/41.0"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?h115701382502x41495646454bT194441737893m159101109396A HTTP/1.1" 301 295 "https://www.youtube.com/www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 16.0; Win3.11; Trident/10.0)"
51.116.183.98 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?L2432768823104700431176088221405119525F24472573434j HTTP/1.1" 301 293 "https://vk.com/profile.php?redirect=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/17.0)"
109.237.214.239 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?2199605088692B15592269563&l120478638807&165924411747e HTTP/1.1" 301 303 "https://www.google.am/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (Linux i686; rv:41.0) Gecko/20210225 Firefox/41.0"
185.107.82.164 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?J184077108586f120115370828S2164708750642f143781167355V HTTP/1.1" 301 296 "https://www.google.com.ag/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 24.0; Intel Mac OS X; Trident/49.0)"
185.107.82.164 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?n84679349071E42182548fj47445327961283707666397o HTTP/1.1" 301 289 "https://www.google.com.ag/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 24.0; Intel Mac OS X; Trident/49.0)"
185.107.82.164 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?Q75728286248285907682240JK152517240570g12127749859k HTTP/1.1" 301 293 "https://www.google.com.ag/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 24.0; Intel Mac OS X; Trident/49.0)"
185.107.82.164 - - [29/Aug/2021:17:39:37 +0000] "GET /foro?c42502081472&371774402042o262146662149Y146388175936P HTTP/1.1" 301 298 "https://www.google.com.ag/search?q=www.atlantis-ro.com/foro" "Mozilla/5.0 (compatible; MSIE 24.0; Intel Mac OS X; Trident/49.0)"

Seems a lot of connections but iptables won't stop the attack, ther is my iptables rules:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 147.135.37.113 -j ACCEPT

iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -N LOG_AND_DROP

iptables -N PORT21
iptables -A PORT21 -m recent --set --name lp21
iptables -A PORT21 -m recent --update --seconds 30 --hitcount 3 --name lp21 -j DROP
iptables -A PORT21 -m recent --update --seconds 300 --hitcount 10 --name lp21 -j LOG_AND_DROP

iptables -N PORT22
iptables -A PORT22 -m recent --set --name lp22
iptables -A PORT22 -m recent --update --seconds 30 --hitcount 3 --name lp22 -j DROP
iptables -A PORT22 -m recent --update --seconds 300 --hitcount 10 --name lp22 -j LOG_AND_DROP

iptables -N PORT80
iptables -A PORT80 -m recent --set --name lp80
iptables -A PORT80 -m recent --update --seconds 30 --hitcount 20 --name lp80 -j LOG_AND_DROP

iptables -N PORT443
iptables -A PORT443 -m recent --set --name lp433
iptables -A PORT443 -m recent --update --seconds 30 --hitcount 20 --name lp443 -j LOG_AND_DROP

iptables -N PORT10000
iptables -A PORT10000 -m recent --set --name lp10000
iptables -A PORT10000 -m recent --update --seconds 30 --hitcount 20 --name lp10000 -j LOG_AND_DROP

iptables -N PORT6900
iptables -A PORT6900 -m recent --set --name lp6900
iptables -A PORT6900 -m recent --update --seconds 30 --hitcount 10 --name lp6900 -j LOG_AND_DROP
iptables -A PORT6900 -m recent --update --seconds 50 --hitcount 20 --name lp6900 -j LOG_AND_DROP

iptables -N PORT6121
iptables -A PORT6121 -m recent --set --name lp6121
iptables -A PORT6121 -m recent --update --seconds 30 --hitcount 10 --name lp6121 -j LOG_AND_DROP
iptables -A PORT6121 -m recent --update --seconds 50 --hitcount 20 --name lp6121 -j LOG_AND_DROP

iptables -N PORT5121
iptables -A PORT5121 -m recent --set --name lp5121
iptables -A PORT5121 -m recent --update --seconds 30 --hitcount 10 --name lp5121 -j LOG_AND_DROP
iptables -A PORT5121 -m recent --update --seconds 50 --hitcount 20 --name lp5121 -j LOG_AND_DROP

iptables -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name pings --hashlimit-mode srcip --hashlimit 10/min --hashlimit-burst 10 --hashlimit-htable-expire 30000 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/min -j LOG --log-prefix "[Pings]"
iptables -A INPUT -p icmp -j DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j PORT21
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j PORT22
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j PORT80
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j PORT443
iptables -A INPUT -p tcp --dport 10000 -m state --state NEW -j PORT10000

iptables -A INPUT -p tcp --dport 6900 -m state --state NEW -j PORT6900
iptables -A INPUT -p tcp --dport 6121 -m state --state NEW -j PORT6121
iptables -A INPUT -p tcp --dport 5121 -m state --state NEW -j PORT5121

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-name p80 --hashlimit-mode srcip --hashlimit 50/min --hashlimit-burst 100 --hashlimit-htable-expire 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m hashlimit --hashlimit-name p443 --hashlimit-mode srcip --hashlimit 50/min --hashlimit-burst 100 --hashlimit-htable-expire 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -m hashlimit --hashlimit-name p10000 --hashlimit-mode srcip --hashlimit 50/min --hashlimit-burst 100 --hashlimit-htable-expire 10000 -j ACCEPT

iptables -A INPUT -p tcp --dport 6900 -j ACCEPT
iptables -A INPUT -p tcp --dport 6121 -j ACCEPT
iptables -A INPUT -p tcp --dport 5121 -j ACCEPT

iptables -A LOG_AND_DROP -m limit --limit 10/min -j LOG --log-prefix "[Log]"
iptables -A LOG_AND_DROP -j DROP

#iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "[Default]"
iptables -A INPUT -d 147.135.37.113 -j DROP

I try everything but i can stop this attack that make the http server consume all CPU resources. Any advice will be welcomed.

score 0 · Answer 1 · answered Sep 02 '21 at 14:31

The problem solved with this simple iptables (maybe the other rules were too messy)

iptables -A INPUT -i eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eno1 -m state --state INVALID -j DROP
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eno1 -p icmp -j ACCEPT
iptables -A INPUT -i eno1 -j DROP

The attacks keep coming but don't colapse the server.

score -1 · Answer 2 · answered Aug 29 '21 at 19:26

-1

sudo apt install ufw

sudo ufw deny from 51.116.183.98 to any

answered Aug 29 '21 at 19:26

mister_cool_beans

1,441
1
8
19

Who can stop a attack to htpp server (i have access_log)

2 Answers2