Wordpress VPS load issue due to attacks - Page 2

Comments

  • simple solution, don't use wordpress

    Thanked by: tux
  • @pedagang said:
    simple solution, don't use wordpress

    Simple and effective solution :D

    Thanked by: pedagang, tux
  • Tinku Member

    And I guess that attacking kick is back. WTH, not able to connect to my VPS to see what's going on. Reboot isn't helping and ping times out no matter how quickly I try to connect to the VPS after the reboot.

  • Tinku Member

    So I tried to connect to my VPS through the VNS in the panel and all I am seeing is this. I don't know what's going on, looks like a flood?

    Screenshot

  • black Member

    Looks like a SYN flood. Maybe it's a good idea to pick up a DDoS protected host and GRE tunnel your site traffic. Maybe try https://athenalayer.com/pricing.html free tier? I hear some people use them and they've been good but I haven't tried it myself. You should also ask your VPS host for an IP change once you put your website behind a reverse proxy / GRE tunnel.

  • Tinku Member

    @black said:
    Looks like a SYN flood. Maybe it's a good idea to pick up a DDoS protected host and GRE tunnel your site traffic. Maybe try https://athenalayer.com/pricing.html free tier? I hear some people use them and they've been good but I haven't tried it myself. You should also ask your VPS host for an IP change once you put your website behind a reverse proxy / GRE tunnel.

    OVH doesn't stop SYN floods? Is it possible to add an extra filter for this through CSF? I will look at AthenaLayer, thanks for providing the link.

  • black Member

    OVH should but if it's still able to take down your services then you need to seek other solutions.

  • black Member

    Wait... those source IPs are directly from cloudflare. You shouldn't block those SYN packets.

  • Tinku Member

    @black said:
    Wait... those source IPs are directly from cloudflare. You shouldn't block those SYN packets.

    Yea, I am using Cloudflare+OVH+CSF+cache but attackers are still having a regular fun day :(

  • black Member

    If you block SYN packets from CF then legit users will not be able to use your service.

    It's better to see what real IP addresses are attacking your website and use CF's firewall to drop those IPs. You might have to contact CF directly or use CF_CONNECTING_IP in the HTTP headers to get that information.
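
    The point black makes about CF_CONNECTING_IP has a catch worth showing in code: the header is only meaningful when the TCP connection really came in through Cloudflare's edge, because anyone who reaches the origin directly can put whatever they like in it. The following is an added example (not code from this thread or from Cloudflare): it checks the peer address against a trusted-proxy list before believing the header, then counts requests by the recovered client address. The proxy list is a constructed stand-in (198.51.100.0/24, a documentation range); in practice it is loaded from Cloudflare's published edge ranges. Headers are passed as a plain dict, not tied to any framework.

```python
"""Recover the real client IP behind Cloudflare without trusting a spoofable header.

Added example, not from the thread. The trusted proxy list is a constructed
stand-in (198.51.100.0/24 is a documentation range) for Cloudflare's published
edge ranges, which must be loaded from Cloudflare's own list in real use.
"""
import ipaddress
from collections import Counter

# Constructed stand-in for the published Cloudflare edge ranges.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def real_client_ip(remote_addr, headers):
    """Return the address that should be logged or blocked for this request.

    remote_addr: the TCP peer as seen by the web server.
    headers:     dict of HTTP request headers (any capitalisation).

    Only when the peer is a trusted proxy does CF-Connecting-IP describe the
    client. A direct hit on the origin carries an attacker-controlled header,
    so the peer address itself is the client in that case.
    """
    peer = ipaddress.ip_address(remote_addr)
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip")
    if claimed and any(peer in net for net in TRUSTED_PROXY_NETS):
        try:
            return str(ipaddress.ip_address(claimed.strip()))
        except ValueError:
            return remote_addr  # malformed header value: fall back to the peer
    return remote_addr


def top_talkers(requests, limit=3):
    """requests: iterable of (remote_addr, headers). Count by recovered client IP."""
    counts = Counter(real_client_ip(addr, hdrs) for addr, hdrs in requests)
    return counts.most_common(limit)


# Constructed sample: two requests via the proxy, one direct hit that spoofs the header.
SAMPLE = [
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.9"}),
    ("198.51.100.8", {"cf-connecting-ip": "203.0.113.9"}),
    ("192.0.2.50", {"CF-Connecting-IP": "203.0.113.9"}),  # bypassed the proxy
]

if __name__ == "__main__":
    for ip, n in top_talkers(SAMPLE):
        print(ip, n)
```

    Because a direct hit bypasses the header logic entirely, this pairs with the advice earlier in the thread to move the origin to a fresh IP once it sits behind the proxy: if the firewall only accepts HTTP from the proxy ranges, every request that gets through carries a header you can trust, and the counts above become usable input for Cloudflare's own firewall rules.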

  • FlamesRunner Member
    edited June 2016

    @black

    AthenaLayer?

    Ehhh, it's run by Nick Lim and he wasn't exactly the greatest person when it came to flashing his signature wherever he could.

    Thanked by: inthecloudblog
  • black Member

    FlamesRunner said: AthenaLayer?

    Ehhh, it's run by Nick Lim and he's not exactly the greatest person when it came to flashing his signature wherever he could.

    Ah ok. I never used his services so I'm not sure.

  • You need to block these requests at the firewall level. Have a look at your logs or just google the IP ranges that you should be blocking. If you are on CentOS, install csf. If you aren't on CentOS, you'll just need some iptables scripts in place to start blocking. It's less resource intensive to block at the iptables level. Also, when the script kiddies start seeing 5xx errors from their scripts, they'll stop hitting you. Good luck!

  • Tinku Member
    edited June 2016

    OK guys, I finally found one of his tricks and fixed it!

    I installed a real-time access log viewer to monitor traffic every second instead of opening the big access log file every time, and there I found these user agents attacking my site from hundreds and thousands of different IP addresses.

    All those user agents had one thing in common: they were some kind of fake WordPress pingbacks from different IPs, so what I did is that I created a simple condition in my nginx conf file to detect these user agents and return them 403. My VPS load was touching 20-50 during the attack and as soon as I applied the condition and restarted nginx the load came down to normal, and now those bots are still attacking but getting 403 in return and no more load on the VPS.

    Now waiting for his next move!

  • Tinku Member
    edited June 2016

    Using a PHP script to read the access log for these attacks, I came to know that in the last 30 minutes I received around 10,000 ping requests to my site.

    What I don't understand is that I already blocked access to my xmlrpc file, so how come the load was still building when the page wasn't even accessible? The load only came down once I returned 403 for those requests.
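
    An added example, not Tinku's PHP script or nginx configuration, covering both of the posts above: a Python pass over nginx "combined" access-log lines that flags requests whose User-Agent is the string a WordPress install sends when it fetches a page to verify a pingback, counts them inside a 30-minute window per source IP and per claimed origin site, and emits the nginx map/if pair that answers such agents with 403. The log lines and timestamps are constructed. It also explains the question in the second post: each of those agents is another WordPress site fetching one of your pages, not a call to your xmlrpc.php, so blocking your own xmlrpc.php leaves the path untouched, and the request still reaches PHP unless nginx refuses it first.

```python
"""Detect and size a fake-pingback flood from nginx access logs.

Added example, not the thread author's PHP script or nginx config. It assumes
nginx's default "combined" log format; every log line below is constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?:\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# User-Agent a WordPress install sends while verifying a pingback:
# "WordPress/<version>; <its home URL>; verifying pingback from <ip>".
PINGBACK_UA = re.compile(
    r"^WordPress/[\d.]+; https?://\S+; verifying pingback from ", re.I
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def pingback_report(lines, now, window_minutes=30):
    """Count pingback-verification hits in the window ending at `now`.

    Returns (total, per_source_ip, per_claimed_origin). The claimed origin is
    the URL inside the User-Agent: the WordPress site being used as a reflector.
    """
    cutoff = now - timedelta(minutes=window_minutes)
    total, sources, origins = 0, Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["time"] < cutoff:
            continue  # unparsable, or older than the window
        if not PINGBACK_UA.match(rec["ua"]):
            continue  # ordinary visitor
        total += 1
        sources[rec["ip"]] += 1
        origins[rec["ua"].split(";")[1].strip()] += 1
    return total, sources, origins


def nginx_deny_snippet():
    """nginx config that refuses those agents before PHP is ever invoked.

    The map belongs in the http{} block, the if{} in the server{} block.
    """
    return (
        'map $http_user_agent $is_pingback_bot {\n'
        '    default 0;\n'
        '    "~*verifying pingback from" 1;\n'
        '}\n'
        '# inside server { ... }\n'
        'if ($is_pingback_bot) { return 403; }\n'
    )


# Constructed sample: three reflector hits inside the window, one ordinary
# visitor, and one reflector hit that is too old to count.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2016:12:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" '
    '"WordPress/4.5.2; http://blog.example; verifying pingback from 203.0.113.5"',
    '203.0.113.6 - - [10/Jun/2016:12:10:15 +0000] "GET /?p=1 HTTP/1.1" 200 4870 "-" '
    '"WordPress/4.4; http://other.example; verifying pingback from 203.0.113.6"',
    '198.51.100.2 - - [10/Jun/2016:12:20:30 +0000] "GET /about/ HTTP/1.1" 200 8812 '
    '"http://search.example/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0"',
    '203.0.113.7 - - [10/Jun/2016:11:00:00 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" '
    '"WordPress/4.5.2; http://blog.example; verifying pingback from 203.0.113.7"',
    '203.0.113.5 - - [10/Jun/2016:12:25:00 +0000] "GET /about/ HTTP/1.1" 403 0 "-" '
    '"WordPress/4.5.2; http://blog.example; verifying pingback from 203.0.113.5"',
]
NOW = datetime(2016, 6, 10, 12, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    total, sources, origins = pingback_report(SAMPLE_LOG, NOW)
    print(f"{total} pingback-verification hits in the last 30 minutes")
    print("top source IPs:", sources.most_common(3))
    print("top reflector sites:", origins.most_common(3))
    print(nginx_deny_snippet())
```

    The per-origin count is the more useful of the two tables: the source IPs are other people's WordPress installs being pointed at you, and blocking them one by one is endless, whereas a `return 403` keyed on the User-Agent costs nginx almost nothing per request and never starts PHP, which is why the load fell as soon as the condition went in.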

  • @Tinku said:

    is a little synflood, install synproxy and you will be safe http://www.seflow.net/2/index.php/en/blog/synproxy-module-protect-yourself-by-syn-flood

  • @Tinku said:
    OK guys, I finally found one of his tricks and fixed it!

    I installed a real-time access log viewer to monitor traffic every second instead of opening the big access log file every time, and there I found these user agents attacking my site from hundreds and thousands of different IP addresses.

    All those user agents had one thing in common: they were some kind of fake WordPress pingbacks from different IPs, so what I did is that I created a simple condition in my nginx conf file to detect these user agents and return them 403. My VPS load was touching 20-50 during the attack and as soon as I applied the condition and restarted nginx the load came down to normal, and now those bots are still attacking but getting 403 in return and no more load on the VPS.

    Now waiting for his next move!

    Which log viewer ?

  • Tinku Member

    @Junkless said:
    Which log viewer ?

    Pimp My Log
    pimpmylog.com

    It's really cool with features to read nginx access log, error log and php error log with features like every x seconds refresh.

    Thanked by: Junkless, sin
  • Tinku Member

    @matteob said:

    @Tinku said:

    is a little synflood, install synproxy and you will be safe http://www.seflow.net/2/index.php/en/blog/synproxy-module-protect-yourself-by-syn-flood

    Is it going to work fine with Cloudflare? Because Cloudflare hides the real IP of users.

  • @Tinku said:

    cloudflare should protect you if you have business plan. If you have free plans cloudflare is useless on tcp attacks, so you need to switch to a ddos protected provider or upgrade cf to business plan.

  • Tinku Member

    @matteob said:

    @Tinku said:

    cloudflare should protect you if you have business plan. If you have free plans cloudflare is useless on tcp attacks, so you need to switch to a ddos protected provider or upgrade cf to business plan.

    I am using a DDoS protected VPS and free CF protection in front of it. I have noticed CF doesn't work when you use medium or high security, but when you select under attack mode then it works for some types of HTTP attacks. So what do you recommend, should I stop using CF or is there any way to get users' real IP with the free CF plan?

  • @Tinku said:
    I am using a ddos protected VPS

    Have you tried contacting your provider? They can analyze your attack and put custom filters in place for your needs. If they will not help you, search elsewhere for someone that can support you better.

  • Tinku Member

    @matteob said:

    @Tinku said:
    I am using a ddos protected VPS

    Have you tried contacting your provider? They can analyze your attack and put custom filters in place for your needs. If they will not help you, search elsewhere for someone that can support you better.

    Yea, changed many providers and different DDoS protections including Voxility, OVH and other in-house based ones, but no success. My current VPS provider has me on some permanent under attack mode because of the regular attacks, so under that mode services like ping to my IP are blocked.

  • Tinku Member

    @matteob I found the way to get the real IP from CF. Is it possible to use synproxy on CentOS 6.8 with kernel 2.6, or is the only way installing CentOS 7?

  • sin Member

    @Tinku said:

    @Junkless said:
    Which log viewer ?

    Pimp My Log
    pimpmylog.com

    It's really cool with features to read nginx access log, error log and php error log with features like every x seconds refresh.

    Here's another cool website log viewer/stats tool: https://goaccess.io/releases#v1.0

  • I used Pimp My Log, it's cool. I hope they add the country name/flag feature in the next update to make it even easier to detect.

  • Hi,
    no, synproxy was included from the 3.12 kernel and backported to CentOS 7.

    First check if you get a layer 7 attack. Use tcpdump during high load. A good command is

    tcpdump -nn -vvv -XX

    You will see if it is an attack and the pattern, and you can block away. Or maybe best is to choose a provider that offers layer 7 attack protection and technical support to identify the patterns. Providers like OVH and Voxility are not L7.

  • Tinku Member

    @matteob said:
    Hi,
    no, synproxy was included from the 3.12 kernel and backported to CentOS 7.

    First check if you get a layer 7 attack. Use tcpdump during high load. A good command is

    tcpdump -nn -vvv -XX

    You will see if it is an attack and the pattern, and you can block away. Or maybe best is to choose a provider that offers layer 7 attack protection and technical support to identify the patterns. Providers like OVH and Voxility are not L7.

    Thanks, I will try it out and will also confirm with my provider if they have layer 7 enabled.

  • jh_aurologic Member, Patron Provider

    @Tinku said:
    So i tried to connect to my VPS through the VNS in panel and all i am seeing is this i don't know whats going on looks like flood?

    Screenshot

    The reason is simple: each new connection generates a SYN packet which must get processed. If you have a few hundred or thousand connections, you will have a situation which may look like a synflood, but it isn't - it's simply a layer 7 flood which generates these warnings, which were generated by your software firewall ;)

  • Tinku Member

    @Kabeldamagement said:

    @Tinku said:
    So i tried to connect to my VPS through the VNS in panel and all i am seeing is this i don't know whats going on looks like flood?

    Screenshot

    The reason is simple: each new connection generates a SYN packet which must get processed. If you have a few hundred or thousand connections, you will have a situation which may look like a synflood, but it isn't - it's simply a layer 7 flood which generates these warnings, which were generated by your software firewall ;)

    But these warnings also appear on my PuTTY screen when I leave my SSH open for a while?
