Auto-Ban IP

Discussion in 'Security' started by Mave, Nov 15, 2007.

  1. #1
    Hello,

    I've been getting many DDoS attacks lately and having to manually ban the IP with APF; sometimes I'm not there to watch the site and it will go down for days on end.

    So how would I [the best option] block IPs (using whatever method, preferably "apf -d x.x.x.x") automatically? I've got antidos but it doesn't seem to work?


    x.x.x.x - - [16/Nov/2007:01:03:14 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"
    x.x.x.x - - [16/Nov/2007:01:03:14 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"
    x.x.x.x - - [16/Nov/2007:01:03:14 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"
    x.x.x.x - - [16/Nov/2007:01:03:14 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"
    x.x.x.x - - [16/Nov/2007:01:03:14 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"
    x.x.x.x - - [16/Nov/2007:01:03:14 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"
    x.x.x.x - - [16/Nov/2007:01:03:14 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"
    x.x.x.x - - [16/Nov/2007:01:03:15 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"
    x.x.x.x - - [16/Nov/2007:01:03:15 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"
    x.x.x.x - - [16/Nov/2007:01:03:14 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"
    x.x.x.x - - [16/Nov/2007:01:03:15 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"
    Where x.x.x.x is the IP. That is in my server usage log; there were about 100 of those, this is just a clip of it. Obviously that was a DDoS attack, as there are 10+ requests for the index page only in a second, as well as there being no referrer information.

    How would it be able to detect those from IPs that are just visiting pages with a lot of images and might rack up 40 requests in a second, that are legit requests?


    Final question: Best option for automatically detecting and banning IPs that are DDoS attacking a website?


    Thanks :D
     
    Mave, Nov 15, 2007 IP
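The pattern the first post describes (a burst of identical requests for the index page with no referrer and no user agent, versus a browser pulling many distinct images in the same second) can be separated by looking at more than the raw request rate. The script below is an added example written for this thread, not something posted by Mave or shipped with APF/BFD. It assumes the Apache combined log format shown above, uses constructed sample lines with RFC 5737 documentation addresses, and the thresholds (10 requests per second, at most 2 distinct URLs, 90% header-less) are arbitrary starting points to tune against your own logs. It only prints the `apf -d` commands the poster already uses; it does not run them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the Apache/NCSA "combined" log format seen in the thread, e.g.
#   1.2.3.4 - - [16/Nov/2007:01:03:14 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def peak_rate(records, window):
    """Highest number of requests from one client inside any `window`-second span."""
    records.sort(key=lambda r: r["ts"])
    peak, start = 0, 0
    for end in range(len(records)):
        # slide the window start forward until it is within `window` seconds of this request
        while (records[end]["ts"] - records[start]["ts"]).total_seconds() >= window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_flood_ips(lines, window=1, threshold=10, max_distinct_targets=2, min_headerless=0.9):
    """Return {ip: reason} for clients matching the flood pattern from the post: a burst above
    `threshold` requests per `window` seconds, aimed at very few URLs, with almost every request
    lacking both Referer and User-Agent. A burst alone is NOT enough, which is what keeps an
    image-heavy page load (many distinct URLs, browser headers present) from being banned."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        peak = peak_rate(recs, window)
        if peak < threshold:
            continue  # rate is fine, nothing to look at
        distinct_targets = {r["target"] for r in recs}
        headerless = sum(1 for r in recs if r["referer"] == "-" and r["ua"] == "-") / len(recs)
        if len(distinct_targets) <= max_distinct_targets and headerless >= min_headerless:
            flagged[ip] = (f"{peak} requests in {window}s, {len(distinct_targets)} URL(s), "
                           f"{headerless:.0%} without Referer/User-Agent")
    return flagged


def ban_commands(flagged):
    """Build the APF deny commands for an operator to review; nothing is executed here (dry run)."""
    return [f"apf -d {ip}" for ip in sorted(flagged)]


# Constructed sample log (RFC 5737 documentation addresses, not real clients):
#  - 203.0.113.7: 12 hits on the index page in one second, no UA/Referer (the post's pattern)
#  - 198.51.100.20: 12 image requests in the same second, but with a browser UA and a Referer
#  - 192.0.2.9: index page with no headers, but only 3 hits spread over 10 seconds
SAMPLE_LOG = (
    ['203.0.113.7 - - [16/Nov/2007:01:03:14 +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"'] * 12
    + [f'198.51.100.20 - - [16/Nov/2007:01:03:14 +0000] "GET /images/photo{i:02d}.jpg HTTP/1.1" 200 4096 '
       f'"http://www.example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"' for i in range(12)]
    + [f'192.0.2.9 - - [16/Nov/2007:01:03:{s:02d} +0000] "GET http://www.example.com HTTP/1.0" 200 11680 "-" "-"'
       for s in (20, 25, 30)]
)

if __name__ == "__main__":
    hits = find_flood_ips(SAMPLE_LOG)
    for ip, why in hits.items():
        print(f"{ip}: {why}")
    print("\n".join(ban_commands(hits)))
```

Run it over a real access log with `find_flood_ips(open("/path/to/access_log"))` and review the printed `apf -d` lines before applying them; once the thresholds stop flagging legitimate visitors, the same function can feed a cron job that runs the commands. Keep a whitelist (your own monitoring hosts, office IPs) in front of any automatic ban.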
  2. creaws

    creaws Peon
    #2
    You can try BFD/APF, they work great together.

    BFD scans logs and sends to APF the IPs that are exceeding connections, then APF does an "apf -d IP" and the IP is blocked.

    Refer to http://rfxnetworks.com/bfd.php, there you will find more information.

    Regards,
     
    creaws, Nov 15, 2007 IP
  3. Mave

    Mave Peon
    #3
    I will definitely give it a try, thanks!

    But I am wondering, will it cause a false alarm for legit users? Because looking in my logs, I see some IPs rack about 50 in a row, but they are legit (different images). I can tell if they aren't because they lack browser info and, of course, are all loading to the index only.
     
    Mave, Nov 15, 2007 IP
  4. creaws

    creaws Peon
    #4
    You can configure the way it handles abusive connections by editing /usr/local/bfd/conf.bfd, its configuration file.

    It works very well with all servers we managed; you may give it a try and tweak the configuration file to your needs after reading the documentation.

    Hope it helps :)
     
    creaws, Nov 15, 2007 IP
  5. ray9

    ray9 Guest
    #5
    BFD won't help you; that works only if people try to log in with wrong usernames or passwords (as BFD stands for Brute Force Detection).

    Your first defense should be mod_evasive, this will automatically block IPs if they open too many connections. You can specify the amount of time they are banned.
    If that is not enough: google for ddos_deflate and see if that helps better.
     
    ray9, Nov 15, 2007 IP
  6. Mave

    Mave Peon
    #6
    Thanks Ryan.

    Yes, I just installed this and noticed that it was probably not what I wanted.

    I will give that a try now :D
     
    Mave, Nov 15, 2007 IP
  7. jexxie

    jexxie Peon
    #7
    I would recommend ditching apf/bfd and using ConfigServer's freely available csf/lfd package. It works extremely well and provides a WHM interface, so you don't need to log into the shell for banning or unbanning IP addresses.

    It works very well, and can automatically update itself via cron. Much better than APF in my opinion, and lfd works great!
     
    jexxie, Nov 15, 2007 IP
  8. Mave

    Mave Peon
    #8
    Okay, but the question remains: is there a way to auto-detect and auto-ban with ConfigServer's?
     
    Mave, Nov 15, 2007 IP
  9. WiredTree Zac

    WiredTree Zac Peon
    #9
    Look into mod_evasive for Apache. If properly configured it may help you out.
     
    WiredTree Zac, Nov 15, 2007 IP