Issue 600 requests in one second: How to prevent this attack

ahoi · Aug 18, 2021

Hello everybody,

one of my servers is facing recurring "attacks" like this:

Bash:

/var/log/nginx/access.log
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /backup HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /newsite HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET / HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /old HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /test HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /wordpress HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /wp HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /cms HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /main HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /blog HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /new HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /dev HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /cms HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /new HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /blog HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /backup HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /dev HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /dev HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /main HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /newsite HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /cms HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /backup HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET / HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /wp HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /old HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET / HTTP/1.1" 301 162 "-" "-"

I truncated the full logs, but altogether there are more than 1000 requests made in one or two seconds.

I am thinking about some rate-limiting using iptables, but maybe Plesk is already providing something built-in which I did not found out yet?

Love to get some advice

IgorG · Aug 18, 2021

What DDoS protection tools are available in Plesk

Applicable to: Plesk for Linux Plesk for Windows Question What DDoS protection tools does Plesk have? Answer The following extensions for Plesk help mitigate DDoS attacks: (D)DoS Deflate Inter...

support.plesk.com

tkalfaoglu · Aug 19, 2021

Try mod evasive.. How to Install and Configure ModEvasive with Apache on Ubuntu 18.04

danami · Aug 19, 2021

Our Juggernaut Firewall extension can deal with easily:

How can I block DDoS attacks using Juggernaut Firewall? - Knowledgebase - Danami

Issue 600 requests in one second: How to prevent this attack

ahoi

Basic Pleskian

IgorG

Plesk addicted!

What DDoS protection tools are available in Plesk

tkalfaoglu

Silver Pleskian

danami

Silver Pleskian

Similar threads