
Question Trident & Presto Bot Attacks – Large Number of IPs Detected | Fail2Ban

WebHostingAce

Silver Pleskian
Server operating system version: AlmaLinux 8.10 (Cerulean Leopard)
Plesk version and microupdate number: Plesk Obsidian 18.0.71 Update #2
Hi everyone,

I’m currently experiencing heavy attacks from bots using Trident and Presto user agents.

At first, I tried adding these bots to the plesk-apache-badbot jail in Fail2Ban, but this quickly led to over 100,000 IP addresses being discovered.

Since that number is extremely high, I decided to configure and use the iptables-ipset-proto6-allports action in Fail2Ban to handle the blocking more efficiently.

My main questions are:

1. Why am I seeing such a large number of unique IPs?

2. Are these real IP addresses, or are the requests being spoofed somehow?

3. Is there a more effective approach for dealing with these kinds of botnets? (without CloudFlare)

Any advice or insights would be greatly appreciated.

Thank you!
 
Hi,

We recently had a similar problem where fail2ban blocked some 300,000 IP addresses. The system was sluggish, and the IRQ scheduling process used most of the CPU. After flushing the BadBot jail from iptables the system recovered instantly. Restarting Fail2Ban tried to load all the IP addresses into iptables.

Most of the requests in our case were blocked at the Nginx level using Nginx Bad Bot Blocker. However, the Fail2Ban jail also matched the blocked requests with HTTP code 444, and thus also added the IP to the BadBot jail. You can modify the jail to block only after several requests (by default it is 1 request), or match only specific HTTP codes.

> 1. Why am I seeing such a large number of unique IPs?

We've observed large networks sourcing requests for whoever buys the traffic, including LLM bots scraping the internet.

> 2. Are these real IP addresses, or are the requests being spoofed somehow?

I think they are real IP addresses.

> 3. Is there a more effective approach for dealing with these kinds of botnets? (without CloudFlare)

You can use a combination of Bad Bot Blocker and BotStopper to block bots and bad actors.
 
@Raul A. Thank you for the reply.

I have disabled the plesk-apache-badbot jail and created a new jail with

Code:
[apache-badbot-custom]
enabled = true
filter = apache-badbots
action = iptables-ipset-proto6-allports[name="badbots-custom", protocol="all", ipsettype="hash:ip", maxelem="262144"]
logpath = /var/www/vhosts/system/*/logs/*access*log
          /var/log/httpd/*access_log
maxretry = 1

I'm using,

Also in NGINX,

Code:
# Block UAs containing "Presto" or "Trident"
if ($http_user_agent ~* (Presto|Trident)) {
    return 403;
}

My sites are Magento 2 websites. I'm not sure what else to do.

131,789 IPs detected and counting.
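As an added illustration (not code from either poster), the script below replays the reply's advice against a few constructed access-log lines: it applies the same Presto/Trident user-agent match as the jail above, and shows how raising maxretry and counting only already-rejected requests (403/444) shrinks the set of IPs the jail would ban. It ignores fail2ban's findtime window, which is an assumption made to keep the example short.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format; the status code is captured so the
# filter can be restricted to specific HTTP codes, as the reply suggests.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Same user-agent match as the nginx rule and the badbot jail in the thread.
BAD_UA = re.compile(r'Presto|Trident', re.IGNORECASE)

# Constructed sample lines (documentation-range IPs): one Trident hit served
# 200, one IP tripping the nginx 403 rule three times, one single 403 hit,
# and a normal browser that must never be counted.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)"
203.0.113.11 - - [10/Jun/2025:10:00:02 +0000] "GET / HTTP/1.1" 403 153 "-" "Opera/9.80 Presto/2.12"
203.0.113.11 - - [10/Jun/2025:10:00:03 +0000] "GET /a HTTP/1.1" 403 153 "-" "Opera/9.80 Presto/2.12"
203.0.113.11 - - [10/Jun/2025:10:00:04 +0000] "GET /b HTTP/1.1" 403 153 "-" "Opera/9.80 Presto/2.12"
203.0.113.12 - - [10/Jun/2025:10:00:05 +0000] "GET / HTTP/1.1" 403 153 "-" "Mozilla/5.0 (Trident/7.0)"
203.0.113.13 - - [10/Jun/2025:10:00:06 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux) Firefox/126"
"""

def candidate_bans(log_text, maxretry=1, statuses=None):
    """Return {ip: hits} for IPs whose bad-UA hit count reaches maxretry.

    statuses=None counts every matching request (what maxretry = 1 with the
    stock apache-badbots filter does); a set such as {403, 444} counts only
    requests the web server already rejected, so a single stray hit that was
    served normally does not by itself fill the ipset."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not BAD_UA.search(m.group("ua")):
            continue
        if statuses is not None and int(m.group("status")) not in statuses:
            continue
        hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= maxretry}

if __name__ == "__main__":
    print("maxretry=1, any status: ", candidate_bans(SAMPLE_LOG))
    print("maxretry=1, 403/444 only:", candidate_bans(SAMPLE_LOG, 1, {403, 444}))
    print("maxretry=3, 403/444 only:", candidate_bans(SAMPLE_LOG, 3, {403, 444}))
```

Run it against a real vhost log to see how much of the 131,789-entry set comes from single hits before changing maxretry on the live jail.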
 