[opencms-dev] Ddos attack

Andreas Ernst ae at ae-online.de
Thu Jun 23 18:26:00 CEST 2022


Hi Andrew,

On 23.06.22 at 14:05, Диканский Андрей Юрьевич via opencms-dev wrote:
> Hello All!
> 
> 
> Our site is under DDoS attack. We are using OpenCms 10.5.4.
> 
> We have lots of entries in the Apache access log like this:
> 
> 111.119.195.30 - - [20/Jun/2022:08:49:55 +0300] "GET / HTTP/1.1" 301 6264 "http://www.villamagnoliarelais.com/plugins/system/plugin_googlemap2/plugin_googlemap2_proxy.php?url=https%3A//www.ncfu.ru/" "Links (2.1pre20; NetBSD 2.1_STABLE i386; 145x54)"
> 
> We made an Apache rule in our config:
> 
> RewriteCond "%{HTTP_REFERER}" "plugin_googlemap2"
> RewriteRule ^.*$ - [F]
> 
> Now we have 403 in the Apache access log. But the server still loses 
> the connection, and we get a connection timed out error.
> 
> We made another virtual machine with nginx in order to filter traffic 
> and pass only filtered requests to OpenCms.
> 
> But when we switch our traffic over to the nginx machine, OpenCms works 
> for a short time and then fails. In the OpenCms log I can see the error: 
> MySQLNonTransientConnectionException: Data source rejected establishment 
> of connection, message from server: "Too many connections".
> 
> The nginx machine generates enormous traffic to the OpenCms machine, and 
> it cannot manage it.
> 
> The nginx log looks like this:
> 
> - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301 -
> 10.200.1.88 - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301 -
> 10.200.1.88 - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301 -
> 10.200.1.88 - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301 -
> 10.200.1.88 - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301 -
> 10.200.1.88 - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301 -
> 10.200.1.88 - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301 -
> 10.200.1.88 - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301

This does not answer your question directly.

Why not use fail2ban, filter the access.log for 301 errors, with let's 
say 5 to 10 fails and then block this IP with the Firewall?

HTH
Andreas
-- 
ae | Andreas Ernst | IT Spektrum
Postfach 5, 65612 Beselich
Schupbacher Str. 32, 65614 Beselich, Germany
Tel: +49-6484-91002 Fax: +49-6484-91003
ae at ae-online.de | www.ae-online.de
www.tachyon-online.de
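
The counting that the fail2ban suggestion above relies on, as an added example that is not part of the original e-mail and is not fail2ban's own code: it counts 301 responses per client over a sliding window, which is what fail2ban's `maxretry` and `findtime` settings express, and skips RFC 1918 sources such as the 10.200.1.88 seen in the quoted nginx log. The function name, the thresholds, the choice to skip internal addresses and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Start of a combined-format access log line: client, ident, user, [time], "request", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3})(?: |$)')
# RFC 1918 ranges. Assumption: hits from these come from our own proxy or LAN.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ips_to_ban(lines, status="301", max_retry=5, find_time=60, skip_internal=True):
    """Return client IPs that got max_retry or more `status` responses within find_time seconds."""
    window = timedelta(seconds=find_time)
    hits = defaultdict(deque)  # ip -> timestamps of matching requests still inside the window
    banned = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != status:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # client field is a hostname, not an IP address
        if skip_internal and any(ip in net for net in INTERNAL):
            continue  # banning a reverse proxy's address would block every visitor
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = hits[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # forget hits older than the window
        if len(q) >= max_retry and str(ip) not in banned:
            banned.append(str(ip))
    return banned

# Constructed sample lines (203.0.113.x and 198.51.100.x are documentation addresses).
SAMPLE = (
    ['203.0.113.7 - - [23/Jun/2022:14:02:%02d +0300] "GET / HTTP/1.1" 301 6264' % s for s in range(6)]
    + ['10.200.1.88 - - [23/Jun/2022:14:02:04 +0300] "GET /opencms/ HTTP/1.1" 301 -'] * 8
    + ['198.51.100.9 - - [23/Jun/2022:14:0%d:00 +0300] "GET / HTTP/1.1" 301 6264' % m for m in range(5)]
)

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE))                       # fast external client only
    print(ips_to_ban(SAMPLE, skip_internal=False))  # also flags the internal address
```

Counting per IP only helps on a log that records the external client address; the quoted nginx excerpt shows only 10.200.1.88.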

