attacked by 100s of POST requests

[xbaha]

hi,
is there any module in cpanel that limits how may connections per ip per 1 minute?
i am getting 100s of requests like these:

Srv	PID	Acc	M	CPU	SS	Req	Conn	Child	Slot	Client	VHost	Request
0-80	14688	0/10/494	_	2.34	0	881	0.0	0.14	6.82	54.243.185.88	xxxx.com:80	POST /holidays/ HTTP/1.1
1-80	14770	0/1/436	_	0.25	0	584	0.0	0.01	6.04	54.243.185.88	xxxx.com:80	POST /holidays/ HTTP/1.1
2-80	14696	0/12/224	_	2.65	1	1541	0.0	0.17	3.09	54.243.185.88	xxxx.com:80	POST /holidays/ HTTP/1.1

and id like to ban this ip for X amount of time after he reaches the limit.

please help, as these damn requests max the CPU, and for what?? god knows!!!

 

[Infopro]

Searching that IP I came across this:
/http://support.tinfoilsecurity.com/customer/portal/articles/955062-scanning-through-a-firewall

Do you have CSF installed?

 

[quizknows]

Does the URI /holidays/ or the file /holidays/index.php actually need to accept POST data? Like is there a login form or anything?

I see a lot of POST attacks trying for DoS, but usually just for "/" where they just post garbage data. The payload is literally something like AAAHHHHHHHHHHGGGGGGGGUUUUUUWWWWWWWBNNNNNNGGGGGGGGGGGGGGGG

If the URL "/holidays/" does not need to accept POST requests, then this is very easy to deny with ModSecurity.

SecRule REQUEST_URI "^\/holidays\/$" "deny,id:178465,chain"
SecRule REQUEST_METHOD "POST"

 

[xbaha]

/holiday has a post, i have a register form on all my website pages, so all the website can accept post.
this ip address is scanning all my website pages and make 1000s of posts to each page,
all the URLs this IP POSTs to are correct, i dont know of anyway to stop this attacker, so i was thinking to limit him after many requests per second!

and i dont have CSF installed, not sure if it does what i want...

- - - Updated - - -

i think i did register with this company early today!
i didnt know that it's going to be like this!
but in anyway, that's good to be aware of such an attack...

 

[Infopro]

You want CSF installed.

but in anyway, that's good to be aware of such an attack...

It was a scan, it seems. If it had been an actual attack, you'd probably be in far more trouble. Guessing of course.

Install CSF. It will be very helpful for many things you may not even know you want, yet.

 

[quizknows]

Rate limiting is certainly one option.

Another option is inspecting the POST data for things that should not be submitted. For example if the POST data contains invalid fields or the exact same data over and over, you can block requests based on those attributes using a more advanced ModSecurity rule.

Another good option is in many cases, post requests from bots/scans/attacks are missing the referring URL. Check your domain access logs to see if there is a referring URL. If there is not, then I could give you an easy modsecurity rule to block the POSTs that are missing referrer data (any real visitor will submit POSTs with a referrer)

 

[xbaha]

quiczknows, thank you.
i guess that's exactly what i want...
POSTs requests has no referring URL, please give me the method to block them...
thanks!

- - - Updated - - -

thank you,
i just installed CSF,
didnt want to block the ip, rather limit his connection per 30 seconds to 300...
lets see...

 

[quizknows]

Here is the rule to block the POSTs with no referrer. If you have cPanel/WHM 11.46 you can add it via WHM, otherwise add to your modsec2.user.conf file.

SecRule REQUEST_URI "^\/holidays\/$" "deny,id:178465,chain"
SecRule REQUEST_METHOD "POST" "chain"
SecRule &HTTP_REFERER "@eq 0"

If they start attacking a different url, you can copy that whole rule (all 3 lines) to a new rule, and change the REQUEST_URI and the rule id: number.

 

[xbaha]

Here is the rule to block the POSTs with no referrer. If you have cPanel/WHM 11.46 you can add it via WHM, otherwise add to your modsec2.user.conf file.

SecRule REQUEST_URI "^\/holidays\/$" "deny,id:178465,chain"
SecRule REQUEST_METHOD "POST" "chain"
SecRule &HTTP_REFERER "@eq 0"

If they start attacking a different url, you can copy that whole rule (all 3 lines) to a new rule, and change the REQUEST_URI and the rule id: number.

what if i need to do this to all my pages in the website???

 

[quizknows]

what if i need to do this to all my pages in the website???

You can easily deny all POST requests that don't have a referring URL. However, this occasionally stops legitimate things so you need to be prepared to make exceptions. For example, if you use wordpress, wp-cron.php posts to itself with no referrer.

I actually do this on my own server. This code would need to be manually added to the file /usr/local/apache/conf/modsec2.user.conf :

#Block any HTTP POST request that has no referring URL
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:18749459,chain,msg:'POST request blocked, no referer'"
SecRule REQUEST_METHOD "POST"

#Wordpress posts to it's own cron file with no referring URL, whitelisting that URI
<LocationMatch "/wp-cron.php">
  SecRuleRemoveById 18749459
</LocationMatch>

I also use this rule too for general abuse prevention:

#Deny any HTTP request where both the user agent and referring URL are blank
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945988,chain,msg:'No UA, No referer'"
SecRule &HTTP_User-Agent "@eq 0"

I have had very good luck with these, but I do not use them widely on customer servers; only my own.