Hi guys, me again, sorry!
OK, so I've been experiencing an intermittent DDoS attack for a few months now; it lasts about an hour, 3-4 times a day, targeting 2 specific sites on my server.
The measures I've put in place so far don't seem to have any effect and I'm just wondering why. I installed the mod_evasive module and I have the following config:
DOSPageCount 5
DOSSiteCount 10
DOSPageInterval 1
DOSSiteInterval 2
DOSBlockingPeriod 30
So if there are 5+ requests for the same page, or 10+ requests for the same site, within 1 and 2 seconds respectively, then the IP should be denied. However, according to the access log from my most recent attack just a few minutes ago, there are around 12 requests there within 2 seconds:
196.244.192.226 - - [27/Oct/2022:23:01:33 +0100] "POST /gdpr/ HTTP/1.1" 200 3069 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
196.244.192.226 - - [27/Oct/2022:23:01:33 +0100] "POST /gdpr/ HTTP/1.1" 200 3083 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063"
196.244.192.226 - - [27/Oct/2022:23:01:34 +0100] "POST /gdpr/ HTTP/1.1" 200 3068 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
196.244.192.226 - - [27/Oct/2022:23:01:33 +0100] "POST /gdpr/ HTTP/1.1" 200 3071 "-" "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
196.244.192.226 - - [27/Oct/2022:23:01:33 +0100] "POST /gdpr/ HTTP/1.1" 200 3087 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38"
196.244.192.226 - - [27/Oct/2022:23:01:33 +0100] "POST /gdpr/ HTTP/1.1" 200 3077 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0"
196.244.192.226 - - [27/Oct/2022:23:01:32 +0100] "POST /gdpr/ HTTP/1.1" 200 3071 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
196.244.192.226 - - [27/Oct/2022:23:01:33 +0100] "POST /gdpr/ HTTP/1.1" 200 163 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)"
196.244.192.226 - - [27/Oct/2022:23:01:34 +0100] "POST /gdpr/ HTTP/1.1" 200 3084 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-G610M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36"
196.244.192.226 - - [27/Oct/2022:23:01:33 +0100] "POST /gdpr/ HTTP/1.1" 200 3085 "-" "Mozilla/5.0 (X11; CrOS x86_64 8530.96.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.154 Safari/537.36"
196.244.192.226 - - [27/Oct/2022:23:01:33 +0100] "POST /gdpr/ HTTP/1.1" 200 3077 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
196.244.192.226 - - [27/Oct/2022:23:01:34 +0100] "POST /gdpr/ HTTP/1.1" 200 3080 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063"
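An added example (not part of the original post, and not mod_evasive's own code): a Python script that replays combined-format access log lines against the DOSPageCount/DOSSiteCount thresholds from the post, using a simple sliding window as an approximation of the module's counters. The sample lines are constructed (documentation address 203.0.113.7, placeholder user agents) and mirror the timestamps in the excerpt; the `>=` comparison follows the post's "5+"/"10+" reading.

```python
import re
from collections import defaultdict
from datetime import datetime

# Thresholds copied from the post's mod_evasive config.
DOS_PAGE_COUNT, DOS_PAGE_INTERVAL = 5, 1
DOS_SITE_COUNT, DOS_SITE_INTERVAL = 10, 2
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample: same format and second-by-second pattern as the excerpt.
SECONDS = [33, 33, 34, 33, 33, 33, 32, 33, 34, 33, 33, 34]
SAMPLE = [f'203.0.113.7 - - [27/Oct/2022:23:01:{s:02d} +0100] "POST /gdpr/ HTTP/1.1" '
          f'200 3070 "-" "Constructed-UA/{i}"' for i, s in enumerate(SECONDS)]

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
            yield m["ip"], m["uri"], int(m["status"]), m["ua"], ts

def peak(times, interval):
    """Largest number of requests inside any window of `interval` seconds."""
    times = sorted(times)  # entries are logged at completion, so not in order
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= interval:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def analyze(lines):
    site, page = defaultdict(list), defaultdict(list)
    uas, denied = defaultdict(set), defaultdict(int)
    for ip, uri, status, ua, ts in parse(lines):
        site[ip].append(ts)
        page[ip, uri].append(ts)
        uas[ip].add(ua)
        denied[ip] += status == 403  # mod_evasive answers blocked clients with 403
    report = {}
    for ip, times in site.items():
        page_peak = max(peak(t, DOS_PAGE_INTERVAL) for (i, _), t in page.items() if i == ip)
        site_peak = peak(times, DOS_SITE_INTERVAL)
        report[ip] = {"page_peak": page_peak, "site_peak": site_peak,
                      "over_page": page_peak >= DOS_PAGE_COUNT,
                      "over_site": site_peak >= DOS_SITE_COUNT,
                      "distinct_uas": len(uas[ip]), "denied_403": denied[ip]}
    return report

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A result with `over_page` or `over_site` true and `denied_403` at 0 is the mismatch the post describes: the log exceeds the configured thresholds, yet no request was refused. A high `distinct_uas` count for a single address is a further sign of scripted traffic.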