DDoS Attack on us using random queries

AladdinJ

Member
Jul 23, 2020
UAE
cPanel Access Level
Root Administrator
Hello

Our server is under attack.

I did this: How To Survive a DDoS Attack | cPanel Blog

It helped, but

they are still able to take down the main website.
"Previously all websites on the server were going down; now only the website they hit goes offline and the other websites work normally."

Anyway, I have checked the log on the attacked website.


These are most of his requests:

Code:
51.255.106.85 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?u84813945151Z2690719641419r2632231977589117636225589i HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
51.255.106.85 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?290206705398r136794268179AC40222925068K248148362537k HTTP/1.1" 403 - "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Chrome/90.0.4430.212 Safari/537.36"
51.255.106.85 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?X38011434562K35061746785p9225801285207a241921794963o HTTP/1.1" 403 - "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
51.255.106.85 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?i77634682292v168274066985yd55399268630399988845001a HTTP/1.1" 403 - "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?g102659062775B1194572446H0267260279959O100208515458O HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
51.255.106.85 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?E124847727740b143309005567Hn225897319396108727819Z HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?4191441626984I245203176628of141064113673U241309427306Z HTTP/1.1" 403 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0"
51.255.106.85 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?T109854196071d29835225966MH1687696758A109863120226V HTTP/1.1" 403 - "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Chrome/90.0.4430.212 Safari/537.36"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?6239917323063i118022281404py94964673518q149849813482s HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
107.174.138.172 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?i104599548543n260382449202he29664656145t177405153Y HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
51.255.106.85 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?f2054522981450225179331719TQ231934391921F103560510348G HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?u153971248180u558699828459g151496091314v136768287082 HTTP/1.1" 403 - "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?O22684601857a10875947659dT5429980087158730296233 HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
51.255.106.85 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?u84813945151Z2690719641419r2632231977589117636225589i HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?g102659062775B1194572446H0267260279959O100208515458O HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?4191441626984I245203176628of141064113673U241309427306Z HTTP/1.1" 403 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?6239917323063i118022281404py94964673518q149849813482s HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
107.174.138.172 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?i104599548543n260382449202he29664656145t177405153Y HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?u153971248180u558699828459g151496091314v136768287082 HTTP/1.1" 403 - "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?O22684601857a10875947659dT5429980087158730296233 HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?g102659062775B1194572446H0267260279959O100208515458O HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?4191441626984I245203176628of141064113673U241309427306Z HTTP/1.1" 403 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?6239917323063i118022281404py94964673518q149849813482s HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
107.174.138.172 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?i104599548543n260382449202he29664656145t177405153Y HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?u153971248180u558699828459g151496091314v136768287082 HTTP/1.1" 403 - "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Safari/537.36"
162.247.74.200 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?g102659062775B1194572446H0267260279959O100208515458O HTTP/1.1" 403 -
171.242.233.129 - - [16/Dec/2021:10:37:38 +0100] "GET /?J97422144650d109588093179Kw40680175417F107495743155o HTTP/1.1" 200 96899 "https://www.facebook.com/ourdomain.com/" "Mozilla/5.0 (compatible; MSIE 81.0; WindowsCE; Win64; x64; Trident/55.0)"
107.189.28.102 - - [16/Dec/2021:10:37:42 +0100] "GET /?f221220786307Y3681943987741132532349880w143360758288h HTTP/1.1" 200 477647 "-" "Mozilla/5.0 (Intel Mac OS X) AppleWebKit/544.0 (KHTML, like Gecko) Chrome/30.03351.288 Safari/544"
104.244.72.36 - - [16/Dec/2021:10:37:47 +0100] "GET /?2236790920764X5032740482Iu122583606040&120344209422p HTTP/1.1" 200 96899 "https://www.facebook.com/ourdomain.com/" "Mozilla/5.0 (compatible; MSIE 70.0; PPC; Win64; IA64; Trident/24.0)"
104.244.72.36 - - [16/Dec/2021:10:37:47 +0100] "GET /?M231919415764B44268499252Zl92361882592t156134226644D HTTP/1.1" 200 477647 "https://www.google.am/search?q=ourdomain.com/" "Mozilla/5.0 (Linux i686) AppleWebKit/577.0 (KHTML, like Gecko) Chrome/27.03588.257 Safari/577"
104.244.72.36 - - [16/Dec/2021:10:37:48 +0100] "GET /?u197071174994c19833515102l21407242567189216430532622G HTTP/1.1" 200 477647 "https://www.google.am/search?q=ourdomain.com/" "Mozilla/5.0 (Linux i686) AppleWebKit/577.0 (KHTML, like Gecko) Chrome/27.03588.257 Safari/577"
104.244.72.36 - - [16/Dec/2021:10:37:48 +0100] "GET /?p160489479088W427993461962h148123955114R160596249309K HTTP/1.1" 200 477647 "https://www.google.am/search?q=ourdomain.com/" "Mozilla/5.0 (Linux i686) AppleWebKit/577.0 (KHTML, like Gecko) Chrome/27.03588.257 Safari/577"
104.244.72.36 - - [16/Dec/2021:10:37:48 +0100] "GET /?4258306279933e1376584104102H21624992169281194235517022 HTTP/1.1" 200 477647 "https://www.google.am/search?q=ourdomain.com/" "Mozilla/5.0 (Linux i686) AppleWebKit/577.0 (KHTML, like Gecko) Chrome/27.03588.257 Safari/577"
104.244.72.36 - - [16/Dec/2021:10:37:48 +0100] "GET /?B497772049611264647715178fP253513756329Y126430720626r HTTP/1.1" 200 477647 "https://www.google.am/search?q=ourdomain.com/" "Mozilla/5.0 (Linux i686) AppleWebKit/577.0 (KHTML, like Gecko) Chrome/27.03588.257 Safari/577"
104.244.72.36 - - [16/Dec/2021:10:37:48 +0100] "GET /?a103579390195D189089202526BH38429900582L81437088203D HTTP/1.1" 403 477647 "https://www.google.am/search?q=ourdomain.com/" "Mozilla/5.0 (Linux i686) AppleWebKit/577.0 (KHTML, like Gecko) Chrome/27.03588.257 Safari/577"
104.244.72.36 - - [16/Dec/2021:10:37:48 +0100] "GET /?S7167073048u2132651768760p61104868047N270837139414a HTTP/1.1" 403 477647 "https://www.google.am/search?q=ourdomain.com/" "Mozilla/5.0 (Linux i686) AppleWebKit/577.0 (KHTML, like Gecko) Chrome/27.03588.257 Safari/577"
104.244.72.36 - - [16/Dec/2021:10:37:48 +0100] "GET /?V242831865013L332402871442y234369115058014198077755H HTTP/1.1" 403 477647 "https://www.google.am/search?q=ourdomain.com/" "Mozilla/5.0 (Linux i686) AppleWebKit/577.0 (KHTML, like Gecko) Chrome/27.03588.257 Safari/577"
104.244.72.36 - - [16/Dec/2021:10:37:48 +0100] "GET /?a2359962748046380315663648P706116273936175692944072i HTTP/1.1" 403 477647 "https://www.google.am/search?q=ourdomain.com/" "Mozilla/5.0 (Linux i686) AppleWebKit/577.0 (KHTML, like Gecko) Chrome/27.03588.257 Safari/577"
104.244.72.36 - - [16/Dec/2021:10:37:48 +0100] "GET /?349746264095k115875540843TY2251828463669139461734842V
Note: replaced our real domain with "ourdomain.com".

My question is: is there any way we can block this type of request using ModSecurity or something else, so we can take him down?

I would appreciate any kind of help.


Thanks in advance
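As an added example (not code from the thread or from cPanel/CSF), here is a small Python detector for the pattern in the posted log excerpt: requests whose query string is one long random alphanumeric blob with no key=value pairs, counted per source IP so the noisy sources stand out. It assumes the Apache/cPanel "combined" access log format; the sample lines are constructed with documentation-range IPs and the threshold is an assumed value.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# A query string that is a single long alphanumeric token (optionally with '&')
# and carries no key=value structure, i.e. the "/?u84813945151Z2690..." shape.
JUNK_QUERY_RE = re.compile(r'^[A-Za-z0-9&]{30,}$')

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse (e.g. truncated)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_junk_query(target):
    """True when the request target's query string looks like random filler, not a real parameter."""
    q = urlsplit(target).query
    return bool(q) and '=' not in q and JUNK_QUERY_RE.match(q) is not None

def junk_counts(lines):
    """Count junk-query requests per source IP, skipping lines that fail to parse."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_junk_query(rec['target']):
            counts[rec['ip']] += 1
    return counts

def ips_to_block(lines, threshold=3):
    """IPs whose junk-query request count reaches the (assumed) threshold, sorted for stable output."""
    return sorted(ip for ip, n in junk_counts(lines).items() if n >= threshold)

# Constructed sample log lines (documentation-range IPs, shapes copied from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?u84813945151Z2690719641419r2632231977589117636225589i HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.0.2.10 - - [16/Dec/2021:10:37:54 +0100] "HEAD /?290206705398r136794268179AC40222925068K248148362537k HTTP/1.1" 403 - "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [16/Dec/2021:10:37:55 +0100] "GET /?2236790920764X5032740482Iu122583606040&120344209422p HTTP/1.1" 200 477647 "https://www.facebook.com/ourdomain.com/" "Mozilla/5.0 (compatible; MSIE 70.0; PPC; Win64; IA64; Trident/24.0)"
198.51.100.7 - - [16/Dec/2021:10:37:38 +0100] "GET /?J97422144650d109588093179Kw40680175417F107495743155o HTTP/1.1" 200 96899 "-" "Mozilla/5.0 (Intel Mac OS X) AppleWebKit/544.0 (KHTML, like Gecko) Chrome/30.03351.288 Safari/544"
203.0.113.5 - - [16/Dec/2021:10:37:40 +0100] "GET /index.php?page=2 HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/95.0"
203.0.113.5 - - [16/Dec/2021:10:37:41 +0100] "GET / HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/95.0"
"""

if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG.splitlines()))
```

Run it over the real access log (`python3 detect.py < access_log` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`) and review the candidates before denying them in CSF; note that requests already answered 403 by ModSecurity are counted too, so the output overlaps with what LF_MODSEC would see.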
 

quietFinn

Well-Known Member
Feb 4, 2006
Finland
cPanel Access Level
Root Administrator
my question is: is there any way we can block this type of request using mod security or something else so we can take him down
For me it looks like many of those requests are blocked by ModSecurity. If so, and if you are using CSF, you can use CSF's LF_MODSEC setting to block those IPs.
 

AladdinJ

Member
Jul 23, 2020
UAE
cPanel Access Level
Root Administrator
Hello! While not supported by cPanel officially, CSF firewall can help with these types of attacks. However, I do see you read the blog post which suggests that already. Did you already try to use CSF? Ultimately, reaching out to your hosting provider or data center might be the best bet.
CSF is installed and ModSecurity is activated, but they didn't defeat this type of request.
 

quietFinn

Well-Known Member
Feb 4, 2006
Finland
cPanel Access Level
Root Administrator
What are your settings for LF_MODSEC & LF_MODSEC_PERM?