How to stop site getting hit by same IP

[UKSBD]

My Site has been getting hit by the same IP number all afternoon over 200,000 times in past few hours which has been resulting in 508 resource limit errors.

I've tried blocking it in IP blocker in cPanel, tried redirecting in htaccess but still no joy.

I've temporarily taken the site offline so it is getting 404 errors, but it's still hitting the site at a rate of 20+ hits a second.

Anyone know why IP blocker isn't stopping this and what I can do about it?

 

[Graham Tyers]

I don't use cpanel so not sure what the IP blocker does.

Presuming it's blocked the input chain, the chances are it's a spoofed packet attack or xmas tree attack.

I darent guess some iptables rules for you - don't want to stuff the box - but the server admin can fix it pretty easily.

 

[UKSBD]

Thanks,

Hits are still coming at 20+ a second even though I've taken all the files down

Also getting an equal mixture of GET and HEAD requests, would that indicate someone up to no good?

 

[Graham Tyers]

It could be someone's robot has gone rogue, or a dos attempt, or any manner of things.

Where is the IP address hosted that's hitting you from.

If you can email the abuse contact they should be able to take the host down.

 

[UKSBD]

It looks like a plus.net IP number Brightview in Sheffield.

I've emailed abuse@ hopefully they will do something about it.

 

[nahosting]

Speak to your hosting company as they should be able to help you and could add the IP to their firewall if it is causing issues. Hope you get it sorted.

All the best.
Chris

 

[UKSBD]

I've just downloaded my logs, 730,000+ hits now since yesterday afternoon, I can't get rid of it

I'll get my host to have a look.

 

[Paul Norman]

If your web hosting people are any good, they will block it for you. If they were really good, they would already have done so.

 

[UKSBD]

I emailed him just after my last post, he blocked it, I reloaded files and all fine now.

Is blocking an IP at that level only something the host can do, or can I do it without having to pester my host?

 

[Graham Tyers]

You should definitely be able to block a single IP address making straightforward HTTP requests. That's pretty routine.

Anything out of the ordinary might need intervention by whoever controls the firewall. It's difficult to say as there are plenty of different ways to set up hosting.

 

[UKSBD]

I think I have found out why I couldn't block it myself

I have a pretty complicated htaccess file (400+ lines) and the deny code was added to the bottom.

Is it best to have it at the top?

 

[Graham Tyers]

In the web server config it'll define the order that allows and denies are applied.

Putting the deny at the top is what I do - it saves the server having to do rewrites and redirects for ip addresses that you're going to block anyway.

It's probably better though to block IP addresses before the web server even has to deal with the traffic. If you have hosting that allows you to have your own firewall rules that's better for protection but far easier to mess up!

Anyone who plays with firewalls will have un-fond memories of the first day they firewalled themselves off their own server.

 

[NuBlue]

I've just downloaded my logs, 730,000+ hits now since yesterday afternoon, I can't get rid of it

I'll get my host to have a look.

Nothing to add to the good advice re firewalling the IP that you've already been given but seeing as you've downloaded the log files, if you want to try a good, currently free, log analyser to see what that IP has been up to then take a look at http://www.statspire.com/. I happened across it by chance and it's an excellent log analyser.

 

[KM-Tiger]

Anyone who plays with firewalls will have un-fond memories of the first day they firewalled themselves off their own server.

Yes, got that T-shirt some years ago.

Though haven't had to wear it since.

 

[Graham Tyers]

I have a pretty complicated htaccess file (400+ lines) and the deny code was added to the bottom.

It's worthwhile adding that performance-wise you're far better not using a .htaccess file if you can help it. The server has to recompile rewrite rules every time that directory is visited.

If you can put the rules in your server config file in stead, that's better for performance. From a security point of view world-writable .htaccess files with full override permissions is also asking for trouble.

 

[ryedale]

Yes, got that T-shirt some years ago.

Though haven't had to wear it since.

It's something you learn the hard way !

First thing I always do now when setting up a new server is whitelist the office IP

 

[Graham Tyers]

It's something you learn the hard way !

First thing I always do now when setting up a new server is whitelist the office IP

ditto.

 

[Bradley Holmes]

If you find this happening again I would look into a cloudflare account.
They can filter out attacks like this before they hit your server because at the moment they could just come back with a different IP and start the attack all over again.

 

[UKSBD]

My host has added me to the firewall access list now via WHM so I can go in and block at server level if I want to.

I don't really understand too much about these things so will leave alone as much as possible.
What he did say was there was no sign of any problem on the server, it's set up in a way that sites are kept separate so if one site gets hit really hard it won't effect others.

My resource limits are switched right up and all seems a lot better now.

 

[NuBlue]

My experience is that when you block this sort of activity, they don't switch to another IP and try again. The fact that you blocked it shows you're aware of what they're doing and you'd do it again if they tried. More likely to move on to someone else's site.

What is possibly unusual is only trying from one IP address. As well as the IP with 200K hits, are there any others with higher than usual hit counts?

 

[UKSBD]

There are a few others around the 3,000 mark but they tend to be recognisable, Yahoo/Slurp, bingbot, exabot, etc.

Also get hit hard by the site explorers like Majestic and hrefs so have blocked them for a bit too via my robots.txt

I'll keep an eye on my logs more and at least I know how to stop them now if I do see any that look as though they are up to no good.

 

[NuBlue]

As well as checking hits by IP, you should also look at hits by pages/file. This can highlight brute force attempts where the attack comes from a multitude of infected machines.

 

[BarnaB]

Just a thought...any chance they where hitting the xmlrpc.php file ?

 

[Alan]

Thread is a month old, worth checking the dates of posts before trying to help.

 

[BarnaB]

I have seen the date, but haven't seen an answer to wrap things up, hence my question based on the OP.

xmlrpc.php was a big issue lately and needed a simple deny code added to htaccess to stop any activity toward the system. (multiple requests in 1 request mainly)

Thanks

 

[threenine]

You can put a block in .htaccess file (if your website is hosted on a apache server)
check out my blog post I wrote a couple of years ago on how to block referrer spam for basic guidelines. http://garywoodfine.com/blocking-referrer-spam/

 

[UKSBD]

Just a thought...any chance they where hitting the xmlrpc.php file ?

No, just hitting multiple files.

I constantly get bombarded by IP ranges.

When it is the same IP my host has set me up a system (configserver) so I can block from the whole server, when it is ranges I deny in htaccess

I will ask him if I can block ranges using configserver

I had million+ hits the other day claiming to be googlebot but coming from 38.*.*.*
When they are hitting real hard I get intermittent 508 errors

Got someone on at the moment causing problems

 

[UKSBD]

You can put a block in .htaccess file (if your website is hosted on a apache server)
check out my blog post I wrote a couple of years ago on how to block referrer spam for basic guidelines. http://garywoodfine.com/blocking-referrer-spam/

I use deny from in my htaccess but also use configserver to block from whole server.

 

[BarnaB]

Ok here is a basic question (seen this type of issue quite a few times) Are you on a shared hosting ?

-if yes : what other sites are on your IP address....if there is anything hacked, doggy you will stay in this situation no matter what you do.

if yes but with dedicated IP address : ask your host to change you IP address and see if it stops.

If VPS, dedicated server: same as above get a new clean IP address. My latest similar client has been moved to a hosting company i recommend and his constant attacks have stopped instantly (never mind the host but IP address has changed with it too)

 

[UKSBD]

It's on shared hosting but with very few others and a host/developer who keeps an eye on things.

I would think the nature of the site, makes it a target for scrapers

 

[threenine]

We also make use of sucuri firewall on all our hosting servers, which has reduced and some cases eliminated DOS attacks on our servers https://sucuri.net/website-firewall/

 

[BarnaB]

It's on shared hosting but with very few others and a host/developer who keeps an eye on things.

I would think the nature of the site, makes it a target for scrapers

I'm happy to help but i would need more information...If you like send me a PM and we can talk about site information in private

 

[UKSBD]

Do you not think it is a bit disrespectful that there are people replying who have been members for years with 100's/1000's of posts and you join up today, have 4 posts and want me to PM to talk about this in private?

 

[marble_pars]

Might be worth using Cloudflare, it will help with this kind of problem and you can easily block the IP using Cloudflares firewall should they not do it automatically.

 

[BarnaB]

Do you not think it is a bit disrespectful that there are people replying who have been members for years with 100's/1000's of posts and you join up today, have 4 posts and want me to PM to talk about this in private?

Sorry but i don't think it is disrespectful at all, as nobody leaves private information out in the open forum. I am a direct person (you can see i have a real avatar too), private information is a concern (hence i never ask for it in the public) and i only tried to help. Now, if i have 100 posts would that be more useful than the helpful attitude and possible solution i might know?

If you think otherwise i am sorry, hope you will find a solution!

ps: being a reader of the forum for years, but never registered until now

 

[Alan]

We use fail2ban. Basically is scans logs and depending on rules, if it sees a certain type of activity it then blocks that IP at the firewall. e.g. the same activity from teh same IP for x events in y minutes, block the IP for 20 minutes, if they get blocked n time then block them for ever.

http://www.fail2ban.org/wiki/index.php/README

Despite the description talking about password attacks it works well with all sorts of attacks and you (or your dev rather) can write custom rules, e.g. I block any ip that is attempting to accessing certain urls where there is no legitimate reason for that and is just an attack 'footprint'.

Its pretty common tool. You should see if your developer host can set this up for you ( you won't as you are on a shared host and its an o/s level process.

Also, again, if your dev is managing the hosting make sure he has mod_security configured, this is essential to eliminate many sorts of attacks.

Good hosts should have this all nailed, but I'm not being negative about your dev, but if he has set up the hosting on a bare VPS for instance, he may not have the knowledge of how to really configure to block these attacks at the firewall.

 

[UKSBD]

We use fail2ban.

Good hosts should have this all nailed, but I'm not being negative about your dev, but if he has set up the hosting on a bare VPS for instance, he may not have the knowledge of how to really configure to block these attacks at the firewall.

I have this at the moment which I assume is similar?
http://www.configserver.com/cp/csf.html

I only have very restricted access though in case I mess anything up

I can block individual IP numbers at the moment, but not ranges
I'll have a word with him to see if I can have access to block whole ranges.

I think my guy is more of a dev who provides hosting rather than a host.

I've always preferred it that way though as host can't blame dev and vice versa, I've seldom had many problems over the past decade too.

I suspect he looks after me a lot better than any host would.

 

[quikshop]

With my old Ecommerce hosting service we had to fend off constant hack and DoS attacks. In the end we blocked every IP address from Asia, Africa, the Middle East and some Eastern European countries which reduced the hack attempts by over 95%.

On the plus side the hack attempts helped us beef up the website and databases built-in mitigation of attacks to the point were it became a monthly task to add a few mostly US IP addresses to the denied list in IIS.

The gains in performance and security in blocking that traffic wholesale far outweighed the few traders we lost due to limiting markets they could reach, and the cost of dealing with the constant flow of attacks.

 

[UKSBD]

I asked my host about blocking ranges from whole server and he has shown me how I can do it.

Problem is, it can potentially impact others on the server too and as I'm not 100% sure on what I am doing I think it's best I don't.

I'll stick to blocking obvious individual IP numbers from Server and the ranges just from my sites.

 

[astutiumRob]

Problem is, it can potentially impact others on the server too and as I'm not 100% sure on what I am doing I think it's best I don't.

They _really_ shouldn't be giving you the ability to block anything on a shared server - the potential for deliberate or accidental breakage is enormous !