Problems with layer 7

nullroute (Hosting Provider)

Hello my dear friends of this beloved forum.
As everyone knows, most schools, if not all schools, are closed, and with that all the kids are on the loose (burn the witch)!
I work with sales of Minecraft hosting and recently I am having problems with DDoS Layer 7 attacks that make my php-fpm just overflow CPU usage.
I use nginx + php-fpm.

I need urgent help to remedy this problem. I will be grateful to those who help me.

Here is a screenshot of the attack:

https://purplehost.com.br - Reliable, secure and affordable game hosting.

Comments

  • Clouvider (Hosting Provider, OG)

    Appears to be just one IP. Why not block it on the firewall?

  • nullroute (Hosting Provider)

    @Clouvider said:
    Appears to be just one IP. Why not block it on the firewall?

    It is one of thousands of IPs; ufw did not solve it ;(

  • Cloudflare with mode security on

  • nullroute (Hosting Provider)

    @MIonel said:
    Cloudflare with mode security on

    Without results; for some reason this type of attack passes the firewall and JS challenge of Cloudflare.

  • @nullroute said:

    @MIonel said:
    Cloudflare with mode security on

    Without results; for some reason this type of attack passes the firewall and JS challenge of Cloudflare.

    Have you changed IP? They might be just accessing your IP directly, which obviously bypasses Cloudflare security. Or, you might want to enable CAPTCHA and disable privacypass

  • nullroute (Hosting Provider)

    Have you changed IP? They might be just accessing your IP directly, which obviously bypasses Cloudflare security. Or, you might want to enable CAPTCHA and disable privacypass

    I have enabled captcha, I am looking forward to receiving new attacks.

  • webmash (Services Provider)

    @nullroute Hope everything works itself out - Script kiddies are the worst! :angry:

    Thanked by (1)nullroute
  • @nullroute have you tried blocking by referer header?

  • atomi (OG)
    edited March 2020

    You could at least try to slow that attack with nginx conf and enable some kind of rate limiting for that auth script.
    Something like this (probably doesn't work as I'm writing this out of my head), but put inside the http-block:
    limit_req_zone $binary_remote_addr zone=authlogin:8m rate=10r/m;
    and then inside vhost server-block:
    location ~* /auth/login { limit_req zone=authlogin nodelay; }

    Needs fine-tuning and proper testing, but you can easily try and see if it would help.

    Thanked by (1)nullroute
  • nullroute (Hosting Provider)

    UPDATE

    Limiting the number of requests per page was totally ineffective; this only increased the CPU usage by php-fpm.

    The definitive solution was to block access from other countries to the URL through the Cloudflare firewall.

    Thanked by (1)atomi


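Added example (not part of any post in this thread, and not code from its participants): a Python check over nginx access-log lines that flags minutes where a path such as /auth/login is hit heavily in aggregate while every single IP stays under a per-IP limit like the 10r/m suggested above, the pattern a flood from thousands of IPs produces. The combined log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# nginx "combined" log format is assumed; adjust the regex if log_format differs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(lines):
    """Yield (minute, ip, path) for each parsable access-log line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore varying query strings
        yield ts.replace(second=0), m["ip"], path

def distributed_floods(lines, per_ip_limit=10, path_limit=100):
    """Return (minute, path, total, distinct_ips, max_per_ip) for minutes where a
    path is hammered in aggregate although no single IP exceeds per_ip_limit."""
    hits = defaultdict(Counter)  # (minute, path) -> Counter of client IPs
    for minute, ip, path in parse(lines):
        hits[(minute, path)][ip] += 1
    findings = []
    for (minute, path), ips in sorted(hits.items()):
        total, top = sum(ips.values()), max(ips.values())
        if total > path_limit and top <= per_ip_limit:
            findings.append((minute.strftime("%H:%M"), path, total, len(ips), top))
    return findings

def sample_log():
    """Constructed sample: 300 IPs x 2 POSTs to /auth/login within one minute,
    plus one ordinary visitor. Addresses come from documentation ranges."""
    fmt = '{ip} - - [20/Mar/2020:14:05:{s:02d} -0300] "{req} HTTP/1.1" 200 512 "-" "-"'
    lines = [fmt.format(ip=(f"198.51.100.{i + 1}" if i < 250 else f"203.0.113.{i - 249}"),
                        s=(i + k) % 60, req=f"POST /auth/login?r={i}{k}")
             for i in range(300) for k in range(2)]
    lines.append(fmt.format(ip="192.0.2.7", s=1, req="GET /"))
    lines.append("garbage line")  # malformed on purpose
    return lines

if __name__ == "__main__":
    for f in distributed_floods(sample_log()):
        print("minute=%s path=%s requests=%d ips=%d max_per_ip=%d" % f)
```

Behind Cloudflare the first log field is the edge address unless nginx's real_ip module restores the client IP, so the per-IP counts are only meaningful once that is configured.
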
  • AK_KWH (Hosting Provider, OG)

    Why don't you change the wp login url? Why don't you enable the captcha? Why don't you enable the DDoS Protection by CL? Why aren't you using CSF to block an IP's connections when it exceeds the number of connections?

    KhanWebHost Cheap Shared Hosting | Cheap KVM VPS (DE,UK,US,FR) | KVM Sale - LES Offers

  • AK_KWH (Hosting Provider, OG)

    If all this can't solve it, then go with BitNinja :) Ask them to fix it for you if you don't know how to fix it; they will charge a few $.

  • nullroute (Hosting Provider)

    @AK_KWH said:
    Why don't you change the wp login url? Why don't you enable the captcha? Why don't you enable the DDoS Protection by CL? Why aren't you using CSF to block an IP's connections when it exceeds the number of connections?

    I don't use WP; captcha is enabled and all pages have Google reCAPTCHA. Cloudflare DDoS protection has also always been active (orange cloud).

    This attack method seems to circumvent the protection of Cloudflare by making real requests, but luckily I have already solved it.

    Thanked by (1)AK_KWH
