Rocksolid Light

Subject: ddos defense for novabbs.com
From: Retro Guy@rslight.i2p (Retro Guy)
Newsgroups: rocksolid.nodes
Organization: Rocksolid Light
Date: Fri, 20 Dec 2019 08:05 UTC
While I have in place defense for i2p and tor, I did not for clearnet. The site has been brought down almost daily for a while now, so I finally did something about it.

I'm seeing blacklisting in the logs now, quite a bit, and the site is running much faster. This applies to news.novabbs.com(rslight) and www.novabbs.com(fudforum).

We'll see how it goes.

Retro Guy
--
Posted on Rocksolid Light


Subject: Re: ddos defense for novabbs.com
From: anonymous@anon.com (anonymous)
Newsgroups: rocksolid.nodes
Organization: def2
Date: Thu, 21 May 2020 19:22 UTC
care to describe what you did exactly? and on which level of the stack?
--
Posted on def2
z5bqfv5v75kxy7pj.onion


Subject: Re: ddos defense for novabbs.com
From: Retro Guy@rslight.i2p (Retro Guy)
Newsgroups: rocksolid.nodes
Organization: Rocksolid Light
Date: Fri, 22 May 2020 08:32 UTC
anonymous wrote:

> care to describe what you did exactly? and on which level of the stack?

Most of what I was seeing was more than just rudely configured spiders (which tend to go through a site at a high rate of speed). I was seeing the same pages being requested very fast, over and over again from the same ip addresses. Since the addresses would be the same for a while, then completely new addresses, just blocking them would not work.

For tor this doesn't work, but for i2p (on the same machine) and clearnet, I've had great results with the nginx Limit Req Module http://nginx.org/en/docs/http/ngx_http_limit_req_module.html

From the site:
The ngx_http_limit_req_module module (0.7.21) is used to limit the request processing rate per a defined key, in particular, the processing rate of requests coming from a single IP address. If the requests rate exceeds the rate configured for a zone, their processing is delayed such that requests are processed at a defined rate. Excessive requests are delayed until their number exceeds the maximum burst size in which case the request is terminated with an error.
-------------

This does not protect against many types of attacks, but for just trying to shut the site down by overloading it, it's working very well. I've tied in the ip address logs to fail2ban to temporarily ban the offending ip addresses. Since setting this up, I have not needed to restart php-fpm or nginx a single time.

Retro Guy

--
Posted on: Rocksolid Light
news.novabbs.com



Subject: Re: ddos defense for novabbs.com
From: anonymous@anon.com (anonymous)
Newsgroups: rocksolid.nodes
Organization: def2
Date: Fri, 22 May 2020 10:50 UTC
> The ngx_http_limit_req_module module (0.7.21) is used to limit the request processing rate per a defined key, in particular, the processing rate of requests coming from a single IP address. If the requests rate exceeds the rate configured for a zone, their processing is delayed such that requests are processed at a defined rate. Excessive requests are delayed until their number exceeds the maximum burst size in which case the request is terminated with an error.

he, that is almost exactly the same as i did for boxs, only in this case the functionality is in the script itself, not on the level of the webserver (and of course it is not ip based, because that would be useless on tor, but only goes by the total number of requests).
always a good sign if two parties come up with the same solution independently.
:-)

cheers

trw
--
Posted on def2
z5bqfv5v75kxy7pj.onion
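
Added example, not code from either poster or from nginx: a simplified Python model of the leaky-bucket accounting that the quoted limit_req documentation describes, replayed over constructed traffic once with a per-IP key plus a fail2ban-style ban (the setup in Retro Guy's post) and once with a single shared key (the total-request approach in the last post). The rate, burst, maxretry and findtime values and all names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class LeakyBucket:
    """Simplified model of limit_req accounting (rate in requests/second)."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}                      # key -> (excess, time of last accepted request)

    def check(self, key, now):
        if key not in self.state:
            self.state[key] = (0.0, now)
            return "pass"
        excess, last = self.state[key]
        # The bucket drains at `rate`; this request adds one unit.
        excess = max(0.0, excess - self.rate * (now - last) + 1.0)
        if excess > self.burst:
            return "reject"                  # over burst: refused, bucket state left unchanged
        self.state[key] = (excess, now)
        return "delay" if excess > 0 else "pass"

def replay(requests, key_fn, rate, burst, maxretry=None, findtime=10.0):
    """Replay (time, ip) pairs. With maxretry set, ban an ip after that many
    rejects inside findtime seconds (a fail2ban-style rule, hypothetical values)."""
    bucket = LeakyBucket(rate, burst)
    rejects, banned, verdicts = defaultdict(deque), set(), []
    for now, ip in requests:
        if ip in banned:
            verdicts.append((ip, "banned"))
            continue
        verdict = bucket.check(key_fn(ip), now)
        if verdict == "reject" and maxretry is not None:
            recent = rejects[ip]
            recent.append(now)
            while now - recent[0] > findtime:
                recent.popleft()
            if len(recent) >= maxretry:
                banned.add(ip)
        verdicts.append((ip, verdict))
    return verdicts, banned

# Constructed traffic: one flooding client and one ordinary visitor (documentation addresses).
FLOOD, VISITOR = "203.0.113.7", "198.51.100.4"
TRAFFIC = sorted([(i / 10, FLOOD) for i in range(10)]
                 + [(0.55, VISITOR), (3.5, VISITOR), (6.0, VISITOR)])

per_ip = replay(TRAFFIC, key_fn=lambda ip: ip, rate=1, burst=2, maxretry=3)
shared = replay(TRAFFIC, key_fn=lambda ip: "all", rate=1, burst=2)

if __name__ == "__main__":
    for name, (verdicts, banned) in (("per-ip", per_ip), ("shared", shared)):
        print(name, verdicts, "banned:", sorted(banned))
```

With the per-IP key the flooding address is delayed, rejected and then banned while the visitor is untouched; with the shared key nobody can be banned and the visitor's request that lands during the flood is rejected along with the rest.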

