
One of my virtual hosts running Apache is experiencing an influx of over 30,000 IP connections attempting to access non-existent URLs. Here's an example log entry:

62.74.16.240 - - [13/Sep/2023:14:24:46 +0200] "GET /741418kipgo9lrffo7rv2z/ HTTP/1.1" 404 20587 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36"

These connections primarily originate from countries such as India, Pakistan, Nepal, Bangladesh, among others. I've implemented fail2ban to block these malicious attempts, but they persist relentlessly, rendering the VPS practically unusable.

In an effort to mitigate the issue, I've also employed Cloudflare with the "I am under attack" option. While this approach restores server functionality, it adversely affects our SEO score due to Cloudflare's intermediary position between the server and incoming traffic. Striking a balance between security and maintaining our SEO ranking is now of utmost importance.

Do you have any solutions or experiences to share regarding this issue?

It's indeed frustrating that despite the extensive list of logged IP addresses, there's no straightforward way to contact each respective provider to alert them about their clients unwittingly being used as part of this botnet.

Gold24k

1 Answer

Using CloudFlare is a great way to mitigate attacks. You can look for patterns in the attacks and filter them using CloudFlare's tools. Perhaps a common user agent, IP block, or the target URLs they are using. You can even target a whole country for exclusion if you need to.

Another approach is to optimize your 404 response codes. In the log you sent, it sends a 20587-byte (around 20K) response. You can reduce it in .htaccess like this:

ErrorDocument 404 "File Not Found"

That will reduce your response to less than 20 bytes, reducing your server's load (when hit by 30K assaults).

Also, ensure that your server computes 404 pages fast. If there's a bottleneck due to a missing database index for example, it may be taking too long for the server to determine it should reply with a 404, and the attackers are taking advantage of that fact.

There are other things you can try. For instance, setting up a second VPS to act as a load balancer, having separate servers for web and your database, etc. They cost money, but allow you to scale and manage numerous incoming connections.

In general, the "I'm under attack" mode should be used as an emergency and temporary measure, but not as a long term solution.
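As an added example (not part of the question or the answer above), a small Python script that applies the pattern-hunting the answer suggests to Apache combined-format log lines: it flags clients whose traffic is almost entirely 404s on random-looking paths, records the user agents they share, and estimates how many bytes a short ErrorDocument would have saved. The thresholds, the random-path heuristic and the sample log lines are assumptions; the first sample line is the entry quoted in the question.

```python
import re
from collections import defaultdict
# Apache "combined" log format, matching the entry quoted in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Heuristic (assumption): one path segment of 15+ lowercase letters and digits, both present, looks machine-generated.
RANDOM_PATH_RE = re.compile(r'^/(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{15,}/?$')
def parse_combined(line):
    # Returns a dict of fields, or None when the line is not in combined format.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def flag_404_flood(lines, min_hits=3, min_ratio=0.8):
    """Return {ip: stats} for clients whose requests are mostly 404s (thresholds are assumptions)."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "random": 0, "bytes_404": 0, "uas": set()})
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        s["uas"].add(rec["ua"])  # a shared user agent is one of the patterns worth filtering on
        if rec["status"] == 404:
            s["not_found"] += 1
            s["bytes_404"] += rec["bytes"]
            if RANDOM_PATH_RE.match(rec["path"]):
                s["random"] += 1
    return {ip: s for ip, s in stats.items()
            if s["not_found"] >= min_hits and s["not_found"] / s["total"] >= min_ratio}

def bytes_saved_by_short_404(flagged, short_404=20):
    # Bytes not sent to flagged clients if every 404 body were short_404 bytes (a tiny ErrorDocument).
    return sum(s["bytes_404"] - s["not_found"] * short_404 for s in flagged.values())
UA = "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36"
def _entry(ip, path, status, size):  # builds one constructed sample line in combined format
    return f'{ip} - - [13/Sep/2023:14:24:46 +0200] "GET {path} HTTP/1.1" {status} {size} "-" "{UA}"'

SAMPLE_LOG = [  # constructed sample; the first entry is the one quoted in the question
    _entry("62.74.16.240", "/741418kipgo9lrffo7rv2z/", 404, 20587),
    _entry("62.74.16.240", "/k3m9x2p0q7w1z5r8t4v6/", 404, 20587),
    _entry("62.74.16.240", "/9a8b7c6d5e4f3g2h1j0k/", 404, 20587),
    _entry("203.0.113.7", "/index.html", 200, 5120),
    _entry("203.0.113.7", "/favicon.ico", 404, 20587),
]
```

The flagged dictionary is the input you would turn into a fail2ban jail or a CloudFlare rule; the single 404 from the second client (a normal missing favicon) stays below the thresholds and is not flagged.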