Response to a DDOS attack
- rbader
- Topic Author
- New Member
3 months 1 week ago - 3 months 1 week ago #1
by rbader
Response to a DDOS attack was created by rbader
Hi everyone
My genealogy website is currently experiencing a DDOS attack. I'm managing OK using Cloudflare but wondered if there is anything else I could or should do from a webtrees perspective (or anything related anyone knows about).
I'd appreciate any advice.
Thanks in advance.
Ruth
www.ruthsfamilyhistory.net/genealogy
webtrees 2.1.20
custom-css, fancy-imagebar, jc-research-links, jc-fancy-treeview, jc-simple-menu, jc-theme-justlight, repository_hierarchy
Last edit: 3 months 1 week ago by rbader.
- fisharebest
- Administrator
3 months 1 week ago #2
by fisharebest
Replied by fisharebest on topic Response to a DDOS attack
Is this a genuine *distributed* DOS attack - i.e. requests coming in from a large number of different networks, or are all the requests coming from a single robot/hacker/server/network?
If the latter, then webtrees has a way to block an entire network. Remember that the "internet" is ~100,000 separate networks. Each of these networks has an ID number ("ASN"), and webtrees can block ASNs.
To do this, you need to add a line to your data/config.ini.php:
block_asn="......"
The format is free-text. webtrees just looks for ASnnnn anywhere in the text, so you can add comments, etc.
Here's an entry for one of the sites that I host:
block_asn="AS24940=Hetzner,AS45102=Alibaba,AS45090=TenCent,AS14061=DigitalOcean,AS4808+AS4837=ChinaUnicom,AS57678=CatTechnogies"
The reason for this design is that we can run it before making a database connection, so we can block the request using minimal server resources.
There are online tools to show the ASN for an IP address.
Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net
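A dry run of the block_asn idea described in the post above, added here as an example and not webtrees' own code: it pulls every ASnnnn token out of the free-text value and counts how many requests in a log sample would be blocked. The prefix-to-ASN table, the log lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# The block_asn value quoted in the post above.
BLOCK_ASN = ("AS24940=Hetzner,AS45102=Alibaba,AS45090=TenCent,AS14061=DigitalOcean,"
             "AS4808+AS4837=ChinaUnicom,AS57678=CatTechnogies")

# Constructed prefix-to-ASN table (documentation ranges, not real routing data).
PREFIX_TO_ASN = {
    "192.0.2.0/24": 24940,
    "198.51.100.0/24": 4837,
    "203.0.113.0/24": 64512,  # private-use ASN standing in for an ordinary ISP
}

# Constructed access-log sample, one "client_ip path" pair per line.
SAMPLE_LOG = """\
192.0.2.10 /tree/demo/individual/I1
198.51.100.7 /tree/demo/family/F9
203.0.113.5 /tree/demo/individual/I1
10.1.2.3 /tree/demo
not-an-ip /tree/demo
"""

def parse_block_asn(text):
    """Return every AS number in the free text (assumed: case-sensitive "AS" + digits)."""
    return {int(n) for n in re.findall(r"AS(\d+)", text)}

def asn_for(ip, table=PREFIX_TO_ASN):
    """Return the ASN whose prefix contains ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    for prefix, asn in table.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None

def dry_run(log_text, block_text):
    """Count log lines as blocked, allowed, unknown or malformed."""
    blocked, verdicts = parse_block_asn(block_text), Counter()
    for line in filter(None, map(str.split, log_text.splitlines())):
        try:
            asn = asn_for(line[0])
            key = "unknown" if asn is None else "blocked" if asn in blocked else "allowed"
        except ValueError:
            key = "malformed"
        verdicts[key] += 1
    return dict(verdicts)

if __name__ == "__main__":
    print(sorted(parse_block_asn(BLOCK_ASN)), dry_run(SAMPLE_LOG, BLOCK_ASN))
```

Running the same count over a real log sample before editing data/config.ini.php shows how much traffic a proposed list would cut off, including any ordinary visitors who share a blocked network.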
- rbader
- Topic Author
- New Member
3 months 1 week ago - 3 months 1 week ago #3
by rbader
Replied by rbader on topic Response to a DDOS attack
> Is this a genuine *distributed* DOS attack - i.e. requests coming in from a large number of different networks, or are all the requests coming from a single robot/hacker/server/network?
Thank you very much for responding, Greg. I've attached some screenshots from Statcounter and Cloudflare to show what's been going on. There was a sudden spike of 'new visitors' on Thursday local time (which made me realise the less pronounced spike on Tuesday, which I'd noticed but not looked into, was just a precursor). Since this started, there seem to have been one or more requests every few seconds from different locations and networks. Initially, most requests came via Hetzner and (supposedly) from locations in Germany. Since switching Cloudflare to 'I'm under attack' and adding targeted rules, the ASNs and countries have kept on changing, often every few seconds.
> If the latter, then webtrees has a way to block an entire network. Remember that the "internet" is ~100,000 separate networks. Each of these networks has an ID number ("ASN"), and webtrees can block ASNs.
> To do this, you need to add a line to your data/config.ini.php:
> block_asn="......"
> The format is free-text. webtrees just looks for ASnnnn anywhere in the text, so you can add comments, etc.
> Here's an entry for one of the sites that I host:
> block_asn="AS24940=Hetzner,AS45102=Alibaba,AS45090=TenCent,AS14061=DigitalOcean,AS4808+AS4837=ChinaUnicom,AS57678=CatTechnogies"
This is great to know, I'll add something along those lines. I've been suspicious about visits via Hetzner for a while but hadn't connected the dots.
> There are online tools to show the ASN for an IP address.
Yes, I can see all of that information in Cloudflare. I also found that most of the traffic seemed to come via Linux, so for now I'm blocking all of those. But I'm not sure if there are any inadvertent negative side effects to me doing so.
Again, I really appreciate your advice. This is not something I expected to have to address on this type of website.
Ruth
www.ruthsfamilyhistory.net/genealogy
webtrees 2.1.20
custom-css, fancy-imagebar, jc-research-links, jc-fancy-treeview, jc-simple-menu, jc-theme-justlight, repository_hierarchy
Last edit: 3 months 1 week ago by rbader. Reason: Fixing quote formatting
- rbader
- Topic Author
- New Member
3 months 1 week ago - 3 months 1 week ago #4
by rbader
Replied by rbader on topic Response to a DDOS attack
Just a quick update to say that I've removed the rule blocking anything with "Linux" in the user agent string because it will block legitimate bots (from what I understand).
I'm not sure if I have misinterpreted the sudden traffic spike showing up in Statcounter as a DOS (or DDOS). I'd be much happier if it turned out that it wasn't an intentional targeting of the website.
Ruth
www.ruthsfamilyhistory.net/genealogy
webtrees 2.1.20
custom-css, fancy-imagebar, jc-research-links, jc-fancy-treeview, jc-simple-menu, jc-theme-justlight, repository_hierarchy
Last edit: 3 months 1 week ago by rbader. Reason: Fixed typo
- fisharebest
- Administrator
3 months 1 week ago #5
by fisharebest
Replied by fisharebest on topic Response to a DDOS attack
Just as a general reminder, if you are using Cloudflare (or any similar service), then you need to add some config to webtrees so that it can correctly identify the IP addresses of your visitors. Otherwise, you will only see Cloudflare's IP addresses in your logs.
webtrees.net/install/cloudflare/
Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net
- rbader
- Topic Author
- New Member
3 months 1 week ago #6
by rbader
Replied by rbader on topic Response to a DDOS attack
Thank you, Greg, I hadn't realised this was the case. I'll add the information.
Ruth
www.ruthsfamilyhistory.net/genealogy
webtrees 2.1.20
custom-css, fancy-imagebar, jc-research-links, jc-fancy-treeview, jc-simple-menu, jc-theme-justlight, repository_hierarchy