dos attack

Hi Experts,
We were hit with a nasty DoS attack last night - what are you guys
doing to block this? Is this something the AntiSamy plug-in is
supposed to block?

Thanks guys - Rob

Hi,
If you are using Windows Server, please read the following issue.

http://msdn.microsoft.com/en-us/library/aa302363.aspx

Mahmut.

2012/6/26 Rob Daniels <r.daniels@gmail.com>

Thanks guys - I have blocked that hacker's IP in the firewall, but it's easy to spoof and show a different IP. The attack produced thousands of errors in our ColdFusion logs. I believe the hacker looked at the source for our addToCart form and wrote a bot to hit it thousands of times with variable garbage info.

I don't want to block legitimate bots like Googlebot - but it would be nice if there was a plug-in that looked for a pattern - like 100 database errors from the same IP within 2 minutes - and blocked that IP from accessing the site for a period of time. I can build something - but thought I'd post here first to see if you guys had used something in the past you liked.

Have you thought about using something like FuseGuard to protect the app from attacks like these? I have used it in the past with great success to stop these attacks.

Thanks,

I was thinking Foundeo's Web Application Firewall (http://foundeo.com/security/) had a filter to limit the number of hits your site got from a single IP, but I don't see it on the description page right now.

It probably wouldn’t be too hard to write some code that counts how many times an IP address hits your application and if the count exceeds a threshold, start aborting.

Use this as a starting point:
http://www.carehart.org/blog/client/index.cfm/2010/5/21/throttling_by_ip_address

Thanks!

~Brad
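Rob's rule above (100 database errors from one IP within 2 minutes, then block that IP for a while) and Brad's per-IP hit counter are the same mechanism: a sliding-window counter keyed by client address, with a timed block once the count reaches a threshold. The following is an added example, not code from this thread, from FuseGuard or from Foundeo: a small fail2ban-style scanner in Python that replays ColdFusion-style log lines through such a counter and reports which addresses it would have banned and which later requests it would have dropped. The four-column log format, the `LINE_RE` pattern, the `TS_FORMAT`, the addresses and the log lines are all constructed for the example; a real ColdFusion application.log has a different column layout, so adapt the regex before pointing it at real files.

```python
"""Fail2ban-style per-IP throttle prototype (added example, not code from the thread).

Scans ColdFusion-style log lines, counts matching error lines per client IP inside
a sliding time window, and "blocks" an IP for a fixed period once the count reaches
the threshold. The log format, addresses and lines below are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified, constructed log format: level, timestamp, client IP, message.
# Real ColdFusion application.log lines carry different columns; adjust LINE_RE to match.
LINE_RE = re.compile(
    r'^"(?P<level>[^"]+)","(?P<ts>[^"]+)","(?P<ip>[^"]+)","(?P<msg>.*)"$'
)
TS_FORMAT = "%m/%d/%y %H:%M:%S"

# Constructed sample: 203.0.113.7 hammers addToCart with garbage, 198.51.100.20 is a normal user.
SAMPLE_LOG = """\
"Error","06/26/12 02:13:05","203.0.113.7","Database error: incorrect syntax near 'cart'"
"Error","06/26/12 02:13:06","203.0.113.7","Database error: incorrect syntax near 'qty'"
"Information","06/26/12 02:13:07","198.51.100.20","addToCart completed"
"Error","06/26/12 02:13:08","203.0.113.7","Database error: conversion failed"
"Error","06/26/12 02:13:09","203.0.113.7","Database error: conversion failed"
"Error","06/26/12 02:14:00","198.51.100.20","Database error: query timeout"
"Error","06/26/12 02:25:00","203.0.113.7","Database error: conversion failed"
"""


class SlidingWindowBlocker:
    """Per-key counter: more than `threshold` events within `window` blocks the key for `block_for`."""

    def __init__(self, threshold, window, block_for):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self._events = defaultdict(deque)   # key -> event timestamps still inside the window
        self._blocked_until = {}            # key -> datetime at which the block lapses

    def block_expiry(self, key):
        return self._blocked_until.get(key)

    def is_blocked(self, key, now):
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Block expired: forget the key so it starts again with an empty window.
            del self._blocked_until[key]
            self._events.pop(key, None)
            return False
        return True

    def record(self, key, now):
        """Register one event; return True if the key is blocked after this event."""
        if self.is_blocked(key, now):
            return True
        q = self._events[key]
        q.append(now)
        while q and now - q[0] > self.window:      # slide: drop events older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self._blocked_until[key] = now + self.block_for
            return True
        return False


def scan(lines, threshold=100, window=timedelta(minutes=2),
         block_for=timedelta(minutes=10), level="Error", needle="Database error"):
    """Replay log lines through the blocker; report what a ban list would have done."""
    blocker = SlidingWindowBlocker(threshold, window, block_for)
    blocks, dropped, matched = [], 0, 0
    for raw in lines.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["level"] != level or needle not in m["msg"]:
            continue                        # unparsable line or not the error we count
        matched += 1
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        ip = m["ip"]
        was_blocked = blocker.is_blocked(ip, ts)
        if blocker.record(ip, ts):
            if was_blocked:
                dropped += 1                # request would have been aborted at the edge
            else:                           # this event tripped a new block
                blocks.append((ip, blocker.block_expiry(ip).strftime(TS_FORMAT)))
    return {"matched": matched, "blocks": blocks, "dropped": dropped}


if __name__ == "__main__":
    # Lowered threshold so the short constructed sample trips a block.
    print(scan(SAMPLE_LOG, threshold=3))
```

Run as-is it uses a threshold of 3 so the short sample trips a block; with the default 100/2-minute rule nothing in the sample is blocked. In production the same `record()` call would sit in the request path and the block list would be pushed to the firewall. The sliding window matters because a fixed window that resets its counter every N seconds lets nearly twice the threshold through around the reset boundary; the deque here counts only events inside the trailing window, whatever the wall clock says.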

FuseGuard has a "repeat offender" thing that will block an IP address after multiple infractions.

Thanks guys - I'll check it out

If you like a ColdBox dev approach, try the following interceptor I wrote to prevent overloading the system. It sort of greylists IPs for a moment you define. Check the configure method.

Of course, the mentioned hardware and firewall approach performs better, but if you want to prevent users from trying things out, it helps sometimes. Remove the logging to improve speed.

component name="LogoutInterceptor"
    hint="This interceptor blocks all requests from an IP above a certain threshold"
    extends="coldbox.system.Interceptor"
    autowire="true"
    singleton {

    property name="log" inject="logbox:logger:{this}";

    public void function configure() {
        this.threshold = 1000; // number of requests
        this.timing    = 10;   // not more than "threshold" requests per "timing" seconds allowed
        this.block     = 60;   // requests from this IP are blocked for "block" seconds
    }

    public boolean function preEvent(event) {
        var ip      = cgi.remote_addr;
        var now     = getTickCount();
        var doAbort = false;

        // The application scope is shared by every request, so the per-IP entries
        // are kept in their own struct and updated under an exclusive lock.
        lock scope="application" type="exclusive" timeout="5" {
            if (!structKeyExists(application, "ipThrottle")) {
                application.ipThrottle = {};
            }
            if (!structKeyExists(application.ipThrottle, ip)) {
                application.ipThrottle[ip] = { requests = 0, timer = now, blocked = false };
            }
            var entry = application.ipThrottle[ip];

            if (entry.blocked) {
                if (now - entry.timer gt this.block * 1000) {
                    // block expired: forget this IP so it starts with a fresh window
                    log.debug("blocking released for #ip#");
                    structDelete(application.ipThrottle, ip);
                } else {
                    doAbort = true;
                }
            } else {
                if (now - entry.timer gt this.timing * 1000) {
                    // window expired below the threshold: start a new window
                    entry.requests = 0;
                    entry.timer    = now;
                }
                entry.requests++;
                log.info(serializeJSON(entry));
                if (entry.requests gt this.threshold) {
                    entry.blocked = true;
                    entry.timer   = now; // block duration counts from the moment of blocking
                    log.info("limit #this.threshold# reached within #this.timing# s and IP #ip# blocked for #this.block# s");
                    doAbort = true;
                }
            }
        }

        if (doAbort) {
            abort;
        }
        return false;
    }
}

Markus, that is awesome. Can you add it to ForgeBox?