DDOS – jak se bránit?

17. 7. 2015 22:20:23

Zdravím,

mám problém s útokem na jednu podstránku ve wordpresu, již jsem přemýšlel, že ji smažu, ale nevím přesně její učel, tak se snažím najít nové řešení.

Zde pro upřesnění přikládám výpis z acces logu:

2281	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1827	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1748	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2670	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1948	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1780	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2683	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2877	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2925	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2366	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"5905	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2534	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2471	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2752	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2846	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"3076	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2101	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2926	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2699	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2331	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2460	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2583	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2843	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1827	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1807	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1788	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2482	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1951	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1976	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2969	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2258	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2311	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2575	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2722	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2740	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2485	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2693	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2643	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2210	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2624	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2656	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2927	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2410	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2809	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"3018	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2636	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2284	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2135	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2619	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2101	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2592	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1887	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1825	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2596	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2500	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1902	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2449	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2332	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1865	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1908	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1806	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2180	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1812	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1766	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1773	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1815	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1695	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1743	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1738	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1714	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2864	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2338	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1907	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2693	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1855	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1774	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1776	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1777	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2018	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2133	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2897	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1883	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1866	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1858	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"3087	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2711	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2519	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2367	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1830	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2138	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1898	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2586	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1942	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2810	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1852	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2643	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2059	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2705	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1770	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1827	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1867	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1829	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1781	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1746	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2018	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1744	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2428	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2466	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2254	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2191	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1903	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1708	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1763	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1834	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1918	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1831	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1855	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1770	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1873	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1748	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1980	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2296	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1768	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2430	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2201	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1956	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2676	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2046	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2305	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1868	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2802	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1790	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2426	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2050	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1900	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1914	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1874	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1925	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2327	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1795	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1825	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2095	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2268	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"3032	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2647	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2235	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2614	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2850	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1891	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2512	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1763	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"3078	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1795	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2591	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1998	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2926	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1698	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2293	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1772	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1781	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1829	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2503	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2589	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2534	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2042	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2567	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1757	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1793	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1751	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2052	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1843	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2297	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2066	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1920	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1806	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1895	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1808	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1671	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1783	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2376	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1764	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1844	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1766	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2050	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1745	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1820	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1784	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"2365	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1725	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1854	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1766	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1703	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1807	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1699	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1899	141.101.105.10		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"1827	141.101.105.232		199	503	web.cz	"POST /xmlrpc.php HTTP/1.1"

Samozřejmě se nabízí možnost zakázat ip, ale to je jen dočasné řešení (cca 24h) a to i když zakážu celý rozsah 141.101.105

Již jsem se přesunul na cloudflare, ale bohužel to pomohlo jen na týden, nyní to odfiltruje pouze pokud zapnu mód Under attack mode, ale to nemůže být zapnuto nonstop.

Zaplatit premium u cloudflare se mi nevyplatí.

Napadá někoho nějaké řešení?

17. 7. 2015 22:20:23

https://webtrh.cz/diskuse/ddos-jak-se-branit/#reply1127542

Martin Symerský

(2 hodnocení)

17. 7. 2015 22:56:52

Proč nepostačuje zabít ten rozsah? Z kolika adres útočí?

uprav si zdrojáky webu a loguj si někam $SERVER, $GET, $POST.

Až budeš mít data napiš.

17. 7. 2015 22:56:52

https://webtrh.cz/diskuse/ddos-jak-se-branit/#reply1127541

Filip Šedivý

(25 hodnocení)

17. 7. 2015 23:00:20

Odfiltrovat DDoS na aplikační vrstvě, je takřka nemožné jelikož v případě SYN flood nemůžete příchozí spojení odmítnout, to se řeší přímo na serveru.

Také záleží na typu DDoS, ono je jich mnoho. Můžete zkusit IP rozsahy přesměrovat jinam, zda-li to pomůže na úrovni .htaccess, ale není to DDoS ochrana.

Účinnými zařízeními jsou hardwarové boxy které se vkládají buď mezi server a firewall nebo před firewall. Nejznámější českou společností je Radware, který se zabývá těmito útoky. Jelikož je nutné mít dobré HW akcelerační karty, tak jsem četl (příspěvek z roku 2013) že takový box který ochrání před 10Gbps vyjde na 3 miliony korun. Nyní asi ta částka bude jinde, stejně tak jako technologie, ale pod 100 tisíc se jistě nedostaneš.

17. 7. 2015 23:00:20

https://webtrh.cz/diskuse/ddos-jak-se-branit/#reply1127540

Lucas03

(15 hodnocení)

17. 7. 2015 23:01:09

Co takto googlovat to? "xmlrpc.php ddos". Malo by sa to starat o pingback.Ak to nepotrebujes, zablokujes to v htaccess alebo pridanim filtra v zdrojovom kode. Nemaz ten subor, je na viac veci zevraj. Prejdi si par stranok na ten dotaz v gooli a budes mudrejsi.

17. 7. 2015 23:01:09

https://webtrh.cz/diskuse/ddos-jak-se-branit/#reply1127539

Roman Ernst

(24 hodnocení)

17. 7. 2015 23:48:27

Googlovaní jsem samozřejmě zkoušel, ale právě nic konkrétního jsem bohužel nenašel. Jak jsem psal, rozsah jsem samozřejmě zablokoval, ale zítra to bude nový rozsah a takhle to je porad dokola..

17. 7. 2015 23:48:27

https://webtrh.cz/diskuse/ddos-jak-se-branit/#reply1127538

Filip Šedivý

(25 hodnocení)

17. 7. 2015 23:59:35

RErnste, pod diskuze na WordPressu, doporučují blokovat soubor. Ty si zablokoval rozsah.

Do rootu, tedy tam kde ti začínají soubory WordPressu, vlož do vytvořeného souboru .htaccess, nejlépe na začátek tento příznak,

který tvrdí, že pokud je přístup z venku na soubor xmlrpc.php, ať zablokuje veškeré požadavky.

Osobně troufám říci, že se jedná o lepší variantu než blokovat pouze rozsahy. To by vám jen bobtnalo, a web by se zpomaloval.

17. 7. 2015 23:59:35

https://webtrh.cz/diskuse/ddos-jak-se-branit/#reply1127537

petrx