Iptables – Parse Apache logfile and ban IPs

ddosiptablesloggingparsingweb

My server is under attack, it is flooded with request with the following pattern:

Thousands of IPs
Each IP request the same page "GET / HTTP/1.1" with the same referrer 3-5 times per second (same timestamp).

So what I would need is a small shell script which takes the input from "tail -f /var/www/log/access.log" and parses the same for repeated requests with the same timestamp (say 2 request for the same page with same referrer and same time) and adds a iptable rule to drop all packets from this IP.

Best Answer

Have a look at Fail2Ban and at this Howto for an example of filters for Apache log files.

Here's an example that should accomplish what you ask. Please see the manual and adjust to your needs:

/etc/fail2ban/filters.d/apache-attackers.conf

[Definition]
failregex = <HOST> - - [[^]]+] "GET / HTTP/1.1" 200 .* "REFERER"

/etc/fail2ban/local.jail

[DEFAULT]
ignoreip = 127.0.0.1 <an IP you access the system from>

[apache-attackers]
enabled = true
port    = http,https
filter  = apache-attackers
bantime = 86400
logpath = /var/log/httpd/*access_log
maxretry = 5

Enable fail2ban at startup (RHEL/CentOS) and launch it:

chkconfig fail2ban on
service fail2ban start

Note: Tested on RHEL/CentOS, your mileage may vary.

Related Solutions

Iptables, NAT: avoiding limit on max number of requests per IP by using multiple IPs

For tight control, I'd try something along the lines of:

iptables -t nat -A POSTROUTING -s INT_SRC -d EXT_SERVICE --syn --limit MAXREQ/day -j SNAT --to-source EXT_IP1
...

(then I find that's what you already tried :p)

How about using:

iptables -t nat -A POSTROUTING -s INT_SRC -d EXT_SERVICE --syn -j SNAT --to-source EXT_IP_RANGE

Apparently that variant uses a simple round-robin algorithm - I'd try that. I hope your external IPs are in a single range :)

Can't just let further requests fail on their own? Given that you have very specific requirements, I'd probably:

add a --log to the rule
write a daemon that keeps track of the number of service connections made that day and inserts a rule into the FORWARD that drops further connections to that service
have the daemon remove that rule (if present) at midnight and reset its connection count

There doesn't seem to be anything that already exists to handle exactly what you want to do.

Ubuntu – Iptables block layer 7 DDoS attacks

Because HTTP is TCP and TCP requires bi-directional communication, the source addresses of the attacks are actually the attack sources.

Since the sources are known and not spoofed, you can rate-limit in iptables to greatly reduce the request volume per source.

If there are too many sources to get the load manageable that way, you will need to find something about the requests to be able to classify them as droppable, then have your web server drop them. Ideas:

Requests all for the same specific resource?
Irregular headers (are they not requesting compression? sending HTTP/1.0? sending no cookies when normal users would)
Same or predictable user agent?

Best Answer

Related Solutions

Iptables, NAT: avoiding limit on max number of requests per IP by using multiple IPs

Ubuntu – Iptables block layer 7 DDoS attacks

Related Topic