Linux – iptables DROP counters

Tags: ddos, iptables, linux

I've discovered strange connections to my web server from 10 different IP addresses in the same subnet, 46.229.168.0/23.

This subnet belongs to a hosting provider and hardly represents real users.

After that, I've blocked them through iptables.

I'm trying to understand whether I'm being DDoS attacked.

I ran:

iptables -L -v -n

and got the following output:

Chain INPUT (policy ACCEPT 2141K packets, 1607M bytes)
 pkts bytes target     prot opt in     out     source               destination
 158K 9369K DROP       tcp  --  *      *       46.229.168.0/23      0.0.0.0/0            tcp dpt:80

9369K packets were dropped in 24 hours.

Is that enough to say that it's a DDoS attack?

Best Answer

It's too small to be DDoS by bandwidth, but that doesn't in itself mean it's not trying to exploit something in your web server, either for application-layer DoS such as the Range header vulnerability, or for spam.

You don't say what is 'strange' about the connections. Hard-to-explain, moderate-volume traffic can mean you are being co-opted into a reflection attack and the DRDoS victim is elsewhere, usually indicated by the spoofed IP address (layer 3 DRDoS) or URL (layer 7). For example, if you see lots of half-open SYN_RECV connections, then ensure tcp_syncookies is turned on. A layer 7 DRDoS is something like xmlrpc.php calls in WordPress.

However, what you do give is the IP range, and that is related to an aggressive bot called SEMrushBot, as you may be able to see from the User-Agent in the logs. It seems to be a kind of tertiary service that is of no value to you or your visitors, so it may be worth blocking in robots.txt as it suggests:

User-agent: SemrushBot
Disallow: / 
User-agent: SemrushBot-SA
Disallow: / 

or just firewall the suspicious ranges.
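The following Python script is an added example, not part of the question or the answer above, showing how a defender would turn the raw `iptables -L -v -n` counters from the question into rates before deciding whether the volume is worth worrying about. It parses the counter line (embedding the question's output as a constructed sample so it runs offline), expands the K/M/G abbreviations that `iptables -v` uses (run `iptables -L -v -n -x` for exact numbers), and divides by the observation window to get packets per second, bits per second and the average packet size. The 24-hour window and the 100 Mbit/s link capacity are assumptions taken for illustration, not values stated on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample: the chain header and the DROP rule from the question's
# `iptables -L -v -n` output, hard-coded so the script runs without root.
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 2141K packets, 1607M bytes)
 pkts bytes target     prot opt in     out     source               destination
 158K 9369K DROP       tcp  --  *      *       46.229.168.0/23      0.0.0.0/0            tcp dpt:80
"""

# iptables -v abbreviates counters with decimal K/M/G; -x prints exact values.
SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
COUNTER_RE = re.compile(r"(\d+)([KMG]?)")
POLICY_RE = re.compile(
    r"Chain (\S+) \(policy (\S+) (\d+[KMG]?) packets, (\d+[KMG]?) bytes\)"
)


def parse_counter(token):
    """Expand an abbreviated counter such as '158K' to 158000."""
    m = COUNTER_RE.fullmatch(token)
    if not m:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    proto: str
    source: str
    destination: str
    extra: str  # match options after the fixed columns, e.g. 'tcp dpt:80'


def parse_policy(text):
    """Return (packets, bytes) counted by the chain's default policy."""
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            return parse_counter(m.group(3)), parse_counter(m.group(4))
    raise ValueError("no 'Chain ... (policy ...)' header found")


def parse_rules(text):
    """Parse every rule line; chain and column headers are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # A rule line starts with a numeric counter and has at least 9 columns:
        # pkts bytes target prot opt in out source destination [extra...]
        if len(parts) < 9 or not COUNTER_RE.fullmatch(parts[0]):
            continue
        rules.append(Rule(parse_counter(parts[0]), parse_counter(parts[1]),
                          parts[2], parts[3], parts[7], parts[8],
                          " ".join(parts[9:])))
    return rules


def summarise(rule, window_seconds):
    """Average rates over the window the counters were accumulated in."""
    return {
        "pkts_per_s": rule.pkts / window_seconds,
        "bits_per_s": rule.nbytes * 8 / window_seconds,
        # iptables counts IP-layer bytes, so ~60 B/packet means header-only
        # packets (TCP SYNs with options), i.e. connection attempts, not data.
        "avg_pkt_bytes": rule.nbytes / rule.pkts if rule.pkts else 0.0,
    }


def link_fraction(summary, link_bits_per_s):
    """Share of link capacity the dropped traffic would have consumed."""
    return summary["bits_per_s"] / link_bits_per_s


def dropped_share(rule, policy_pkts):
    """Fraction of INPUT packets that hit this rule rather than the policy.
    Policy counters only count packets no rule matched, so add them back."""
    return rule.pkts / (rule.pkts + policy_pkts)


if __name__ == "__main__":
    WINDOW = 24 * 3600          # assumption: counters cover 24 hours
    LINK_BPS = 100_000_000      # assumption: 100 Mbit/s uplink
    policy_pkts, _ = parse_policy(SAMPLE_OUTPUT)
    for rule in parse_rules(SAMPLE_OUTPUT):
        s = summarise(rule, WINDOW)
        print(f"{rule.target} {rule.source} {rule.extra}: "
              f"{s['pkts_per_s']:.2f} pkt/s, {s['bits_per_s']:.0f} bit/s, "
              f"avg {s['avg_pkt_bytes']:.1f} B/pkt, "
              f"{link_fraction(s, LINK_BPS):.2e} of link, "
              f"{dropped_share(rule, policy_pkts):.1%} of INPUT packets")
```

For the question's numbers this comes out at under 2 packets per second and well under 1 kbit/s, about 59 bytes per packet, which is what a stream of blocked SYNs (and their retransmissions) looks like rather than a bandwidth flood; the interesting figure is that the range still accounts for roughly 7% of all INPUT packets, which is why it stood out in the counters.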