
Magento Forum

DDoS Attack, Bots, and Banning IP’s
 
mustangFWL
Jr. Member
 
Total Posts:  9
Joined:  2009-06-12
 

OK, so 2 weeks ago my site was taken offline by a DDoS attack; we had to go in and repair the visitor_log to get it back up. Since then I have been checking the Online users daily, and have been checking IPs. There seem to be a lot of foreign IPs coming from China, Japan, Norway, and a few others; we are a LOCAL business in the US and we are not that well known to be searched for in other countries.

Other IPs that have been on my site are bots: Google bots, Yahoo bots, and MSN bots. Are these good or bad? If bad, what do I need to do to get rid of them?

Is there a way I can ban IPs from Magento? Or do I need to find a 3rd party source to do this?

Any way to pull an IP log?

The performance of my site has gone down a ton since the attack, and I believe it is still under attack, causing the performance to go down. I need help to get rid of this attack and to get my site back to the speed it was at, with all of these IPs gone.

 
 
Crucial Web Host
Guru
 
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 
mustangFWL - 22 June 2011 09:17 AM

OK, so 2 weeks ago my site was taken offline by a DDoS attack; we had to go in and repair the visitor_log to get it back up. Since then I have been checking the Online users daily, and have been checking IPs. There seem to be a lot of foreign IPs coming from China, Japan, Norway, and a few others; we are a LOCAL business in the US and we are not that well known to be searched for in other countries.

It’s difficult to say, but depending on the quantity of these ‘visits’ it’s possible that it is a low-level DDoS; it is more likely, though, that these are just foreign IPs scanning IP space looking for vulnerabilities that they can exploit. Blocking them is futile and blocking them all is impossible.

Other IPs that have been on my site are bots: Google bots, Yahoo bots, and MSN bots. Are these good or bad? If bad, what do I need to do to get rid of them?

These are good; this means that the search engines are indexing your site and pages for their search engine. You do not want to block any search engine bots.

Is there a way I can ban IPs from Magento? Or do I need to find a 3rd party source to do this?

There’s no built-in way to do this directly through Magento; however, you could block them by adding the appropriate blocking entries to the .htaccess file in your root directory. Though this really should be done via your firewall for best effect. Your firewall should be watching for and automatically blocking IPs that are port scanning your system, and you should be able to add IPs to block fairly simply through your firewall software.

Any way to pull an IP log?

You would get these from your web server’s log file, such as the Apache access_log. You would need to parse it for the IPs, but I’m not really sure how far this would get you.

As for performance, I would recommend that you take a look at Magento’s whitepaper regarding improving performance:

http://www.magentocommerce.com/blog/comments/performance-is-key-notes-on-magentos-performance/

Also, make certain that you are regularly maintaining your application: truncating the log_* tables in your database (these grow VERY large, and keeping them small by regularly truncating them can give a dramatic performance increase). This can be automated by using a maintenance script and periodically running it from cron as needed.

The performance of my site has gone down a ton since the attack, and I believe it is still under attack, causing the performance to go down. I need help to get rid of this attack and to get my site back to the speed it was at, with all of these IPs gone.

Again, a firewall like CSF would be helpful in blocking these types of attacks; likewise, the LiteSpeed web server has built-in anti-DDoS features as well.

Best of luck!

 
 
mustangFWL
Jr. Member
 
Total Posts:  9
Joined:  2009-06-12
 
Crucial Web Host - 22 June 2011 09:42 AM

mustangFWL - 22 June 2011 09:17 AM
OK, so 2 weeks ago my site was taken offline by a DDoS attack; we had to go in and repair the visitor_log to get it back up. Since then I have been checking the Online users daily, and have been checking IPs. There seem to be a lot of foreign IPs coming from China, Japan, Norway, and a few others; we are a LOCAL business in the US and we are not that well known to be searched for in other countries.

It’s difficult to say, but depending on the quantity of these ‘visits’ it’s possible that it is a low-level DDoS; it is more likely, though, that these are just foreign IPs scanning IP space looking for vulnerabilities that they can exploit. Blocking them is futile and blocking them all is impossible.

Other IPs that have been on my site are bots: Google bots, Yahoo bots, and MSN bots. Are these good or bad? If bad, what do I need to do to get rid of them?

These are good; this means that the search engines are indexing your site and pages for their search engine. You do not want to block any search engine bots.

Is there a way I can ban IPs from Magento? Or do I need to find a 3rd party source to do this?

There’s no built-in way to do this directly through Magento; however, you could block them by adding the appropriate blocking entries to the .htaccess file in your root directory. Though this really should be done via your firewall for best effect. Your firewall should be watching for and automatically blocking IPs that are port scanning your system, and you should be able to add IPs to block fairly simply through your firewall software.

Any way to pull an IP log?

You would get these from your web server’s log file, such as the Apache access_log. You would need to parse it for the IPs, but I’m not really sure how far this would get you.

As for performance, I would recommend that you take a look at Magento’s whitepaper regarding improving performance:

http://www.magentocommerce.com/blog/comments/performance-is-key-notes-on-magentos-performance/

Also, make certain that you are regularly maintaining your application: truncating the log_* tables in your database (these grow VERY large, and keeping them small by regularly truncating them can give a dramatic performance increase). This can be automated by using a maintenance script and periodically running it from cron as needed.

The performance of my site has gone down a ton since the attack, and I believe it is still under attack, causing the performance to go down. I need help to get rid of this attack and to get my site back to the speed it was at, with all of these IPs gone.

Again, a firewall like CSF would be helpful in blocking these types of attacks; likewise, the LiteSpeed web server has built-in anti-DDoS features as well.

Best of luck!

Thanks, I will give all of this a try… Could the robots be part of the performance issue?
 
 
Crucial Web Host
Guru
 
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 

Could the robots be part of the performance issue?

Well, they could be, but if just search engine bots are causing your site to slow down you will definitely want to consider improving the performance of the application; there are lots of suggestions, from configurations to web servers to upgrading hardware. Ultimately, you need the bots coming to your site to be found in search engines, so I would make sure the site was at the very least able to handle a few bots indexing the site.

 
 
redstage
Sr. Member
 
Total Posts:  173
Joined:  2009-12-04
Hoboken, NJ
 

Here’s a simple extension we created to block IP addresses: http://store.redstage.com/ip-blacklist.html

 
 
EZAPPS
Member
 
Total Posts:  57
Joined:  2012-03-01
Vancouver Island
 

Banning IPs rarely works with DDoS attacks. Most major attacks consist of spoofed IPs. They send packets and your response never actually gets routed back to the source. Your program keeps executing for no reason, and no one gets the page that is generated.

So the most simple answer to this (tested with extremely high load) is to simply identify the attacked pages and, in “index.php”, issue a redirect (then exit the program!):

// Paths under attack; compared against the exact REQUEST_URI, so a request that
// already carries ?allow=true no longer matches and is served normally.
$redirect = array('/attackedurl1', '/attackedurl2');

if (in_array($_SERVER["REQUEST_URI"], $redirect)) {
    // Bounce the client once; only clients that follow the 302 come back.
    header("Location: {$_SERVER['REQUEST_URI']}?allow=true");  // Fix if you need to append GET VARIABLES
    exit();
}

The new REQUEST_URI will have “allow=true” attached to it, and the valid browsers that follow the redirect get through. PHP exits with minimal memory overhead. You can actually do this in NGINX as well, prior to the proxy pass.

Eventually the party responsible for the attack will adjust, but you have to as well. Alternatively, you can write a URL logger that you parse in index.php to find the most requested URLs and block suspicious activity.
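Both the earlier suggestion to parse the Apache access_log for IPs and the suggestion just above to find the most requested URLs come down to the same analysis. The following is an added example in Python (not code from the thread or from Magento) that parses Apache combined-format log lines, counts requests per client address and per path, flags addresses over a request threshold while excluding anything whose User-Agent names a major search crawler, and renders the corresponding Apache 2.2 .htaccess deny entries. The sample log lines are constructed for the example and use documentation address ranges; the function names and the threshold are my own choices.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format. They are made up for
# this example (documentation IP ranges), not taken from the thread or a real site.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [22/Jun/2011:09:00:01 -0700] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Jun/2011:09:00:01 -0700] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Jun/2011:09:00:02 -0700] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Jun/2011:09:00:02 -0700] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jun/2011:09:00:03 -0700] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
66.249.66.1 - - [22/Jun/2011:09:00:04 -0700] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.55 - - [22/Jun/2011:09:00:05 -0700] "GET /index.php HTTP/1.1" 200 5123 "-" "-"
this line is not a valid log entry and is counted as unparsed
"""

# One Apache "combined" LogFormat line: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent fragments of the crawlers the thread says must not be blocked.
SEARCH_BOT_MARKERS = ("Googlebot", "bingbot", "msnbot", "Yahoo! Slurp")


def parse_line(line):
    """Parse one combined-format line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Count requests per client IP and per request path; also count lines that did not parse."""
    by_ip, by_path, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_ip[rec["ip"]] += 1
        by_path[rec["path"]] += 1
    return by_ip, by_path, unparsed


def search_bot_ips(log_text):
    """Addresses whose User-Agent names a major crawler. A UA string is trivially
    forgeable, so this is only a hint that an address should not be auto-blocked;
    the crawler operators publish reverse-DNS checks for real verification."""
    bots = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(marker in rec["ua"] for marker in SEARCH_BOT_MARKERS):
            bots.add(rec["ip"])
    return bots


def flag_ips(by_ip, threshold, exclude=frozenset()):
    """Addresses with at least `threshold` requests, busiest first, minus excluded ones."""
    hits = ((ip, n) for ip, n in by_ip.items() if n >= threshold and ip not in exclude)
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def htaccess_deny_block(ips):
    """Render Apache 2.2 mod_authz_host directives that deny the given addresses."""
    lines = ["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in sorted(ips)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    by_ip, by_path, bad = summarize(SAMPLE_ACCESS_LOG)
    print("busiest paths:", by_path.most_common(3))
    print("unparsed lines:", bad)
    suspects = flag_ips(by_ip, threshold=3, exclude=search_bot_ips(SAMPLE_ACCESS_LOG))
    print("over threshold:", suspects)
    print(htaccess_deny_block(ip for ip, _ in suspects))
```

Run it against a real access_log by reading the file into summarize() instead of the sample string; on a large log, tally per time window rather than over the whole file, since a burst of identical requests against one path is the signal the thread is describing, and a steady trickle over a week is not.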

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hi,

Sorry, but I have to correct you.
Usually DDoS attacks work with botnets which contain a large number of zombies controlled by one (or more) command-and-control server(s).
They don’t spoof IP addresses, simply because most zombies are normal Windows PCs, and as of Windows XP Microsoft removed the ability to send raw packets (which are necessary for spoofed IP packets) with the standard network driver.

It is for sure possible to write a driver and emulate a virtual network card to send spoofed IP packets, but this is a lot of work and very technical, so for most attackers it’s easier to use a big botnet with thousands of hacked zombie computers instead of writing rootkit-like kernel-mode drivers to send spoofed IP packets.

Just my 2 cents.

The best way to fight DDoS is to install a hardware firewall which is able to detect attacks based on huge amounts of the same traffic (like always accessing http://example.com/index.php).

 
 
EZAPPS
Member
 
Total Posts:  57
Joined:  2012-03-01
Vancouver Island
 
thebod - 18 March 2012 03:22 PM

The best way to fight DDoS is to install a hardware firewall which is able to detect attacks based on huge amounts of the same traffic (like always accessing http://example.com/index.php).

I think we’ve just had completely different experiences. I’ve been behind top-of-the-line hardware that couldn’t do a thing because it had no discernible method of differentiating good traffic from bad (couldn’t do it by IPs, at least, with 40K unique offenders an hour). Which do you normally use, if you don’t mind me asking? I’d love to have some other alternatives.

My last go at it was a worst-case scenario (other than the fact that only 10 URIs were being hit). After the utter failure of hardware to manage it, and as a method of last resort, I simply did what I mentioned above, and only good traffic followed the 302s.

I’ve had data centers and authorities even claim past attacks were completely spoofed.

There are probably all sorts of different flavors of attacks, so if it seems like you are getting either, respond accordingly. The more options, the better.

In any case, IP blocking at the PHP level probably isn’t going to be effective for an attack of any magnitude.

 
 
spaunie
Jr. Member
 
Total Posts:  16
Joined:  2011-04-22
 
EZAPPS - 15 March 2012 05:23 PM

Banning IPs rarely works with DDoS attacks. Most major attacks consist of spoofed IPs. They send packets and your response never actually gets routed back to the source. Your program keeps executing for no reason, and no one gets the page that is generated.

So the most simple answer to this (tested with extremely high load) is to simply identify the attacked pages and, in “index.php”, issue a redirect (then exit the program!):

// Paths under attack; compared against the exact REQUEST_URI, so a request that
// already carries ?allow=true no longer matches and is served normally.
$redirect = array('/attackedurl1', '/attackedurl2');

if (in_array($_SERVER["REQUEST_URI"], $redirect)) {
    // Bounce the client once; only clients that follow the 302 come back.
    header("Location: {$_SERVER['REQUEST_URI']}?allow=true");  // Fix if you need to append GET VARIABLES
    exit();
}

The new REQUEST_URI will have “allow=true” attached to it, and the valid browsers that follow the redirect get through. PHP exits with minimal memory overhead. You can actually do this in NGINX as well, prior to the proxy pass.

Eventually the party responsible for the attack will adjust, but you have to as well. Alternatively, you can write a URL logger that you parse in index.php to find the most requested URLs and block suspicious activity.

I would like to try your fix for a DDoS attack. If all the requests are attacking my base URL “xyzxyz.com”, would I just replace your ‘/attackedurl1’, ‘/attackedurl2’ section with my base URL and then place the entire code anywhere in index.php? Or should it be ‘baseurl.com/index.php’? Is http:// required in front of the base URL?

Thanks for any help you can provide!
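The redirect-and-exit check quoted above, modelled in Python as an added example (it is not EZAPPS’s code and not something posted in the thread). The model compares only the path part of the request URI, which is what $_SERVER['REQUEST_URI'] normally holds (no scheme, no hostname), so the list contains entries like '/' or '/index.php'; and it merges the marker into any existing query string, the case the original snippet’s “append GET VARIABLES” comment leaves to the reader. The names challenge_redirect, simulate_client and ALLOW_PARAM are my own; the request URIs used in the demonstration are constructed.

```python
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# The marker the forum snippet appends; a client that comes back carrying it is served.
ALLOW_PARAM = "allow"


def challenge_redirect(request_uri, challenged_paths):
    """Decide what index.php should do with one request.

    Returns None when the request should be served normally, or the value for a
    302 Location header when the client must be bounced first. Matching is on
    the path only, so '/' covers the base URL and '/index.php' the front
    controller; hostnames and 'http://' never appear in REQUEST_URI.
    """
    parts = urlsplit(request_uri)            # REQUEST_URI normally has only path + query
    if parts.path not in challenged_paths:
        return None
    # Merge the marker into the existing query string instead of blindly
    # appending "?allow=true", which would corrupt a URI that already has one.
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get(ALLOW_PARAM) == ["true"]:
        return None                          # already followed the redirect once
    query[ALLOW_PARAM] = ["true"]
    return urlunsplit(("", "", parts.path, urlencode(query, doseq=True), ""))


def simulate_client(request_uri, challenged_paths, follows_redirects):
    """Model one client against the check. Browsers follow the 302 and are served
    on the second request; a flood tool that only fires raw requests at the
    original URI never makes it past the redirect and costs almost nothing."""
    location = challenge_redirect(request_uri, challenged_paths)
    if location is None:
        return "served"
    if not follows_redirects:
        return "dropped"
    # A well-behaved client retries at the Location it was given.
    return "served" if challenge_redirect(location, challenged_paths) is None else "dropped"


if __name__ == "__main__":
    paths = {"/", "/index.php"}               # constructed: base URL plus front controller
    for uri in ("/", "/index.php", "/?q=shoes", "/index.php?allow=true", "/about"):
        print(f"{uri:28} -> Location: {challenge_redirect(uri, paths)}")
    print("browser:", simulate_client("/index.php", paths, follows_redirects=True))
    print("flood tool:", simulate_client("/index.php", paths, follows_redirects=False))
```

The marker is a fixed string, so the check filters only clients that never follow redirects; it does not distinguish a browser from any other client that does, which is the limit the thread already notes when it says the other side will adjust.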

 
 
serpyre
Enthusiast
 
Total Posts:  771
Joined:  2013-05-20
 

The attacks are becoming more sophisticated, so a simple redirect normally does not work; it is the cost of business on the web. You have CloudFlare and others, but they are pretty reluctant to touch already-attacked sites. We work with another company who have DDoS, brute force, SYN flood and other types of mitigation; however, if your site is small they would not be suitable. Try the redirects, but in reality once you are listed it is a tough road.

 