Subject: ddos defense for novabbs.com
From: Retro Guy
Newsgroups: rocksolid.nodes
Organization: Rocksolid Light
Date: Fri, 20 Dec 2019 08:05 UTC
While I have in place defense for i2p and tor, I did not for clearnet. The site has been brought down almost daily for a while now, so I finally did something about it.

I'm seeing blacklisting in the logs now, quite a bit, and the site is running much faster. This applies to news.novabbs.com (rslight) and www.novabbs.com (fudforum).

We'll see how it goes.

Retro Guy
--
Posted on Rocksolid Light


Subject: Re: ddos defense for novabbs.com
From: anonymous
Newsgroups: rocksolid.nodes
Organization: def2
Date: Thu, 21 May 2020 19:22 UTC
References: 1
care to describe what you did exactly? and on which level of the stack?
--
Posted on def2
z5bqfv5v75kxy7pj.onion


Subject: Re: ddos defense for novabbs.com
From: Retro Guy
Newsgroups: rocksolid.nodes
Organization: Rocksolid Light
Date: Fri, 22 May 2020 08:32 UTC
References: 1 2
anonymous wrote:

> care to describe what you did exactly? and on which level of the stack?

Most of what I was seeing was more than just rudely configured spiders (which tend to go through a site at a high rate of speed). I was seeing the same pages being requested very fast, over and over again from the same IP addresses. Since the addresses would be the same for a while, then completely new addresses, just blocking them would not work.

For tor this doesn't work, but for i2p (on the same machine) and clearnet, I've had great results with the nginx Limit Req Module http://nginx.org/en/docs/http/ngx_http_limit_req_module.html

From the site:
The ngx_http_limit_req_module module (0.7.21) is used to limit the request processing rate per a defined key, in particular, the processing rate of requests coming from a single IP address. If the requests rate exceeds the rate configured for a zone, their processing is delayed such that requests are processed at a defined rate. Excessive requests are delayed until their number exceeds the maximum burst size in which case the request is terminated with an error.
-------------

This does not protect against many types of attacks, but for just trying to shut the site down by overloading it, it's working very well. I've tied in the IP address logs to fail2ban to temporarily ban the offending IP addresses. Since setting this up, I have not needed to restart php-fpm or nginx a single time.

Retro Guy

--
Posted on: Rocksolid Light
news.novabbs.com


Subject: Re: ddos defense for novabbs.com
From: anonymous
Newsgroups: rocksolid.nodes
Organization: def2
Date: Fri, 22 May 2020 10:50 UTC
References: 1 2 3
> The ngx_http_limit_req_module module (0.7.21) is used to limit the request processing rate per a defined key, in particular, the processing rate of requests coming from a single IP address. If the requests rate exceeds the rate configured for a zone, their processing is delayed such that requests are processed at a defined rate. Excessive requests are delayed until their number exceeds the maximum burst size in which case the request is terminated with an error.

he, that is almost exactly the same as i did for boxs, only in this case the functionality is in the script itself, not on the level of the webserver (and of course it is not ip based, because that would be useless on tor, but only goes by the total number of requests).
always a good sign if two parties come up with the same solution independently.
:-)

cheers

trw
--
Posted on def2
z5bqfv5v75kxy7pj.onion
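
The two approaches discussed in this thread, modelled as an added example (not code from either poster, nginx or fail2ban): a simplified leaky bucket in the spirit of limit_req that rejects rather than delays, keyed either per address with a fail2ban-style ban or by one shared counter as in the script-level variant. The class and function names, the rate, burst and maxretry values, and the addresses are assumptions constructed for illustration.

```python
# Added example: simplified model of limit_req-style leaky-bucket limiting
# plus a fail2ban-like ban. All addresses and numbers are constructed.
from collections import Counter

class LeakyBucket:
    """rate in requests/second, burst in requests; time in integer ms."""
    def __init__(self, rate, burst):
        self.rate, self.burst_milli = rate, burst * 1000
        self.state = {}  # key -> (excess in 1/1000 request, last accepted ms)

    def allow(self, key, now_ms):
        if key not in self.state:            # first request for this key
            self.state[key] = (0, now_ms)
            return True
        excess, last = self.state[key]
        # drain at the configured rate, then add this request
        excess = max(0, excess - self.rate * (now_ms - last) + 1000)
        if excess > self.burst_milli:        # over burst: reject, state unchanged
            return False
        self.state[key] = (excess, now_ms)
        return True

def run(events, key_fn, rate=1, burst=5, maxretry=None):
    """events: (ms, client) pairs. Returns {client: Counter(ok/limited/banned)}."""
    bucket, strikes, banned = LeakyBucket(rate, burst), Counter(), set()
    result = {}
    for now_ms, client in sorted(events):
        tally = result.setdefault(client, Counter())
        if client in banned:                 # dropped before reaching the server
            tally["banned"] += 1
        elif bucket.allow(key_fn(client), now_ms):
            tally["ok"] += 1
        else:
            tally["limited"] += 1            # the event a log watcher would count
            strikes[client] += 1
            if maxretry is not None and strikes[client] >= maxretry:
                banned.add(client)
    return result

# Constructed traffic: one client at 20 requests/s for 2 s, one occasional reader.
FLOOD = [(t, "203.0.113.7") for t in range(0, 2000, 50)]
READER = [(25, "198.51.100.20"), (1525, "198.51.100.20")]

def per_ip_with_ban():      # keyed per address, ban after 10 limited requests
    return run(FLOOD + READER, key_fn=lambda ip: ip, maxretry=10)

def global_counter():       # one shared bucket, for when addresses mean nothing
    return run(FLOOD + READER, key_fn=lambda ip: "all")
```

With the per-address key the occasional reader is never limited, while the shared counter also rejects one of the reader's two requests: the cost of limiting on total request count when the source address cannot be used.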

