When a DDoS attack arrives from rotating source addresses within a single IP range, as in the following access log:
```
15.177.18.21 - - [25/Aug/2024:17:23:36 +0000] "GET / HTTP/1.1" 301 -
15.177.6.152 - - [25/Aug/2024:17:23:36 +0000] "GET / HTTP/1.1" 301 -
15.177.22.36 - - [25/Aug/2024:17:23:36 +0000] "GET / HTTP/1.1" 301 -
15.177.10.173 - - [25/Aug/2024:17:23:36 +0000] "GET / HTTP/1.1" 301 -
15.177.54.102 - - [25/Aug/2024:17:23:37 +0000] "GET / HTTP/1.1" 301 -
15.177.62.236 - - [25/Aug/2024:17:23:39 +0000] "GET / HTTP/1.1" 301 -
43.129.185.154 - - [25/Aug/2024:17:23:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 271
15.177.14.109 - - [25/Aug/2024:17:23:41 +0000] "GET / HTTP/1.1" 301 -
15.177.38.78 - - [25/Aug/2024:17:23:42 +0000] "GET / HTTP/1.1" 301 -
103.254.194.94 - - [25/Aug/2024:17:23:50 +0000] "POST /xmlrpc.php HTTP/1.1" 200 271
15.177.26.152 - - [25/Aug/2024:17:23:51 +0000] "GET / HTTP/1.1" 301 -
15.177.30.201 - - [25/Aug/2024:17:23:51 +0000] "GET / HTTP/1.1" 301 -
15.177.34.74 - - [25/Aug/2024:17:23:52 +0000] "GET / HTTP/1.1" 301 -
15.177.58.20 - - [25/Aug/2024:17:23:55 +0000] "GET / HTTP/1.1" 301 -
15.177.50.211 - - [25/Aug/2024:17:23:57 +0000] "GET / HTTP/1.1" 301 -
13.67.78.117 - - [25/Aug/2024:17:23:57 +0000] "POST /xmlrpc.php HTTP/1.1" 200 271
15.177.42.60 - - [25/Aug/2024:17:23:58 +0000] "GET / HTTP/1.1" 301 -
15.177.46.195 - - [25/Aug/2024:17:23:59 +0000] "GET / HTTP/1.1" 301 -
15.177.2.58 - - [25/Aug/2024:17:24:02 +0000] "GET / HTTP/1.1" 301 -
170.64.132.32 - - [25/Aug/2024:17:24:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 271
15.177.18.21 - - [25/Aug/2024:17:24:06 +0000] "GET / HTTP/1.1" 301 -
15.177.22.36 - - [25/Aug/2024:17:24:06 +0000] "GET / HTTP/1.1" 301 -
15.177.6.152 - - [25/Aug/2024:17:24:06 +0000] "GET / HTTP/1.1" 301 -
15.177.10.173 - - [25/Aug/2024:17:24:07 +0000] "GET / HTTP/1.1" 301 -
15.177.54.102 - - [25/Aug/2024:17:24:07 +0000] "GET / HTTP/1.1" 301 -
15.177.62.236 - - [25/Aug/2024:17:24:09 +0000] "GET / HTTP/1.1" 301 -
15.177.14.109 - - [25/Aug/2024:17:24:11 +0000] "GET / HTTP/1.1" 301 -
15.177.38.78 - - [25/Aug/2024:17:24:12 +0000] "GET / HTTP/1.1" 301 -
```
Block addresses in ‘15.177.0.0/16’ that connect more than 15 times in 60 seconds (the recent module counts hits per source address, not for the range as a whole).
```bash
# --update only matches addresses already in the recent list, so a --set rule must record each source first
sudo iptables -A INPUT -s 15.177.0.0/16 -m recent --set --name HTTP
sudo iptables -A INPUT -s 15.177.0.0/16 -m recent --update --seconds 60 --hitcount 15 --name HTTP -j DROP
# cf. iptables -A INPUT -p tcp --dport 80 -m recent --set --name HTTP
#     iptables -A INPUT -p tcp --dport 80 -m recent --update --seconds 1 --hitcount 10 --name HTTP -j DROP
#     Blocks access to port 80 more than 10 times in 1 second.
```
(Application 1) Block addresses in ‘15.177.0.0/16’ that connect more than 3 times in 30 seconds.
```bash
sudo iptables -A INPUT -s 15.177.0.0/16 -m recent --set
sudo iptables -A INPUT -s 15.177.0.0/16 -m recent --update --seconds 30 --hitcount 3 -j DROP
```
(Application 2) Drop packets from ‘15.177.0.0/16’ that contain the string ‘GET / HTTP/1.1’. Because the TCP handshake has already completed by the time the request payload is inspected, the connection stays open until the server's request timeout, which is why the log changes to a 408.
```bash
sudo iptables -A INPUT -s 15.177.0.0/16 -m string --string 'GET / HTTP/1.1' --algo bm -j DROP
# result: the log entry changed from "GET / HTTP/1.1" 301 - to "-" 408 -
```
(Application 3) Rate-limit TCP packets from ‘15.177.0.0/16’ with the limit module: packets beyond the allowance (2 per second in the command below, after the initial burst) are dropped. Unlike the recent module, this counts the whole rule's traffic, so it throttles the range as an aggregate. (effective)
```bash
# -m limit matches packets that are still WITHIN the allowance, so the match must ACCEPT
# and a following rule drops the excess; DROP on the match itself would invert the intent.
sudo iptables -A INPUT -s 15.177.0.0/16 -p tcp -m limit --limit 2/s -j ACCEPT
sudo iptables -A INPUT -s 15.177.0.0/16 -p tcp -j DROP
# cf. iptables -A INPUT -p tcp -m limit --limit 100/m --limit-burst 10 -j ACCEPT, followed by a '-p tcp -j DROP' rule
# default '--limit-burst 5' when not specified
# or, with a higher allowance: 'iptables -A INPUT -s 15.177.0.0/16 -p tcp -m limit --limit 4/s -j ACCEPT'
```
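Why the per-address threshold of the recent rules never trips on this traffic while the aggregate limit in Application 3 does, shown on a constructed subset of the log above (added example, not part of the original post): `peak_hits` evaluates a sliding window the way `-m recent --seconds N --hitcount M` does, and `per_address` / `per_prefix16` are this example's own key functions for counting per source address versus per /16.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample in the same pattern as the log above (a subset, not the full capture):
# the 15.177.0.0/16 range rotates source addresses, so each address appears at most twice.
SAMPLE_LOG = """\
15.177.18.21 - - [25/Aug/2024:17:23:36 +0000] "GET / HTTP/1.1" 301 -
15.177.6.152 - - [25/Aug/2024:17:23:36 +0000] "GET / HTTP/1.1" 301 -
15.177.22.36 - - [25/Aug/2024:17:23:36 +0000] "GET / HTTP/1.1" 301 -
15.177.10.173 - - [25/Aug/2024:17:23:36 +0000] "GET / HTTP/1.1" 301 -
15.177.54.102 - - [25/Aug/2024:17:23:37 +0000] "GET / HTTP/1.1" 301 -
43.129.185.154 - - [25/Aug/2024:17:23:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 271
15.177.62.236 - - [25/Aug/2024:17:23:39 +0000] "GET / HTTP/1.1" 301 -
15.177.14.109 - - [25/Aug/2024:17:23:41 +0000] "GET / HTTP/1.1" 301 -
15.177.18.21 - - [25/Aug/2024:17:24:06 +0000] "GET / HTTP/1.1" 301 -
15.177.6.152 - - [25/Aug/2024:17:24:06 +0000] "GET / HTTP/1.1" 301 -
""".splitlines()
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3}')

def parse(line):
    """Return (source_ip, timestamp) for a combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def peak_hits(lines, key_fn, window_seconds):
    """Highest number of requests per key inside any sliding window of window_seconds.
    Mirrors what 'xt_recent --seconds N --hitcount M' evaluates; key_fn chooses whether
    hits are counted per source address (as the module does) or per enclosing prefix."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ip, when in filter(None, map(parse, lines)):   # log lines are in time order
        key = key_fn(ip)
        q = recent[key]
        q.append(when)
        while (when - q[0]).total_seconds() >= window_seconds:
            q.popleft()                                  # expire hits outside the window
        peak[key] = max(peak[key], len(q))
    return dict(peak)

def per_address(ip):
    return ip
def per_prefix16(ip):
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))

if __name__ == "__main__":
    print("per address:", peak_hits(SAMPLE_LOG, per_address, 60))   # every address peaks at 1 or 2
    print("per /16    :", peak_hits(SAMPLE_LOG, per_prefix16, 60))  # 15.177.0.0/16 peaks at 9
```

Against the full capture the per-address peak is still 2, far below `--hitcount 15` or even `--hitcount 3`, while the /16 aggregate is what the limit rule actually meters.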