My solution for an ongoing ddos attack

freddan_6
Joomla! Fledgling
Posts: 3
Joined: Wed Feb 14, 2018 12:53 pm

My solution for an ongoing ddos attack

Post by freddan_6 » Sat May 12, 2018 9:32 am

Hi
I am a Joomla newbie but have a lot of experience in Linux. This way of avoiding a DDOS (Distributed Denial of Service) attack works, but there is probably a smarter automatic way out there. If someone has one, please share, to make us all survive DDOS.

So I got a spam attack yesterday. Someone used our forum to send email to Chinese accounts. Since the mail was in Chinese I am not certain, but Google Translate said it was online casino. Anyway, I added the captcha "The New Recaptcha" to my site (http://www.spinndiscfk.se). So the Chinese guys started accessing one of the pages in a DDOS attack. I have been hosting the server in my house, but have moved it to EC2 (Amazon) because I am personally moving and don't want the frisbee club's page down during my move.

So I have set up something similar to the previous hosting, with a virtual host in Apache that directs to Joomla if accessed by the name http://www.spinndiscfk.se or spinndiscfk.se. If those names are not used, the default page is shown, where I have a statistics setup with awstats.pl (on a hidden link behind the Ubuntu default page).

So this morning I got no response from the server, but the Apache error log said:
[Sat May 12 06:26:54.538725 2018] [fastcgi:error] [pid 19740] [client 203.189.235.163:56842] FastCGI: comm with server "/usr/lib/cgi-bin/php7-fcgi-www.spinndiscfk.se" aborted: idle timeout (30 sec), referer: (a contact formula).
I got around 200 of these accesses each minute, enough to exhaust the memory of the server.

So I checked the awstats.pl site for the most frequently accessing sites and just removed their access with a hard-coded <RequireAll> in the Apache site config. I hardcoded the top 52 domains. With each line I blocked a class B net,
so the line above would render "require not ip 203.189.235.163/16".
Something like this is added to each of the Apache site config files: (And yes, I know there are some duplicates, but I am a lazy person)

<DirectoryMatch /var/www/vhost/www.spinndiscfk.se/*>
<RequireAll>
# everyone is allowed in, except the /16 ranges listed below
require all granted
require not ip 122.10.84.248/16
require not ip 96.45.82.85/16
require not ip 117.67.136.33/16
require not ip 103.240.183.179/16
require not ip 114.217.139.230/16
require not ip 103.42.180.120/16
require not ip 45.114.11.244/16
require not ip 103.240.182.231/16
require not ip 45.127.97.22/16

....
</RequireAll>
</DirectoryMatch>
Last edited by mandville on Sat May 12, 2018 10:19 am, edited 1 time in total.
Reason: Retitled

freddan_6
Joomla! Fledgling
Posts: 3
Joined: Wed Feb 14, 2018 12:53 pm

Re: My solution for an ongoing ddos attack

Post by freddan_6 » Sat May 12, 2018 11:08 am

At lower stress I started to think for myself. I am using iptables also (not removing the RequireAll tag in apache2).
This is more dynamic and I run it from cron every 5th minute.
My script contains 4 lines. I check the 1000 last accesses to the web server. The word "robin" is something unique to the page the DDOS attack goes to. awk prints out the first "word", which is the IP address in my Apache log. It adds the IP address to something iptables should drop. It collects all matches in a file. It makes the file executable. I run the file.

#!/bin/bash
# Last 1000 requests -> only those for the attacked page ("robin") -> client IP ($1 in the Apache log).
# Each unique IP becomes a DROP rule; "iptables -C" first checks whether that rule already exists,
# so running this from cron every 5 minutes does not append the same rule over and over.
tail -1000 /var/log/apache2/access.log|grep robin|awk '{print "iptables -C INPUT -s " $1 " -j DROP 2>/dev/null || iptables -A INPUT -s " $1 " -j DROP"}'|sort -n|uniq > ip.ddos.list.sh
chmod a+x ip.ddos.list.sh
# run the generated rules (use an absolute path here when started from cron)
sudo ./ip.ddos.list.sh
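
As an added example (not freddan_6's script and not part of the original thread), the same idea taken one step further: count hits per client IP on the attacked page over the last log lines, emit DROP rules only for IPs above a threshold so a single legitimate visitor to that page is not cut off, and match only the request path so the keyword in a referer or User-Agent does not count; `iptables -C` keeps repeated cron runs from appending duplicate rules. Assumed: Apache combined log format with the client IP as the first field; the log lines and addresses below are constructed sample data.

```shell
#!/bin/bash
# Added example: threshold-based blocking of clients hammering one page.
# Assumed Apache combined log format: $1 = client IP, $7 = request path.

# Constructed sample access log (documentation IP ranges, not real attackers).
SAMPLE_LOG='192.0.2.10 - - [12/May/2018:06:26:54 +0200] "POST /contact/robin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2018:06:26:55 +0200] "POST /contact/robin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2018:06:26:56 +0200] "POST /contact/robin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2018:06:27:01 +0200] "GET /contact/robin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2018:06:27:02 +0200] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2018:06:27:03 +0200] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2018:06:27:04 +0200] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'

# offenders PATTERN THRESHOLD   (log lines on stdin)
# Prints one IP per line for every client whose request path matched PATTERN
# at least THRESHOLD times. Only field 7 (the path) is tested, so the keyword
# appearing in a referer or User-Agent string does not count as a hit.
offenders() {
  awk -v pat="$1" -v thr="$2" '
    $7 ~ pat { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= thr) print ip }
  ' | sort
}

# block_rules PATTERN THRESHOLD   (log lines on stdin)
# One iptables command per offender. "-C" checks whether the identical rule is
# already present and only then does "-A" append it, so a cron job calling this
# every few minutes does not pile up duplicate DROP rules.
block_rules() {
  offenders "$1" "$2" | while read -r ip; do
    printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -A INPUT -s %s -j DROP\n' "$ip" "$ip"
  done
}

# Stand-alone run on the constructed sample. In production replace SAMPLE_LOG with
# `tail -1000 /var/log/apache2/access.log` and pipe the output to sh as root.
printf '%s\n' "$SAMPLE_LOG" | block_rules robin 3
```

Rules added this way live only in the running kernel; they are gone after a reboot unless saved with the distribution's iptables persistence tooling.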

