My web servers are behind ELB, I want to block traffic from some specific user agent which is a DDOS attack. Apache always see ip address of ELB as an end user so I tried below attempts:
- Blocking IP address at ELB level is not possible because it has limit of 20 IP addresses and IP addresses change at every attack.
Block access using rewrite condition, this works but if lot of hits come then server load goes beyond 100 and all apache threads become busy in serving tons of 403 so site appears down for legitimate requests.
RewriteCond %{HTTP_USER_AGENT} ^SomeThing
RewriteRule ^(.*)$ - [F]Block with mod_sec does same thing of serving 403 which create same effect as #2 above.
Block packets with iptables string module: Block packets which have specific user agent. In this scenario iptables sends DROP/ REJECT to attacker, apache doesn't get signal that the connections is now dead and waits for a timeout which cause all apache threads in use for timeout, so this method is not useful here.
iptables -I INPUT -i eth0 -p tcp --dport 80 -m string --algo bm --string 'user-agent: SomeThing' -j REJECT
Can I use iptables such way that it will get IP address from first packet which has user-agent: SomeThing and block all the next packets which has X-Forwarded-For: someIP for 4-5 hours. I don't want to keep the IP address blocking always as these IP Addresses can be assigned to some legitimate users and that will be blocked.
Or is there any other better way to handle this attack ?
No comments:
Post a Comment