DDOS Attacks

[johu]

Starting yesterday we saw massive bulks of requests that overloaded our server. I blocked the most active subnets but it is near impossible to catch all.

I'm not sure who is behind this and what their intention is.

A frequently queried item is the memberlist which I now bluntly disabled. This takes some load off the database. I also pruned all users that never posted anything and were last active before 2025.

I will keep this topic updated.

[Proton]

That is weird. Hopefully they cannot VPN into another country and do it from there. Maybe some kids.

[johu]

Today it somewhat picked up again, this time from Brazil. I have removed the Vietnam ban and banned some hand-asorted subnets.
BTW you can see something is wrong when there are more than, say, 200 active users

[Proton]

If that server is at home you can install a PFsense firewall - Free software and then you can have lists added to known bad servers or IPs.

You just need a computer with 2 NIC cards

these are some of my lists.

Screenshot from 2025-05-15 11-16-48.png

you can also have VPN tunnels from you phones or PC to send all traffic back home through your firewall. All phones in my family send all traffic back home tunneled . that way you can connect to any wifi hotspts and nobody can see your traffic.

Screenshot from 2025-05-15 11-26-40.png

I installed the pFsense software on something like this:

https://www.aliexpress.us/item/32568068 ... 00237956_2

Screenshot from 2025-05-15 11-19-54.png

You just have to compare the processors to see what you need.

Screenshot from 2025-05-15 11-23-31.png

they all use about 6W but the n150 has more power.

[linda.ljungdahl]

Seems like most of the pictures getts http 500 errors on the openinverter wiki when you klick on them, is that related to this in any way?

image.png

/Linda

[linda.ljungdahl]

is there a way to download the openinverter wiki database to browse it offline with kiwix?

/Linda

[johu]

Seems like most of the pictures getts http 500 errors on the openinverter wiki when you klick on them, is that related to this in any way?

Thanks for pointing that out. That must be caused by one of the recent updates though. Am looking into it.

If that server is at home you can install a PFsense firewall - Free software and then you can have lists added to known bad servers or IPs.

The forum runs on a hired server somewhere in Germany, so can't play with the hardware. I assume the PFSense Firewall could be installed on it?

[johu]

I installed MediaWiki 1.43.1 now and disabled the newly installed SemanticBundle (viewtopic.php?p=82317#p82317). This was the last alteration 10 days ago and I'm afraid it may have broken things. The installation was very intrusive.

[Proton]

The forum runs on a hired server somewhere in Germany, so can't play with the hardware. I assume the PFSense Firewall could be installed on it?

I am sure Iit can Be installed on a VM but not sure whatbis involved.

[johu]

The requests are still going, now from China also. I will need to find a solution that automatically blocks an entire /16 subnet as soon as it detects too many requests from that same subnet. That is what I currently do manually.

[Proton]

The requests are still going, now from China also. I will need to find a solution that automatically blocks an entire /16 subnet as soon as it detects too many requests from that same subnet. That is what I currently do manually.

can you limit the max connection per second from an IP address on your web server? You would think that the webhosting provider would give you that optinon.

Pfsense has a way to do that but you would have to make the pFsense your default gateway. Pfsense would need to have your public IP and your
webserver to be behind Pfsense.


"
1. Configuring Firewall Rules for DDoS Mitigation

pfSense's firewall rules are your first line of defense against DDoS attacks. By setting up specific rules, you can filter out malicious traffic and protect your network.

Block Malicious IPs: Manually block known malicious IP addresses or use automated blocklists from sources like Emerging Threats. Navigate to Firewall > Aliases and add these IPs to a block list.
Restrict Traffic by Geographic Region: Use pfBlockerNG to block traffic from countries that are not relevant to your user base. This reduces the risk of attacks originating from certain regions.
- Limit Incoming Connections: Set up rules to limit the number of connections per second from a single IP address under Firewall > Rules > WAN. This helps mitigate floods from individual IPs.

2. Using pfBlockerNG for Enhanced Protection

pfBlockerNG is a powerful tool within pfSense that allows for advanced IP and domain blocking capabilities. It's essential for automated updates and enhanced DDoS protection.

Install pfBlockerNG: Go to System > Package Manager > Available Packages and install pfBlockerNG.
Enable GeoIP Blocking: Block traffic based on country using GeoIP filtering. This is especially useful for blocking traffic from regions where you don't expect legitimate users.
Automated Block Lists: Configure pfBlockerNG to download and apply multiple IP block lists. These lists can focus on known malicious IPs, botnets, and other harmful sources.

[johu]

Since removing the firewall rules the DDOS picked up again. Their nature is that no single IP causes a lot of requests but rather many 100 or 1000 IPs create one request per second or so. So it is hard to distinguish from legit activity.

Currently looking into things such as "JavaScript Computational Challenge" that requires the browser to execute some javascript to put more load onto the attackers side or even block it out that way if it doesn't attempt to solve the challenge.