DDOS - Entire Country of Vietnam banned

johu
Site Admin
Posts: 6674
Joined: Thu Nov 08, 2018 10:52 pm
Location: Kassel/Germany
Has thanked: 359 times
Been thanked: 1517 times

DDOS - Entire Country of Vietnam banned

Post by johu »

Starting yesterday we saw massive bulks of requests that overloaded our server. I blocked two of the most active subnets and the requests stopped.

Today though I found the situation to be even worse. I searched some of the subnets and found they all originated from Vietnam.

So as a temporary measure I have blocked the entire Vietnam subnet list (there are many) in the firewall.

I'm not sure who is behind this and what their intention is. I'm sorry for every legit member or reader from Vietnam who is now blocked, but I have to keep this up until the attacks stop.

I will keep this topic updated.
Support R/D and forum on Patreon: https://patreon.com/openinverter - Subscribe on odysee: https://odysee.com/@openinverter:9
Proton
Posts: 261
Joined: Sat May 06, 2023 2:23 am
Location: Georgia/US
Has thanked: 173 times
Been thanked: 27 times

Re: DDOS - Entire Country of Vietnam banned

Post by Proton »

That is weird. Hopefully they cannot VPN into another country and do it from there. Maybe some kids.
johu
Site Admin
Posts: 6674
Joined: Thu Nov 08, 2018 10:52 pm
Location: Kassel/Germany
Has thanked: 359 times
Been thanked: 1517 times

Re: DDOS - Entire Country of Vietnam banned

Post by johu »

Today it somewhat picked up again, this time from Brazil. I have removed the Vietnam ban and banned some hand-assorted subnets.
BTW you can see something is wrong when there are more than, say, 200 active users.
Proton
Posts: 261
Joined: Sat May 06, 2023 2:23 am
Location: Georgia/US
Has thanked: 173 times
Been thanked: 27 times

Re: DDOS - Entire Country of Vietnam banned

Post by Proton »

If that server is at home you can install a pfSense firewall - free software - and then you can have lists added to known bad servers or IPs.

You just need a computer with 2 NIC cards.

These are some of my lists.
Screenshot from 2025-05-15 11-16-48.png

You can also have VPN tunnels from your phones or PC to send all traffic back home through your firewall. All phones in my family send all traffic back home tunneled. That way you can connect to any wifi hotspots and nobody can see your traffic.
Screenshot from 2025-05-15 11-26-40.png

I installed the pfSense software on something like this:

https://www.aliexpress.us/item/32568068 ... 00237956_2

Screenshot from 2025-05-15 11-19-54.png
You just have to compare the processors to see what you need.
Screenshot from 2025-05-15 11-23-31.png
They all use about 6W but the N150 has more power.
linda.ljungdahl
Posts: 33
Joined: Fri May 14, 2021 8:05 am
Has thanked: 1 time
Been thanked: 5 times

Re: DDOS - Entire Country of Vietnam banned

Post by linda.ljungdahl »

Seems like most of the pictures get HTTP 500 errors on the openinverter wiki when you click on them, is that related to this in any way?
image.png
/Linda
linda.ljungdahl
Posts: 33
Joined: Fri May 14, 2021 8:05 am
Has thanked: 1 time
Been thanked: 5 times

Re: DDOS - Entire Country of Vietnam banned

Post by linda.ljungdahl »

Is there a way to download the openinverter wiki database to browse it offline with Kiwix?

/Linda
johu
Site Admin
Posts: 6674
Joined: Thu Nov 08, 2018 10:52 pm
Location: Kassel/Germany
Has thanked: 359 times
Been thanked: 1517 times

Re: DDOS - Entire Country of Vietnam banned

Post by johu »

linda.ljungdahl wrote: Sat May 17, 2025 3:54 pm Seems like most of the pictures get HTTP 500 errors on the openinverter wiki when you click on them, is that related to this in any way?
Thanks for pointing that out. That must be caused by one of the recent updates though. Am looking into it.
Proton wrote: Thu May 15, 2025 3:21 pm If that server is at home you can install a pfSense firewall - free software - and then you can have lists added to known bad servers or IPs.
The forum runs on a hired server somewhere in Germany, so can't play with the hardware. I assume the pfSense firewall could be installed on it?
johu
Site Admin
Posts: 6674
Joined: Thu Nov 08, 2018 10:52 pm
Location: Kassel/Germany
Has thanked: 359 times
Been thanked: 1517 times

Re: DDOS - Entire Country of Vietnam banned

Post by johu »

I installed MediaWiki 1.43.1 now and disabled the newly installed SemanticBundle (viewtopic.php?p=82317#p82317). This was the last alteration 10 days ago and I'm afraid it may have broken things. The installation was very intrusive.
Proton
Posts: 261
Joined: Sat May 06, 2023 2:23 am
Location: Georgia/US
Has thanked: 173 times
Been thanked: 27 times

Re: DDOS - Entire Country of Vietnam banned

Post by Proton »

johu wrote: Sun May 18, 2025 7:48 am
The forum runs on a hired server somewhere in Germany, so can't play with the hardware. I assume the pfSense firewall could be installed on it?
I am sure it can be installed on a VM but not sure what is involved.
johu
Site Admin
Posts: 6674
Joined: Thu Nov 08, 2018 10:52 pm
Location: Kassel/Germany
Has thanked: 359 times
Been thanked: 1517 times

Re: DDOS - Entire Country of Vietnam banned

Post by johu »

The requests are still going, now from China also. I will need to find a solution that automatically blocks an entire /16 subnet as soon as it detects too many requests from that same subnet. That is what I currently do manually.
Proton
Posts: 261
Joined: Sat May 06, 2023 2:23 am
Location: Georgia/US
Has thanked: 173 times
Been thanked: 27 times

Re: DDOS - Entire Country of Vietnam banned

Post by Proton »

johu wrote: Mon May 19, 2025 9:41 pm The requests are still going, now from China also. I will need to find a solution that automatically blocks an entire /16 subnet as soon as it detects too many requests from that same subnet. That is what I currently do manually.
Can you limit the max connections per second from an IP address on your web server? You would think that the webhosting provider would give you that option.

pfSense has a way to do that but you would have to make pfSense your default gateway. pfSense would need to have your public IP and your webserver would need to be behind pfSense.


"
1. Configuring Firewall Rules for DDoS Mitigation 🧱

pfSense's firewall rules are your first line of defense against DDoS attacks. By setting up specific rules, you can filter out malicious traffic and protect your network.

- Block Malicious IPs: 🚫 Manually block known malicious IP addresses or use automated blocklists from sources like Emerging Threats. Navigate to Firewall > Aliases and add these IPs to a block list.
- Restrict Traffic by Geographic Region: 🌍 Use pfBlockerNG to block traffic from countries that are not relevant to your user base. This reduces the risk of attacks originating from certain regions.
- Limit Incoming Connections: 🔗 Set up rules to limit the number of connections per second from a single IP address under Firewall > Rules > WAN. This helps mitigate floods from individual IPs.

2. Using pfBlockerNG for Enhanced Protection 🛡️

pfBlockerNG is a powerful tool within pfSense that allows for advanced IP and domain blocking capabilities. It's essential for automated updates and enhanced DDoS protection.

- Install pfBlockerNG: 📦 Go to System > Package Manager > Available Packages and install pfBlockerNG.
- Enable GeoIP Blocking: 🚫🌍 Block traffic based on country using GeoIP filtering. This is especially useful for blocking traffic from regions where you don't expect legitimate users.
- Automated Block Lists: 📜 Configure pfBlockerNG to download and apply multiple IP block lists. These lists can focus on known malicious IPs, botnets, and other harmful sources.
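
The automatic /16 blocking johu asks for, next to the per-IP limit suggested in the reply above, as an added example that is not part of the original thread or the forum's own tooling. It assumes a web server access log in common/combined format; the function names, threshold and window are hypothetical, and the sample log is constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Client IP and timestamp at the start of a common/combined access-log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def subnet16(ip_text):
    """Return the IPv4 /16 network containing ip_text, or None."""
    try:
        ip = ipaddress.IPv4Address(ip_text)  # IPv6 and garbage raise
    except ValueError:
        return None
    return ipaddress.ip_network(f"{ip}/16", strict=False)

def find_noisy_subnets(lines, max_requests=200,
                       window=timedelta(seconds=60), allowlist=()):
    """Return sorted /16 networks with more than max_requests hits inside
    any sliding window. Lines must be in time order, as in a log file."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    recent = defaultdict(deque)  # /16 -> timestamps still inside the window
    flagged = set()
    for line in lines:
        m = LOG_RE.match(line)
        net = subnet16(m.group(1)) if m else None
        if net is None or any(net.overlaps(a) for a in allowed):
            continue  # malformed line, IPv6, or a range we never block
        try:
            ts = datetime.strptime(m.group(2), TS_FORMAT)
        except ValueError:
            continue
        q = recent[net]
        q.append(ts)
        while q[0] <= ts - window:
            q.popleft()
        if len(q) > max_requests:
            flagged.add(net)
    return sorted(str(n) for n in flagged)

def sample_log():
    """Constructed log: flood across 198.18.0.0/16, slow 198.19.5.7, junk."""
    base = datetime.strptime("19/May/2025:21:40:00 +0200", TS_FORMAT)
    hits = [(base + timedelta(seconds=i), f"198.18.{i}.10") for i in range(25)]
    hits += [(base + timedelta(seconds=30 * i), "198.19.5.7") for i in range(25)]
    lines = [f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET /viewtopic.php HTTP/1.1" 200 512'
             for ts, ip in sorted(hits)]
    return lines + ["not a log line"]
```

In the constructed log every flooding address sends a single request, so a per-IP connection limit never triggers, while the /16 aggregate crosses the threshold. The returned CIDR strings are what would be handed to the firewall's block list.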