Rocksolid Light

ddos defense for novabbs.com

<733615c1436ceffa04cd2d7eb3ec2546$1@news.novabbs.com>

Path: i2pn2.org!.POSTED!not-for-mail
From: Retro Guy@rslight.i2p (Retro Guy)
Newsgroups: rocksolid.nodes
Subject: ddos defense for novabbs.com
Date: Fri, 20 Dec 2019 08:05:15 -0000 (UTC)
Organization: Rocksolid Light
Message-ID: <733615c1436ceffa04cd2d7eb3ec2546$1@news.novabbs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 20 Dec 2019 08:05:15 -0000 (UTC)
Injection-Info: i2pn2-novalink.localdomain; posting-account="retrobbs1";
logging-data="7939"; mail-complaints-to="usenet@i2pn2-novalink.localdomain"
User-Agent: Rocksolid Light (news.novabbs.com/getrslight)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.com
X-Rslight-Site: $2y$10$P640w.nv3Z4UFx0UNXCqkeSb/wGmaeEyeaYYe1TAJKHZDs7R8hC1S
 by: Retro Guy - Fri, 20 Dec 2019 08:05 UTC

While I have in place defense for i2p and tor, I did not for clearnet. The site has been brought down almost daily for a while now, so I finally did something about it.

I'm seeing blacklisting in the logs now, quite a bit, and the site is running much faster. This applies to news.novabbs.com(rslight) and www.novabbs.com(fudforum).

We'll see how it goes.

Retro Guy
--
Posted on Rocksolid Light

Re: ddos defense for novabbs.com

<f0ba1870346ce5f36eb9365850311bf7$1@z5bqfv5v75kxy7pj.onion>

Path: i2pn2.org!.POSTED!not-for-mail
From: anonymous@anon.com (anonymous)
Newsgroups: rocksolid.nodes
Subject: Re: ddos defense for novabbs.com
Date: Thu, 21 May 2020 19:22 UTC
Organization: def2
Message-ID: <f0ba1870346ce5f36eb9365850311bf7$1@z5bqfv5v75kxy7pj.onion>
References: <733615c1436ceffa04cd2d7eb3ec2546$1@news.novabbs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org; posting-account="def2";
logging-data="2245"; mail-complaints-to="usenet@i2pn2.org"
User-Agent: Rocksolid Light (news.novabbs.com/getrslight)
X-Rslight-Site: $2y$10$.BAG2EEJ64iqLhPnvviB6uzDFV4gIVsYLozkkpEV/XHcXngTb5Na6
 by: anonymous - Thu, 21 May 2020 19:22 UTC

care to describe what you did exactly? and on which level of the stack?
--
Posted on def2
z5bqfv5v75kxy7pj.onion

Re: ddos defense for novabbs.com

<715287e8bd4cc83e628a4e69ce6bd304$1@news.novabbs.com>

Path: i2pn2.org!.POSTED!not-for-mail
From: Retro Guy@rslight.i2p (Retro Guy)
Newsgroups: rocksolid.nodes
Subject: Re: ddos defense for novabbs.com
Date: Fri, 22 May 2020 08:32 UTC
Organization: Rocksolid Light
Message-ID: <715287e8bd4cc83e628a4e69ce6bd304$1@news.novabbs.com>
References: <733615c1436ceffa04cd2d7eb3ec2546$1@news.novabbs.com> <f0ba1870346ce5f36eb9365850311bf7$1@z5bqfv5v75kxy7pj.onion>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org; posting-account="retrobbs1";
logging-data="27533"; mail-complaints-to="usenet@i2pn2.org"
User-Agent: Rocksolid Light (news.novabbs.com/getrslight)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.com
X-Rslight-Site: $2y$10$H6E6SroRIBJvkWYqTb4oAOUiMDwMZyGltl9WGs0Bc4VF.LqoUvZGe
 by: Retro Guy - Fri, 22 May 2020 08:32 UTC

anonymous wrote:

> care to describe what you did exactly? and on which level of the stack?

Most of what I was seeing was more than just rudely configured spiders (which tend to go through a site at a high rate of speed). I was seeing the same pages being requested very fast, over and over again from the same ip addresses. Since the addresses would be the same for a while, then completely new addresses, just blocking them would not work.

For tor this doesn't work, but for i2p (on the same machine) and clearnet, I've had great results with the nginx Limit Req Module http://nginx.org/en/docs/http/ngx_http_limit_req_module.html

From the site:
The ngx_http_limit_req_module module (0.7.21) is used to limit the request processing rate per a defined key, in particular, the processing rate of requests coming from a single IP address. If the requests rate exceeds the rate configured for a zone, their processing is delayed such that requests are processed at a defined rate. Excessive requests are delayed until their number exceeds the maximum burst size in which case the request is terminated with an error.
-------------

This does not protect against many types of attacks, but for just trying to shut the site down by overloading it, it's working very well. I've tied in the ip address logs to fail2ban to temporarily ban the offending ip addresses. Since setting this up, I have not needed to restart php-fpm or nginx a single time.

Retro Guy

--
Posted on: Rocksolid Light
news.novabbs.com
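
The log-to-ban step described in the post above, as an added example that is not part of the thread or Retro Guy's configuration: a simplified Python model of what a fail2ban jail does with nginx's limit_req rejections. The log lines, the zone name `perip`, the addresses and the maxretry/findtime/bantime values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ts, ip, level="error", msg="limiting requests, excess: 10.210 by zone"):
    # Constructed line in the shape nginx writes to its error log.
    return (f'{ts} [{level}] 911#911: *1 {msg} "perip", client: {ip}, server: '
            'example.test, request: "GET /index.php HTTP/1.1", host: "example.test"')

SAMPLE_LOG = "\n".join([
    _line("2020/05/22 08:30:01", "203.0.113.7"),
    _line("2020/05/22 08:30:01", "203.0.113.7"),
    _line("2020/05/22 08:30:02", "203.0.113.7"),
    _line("2020/05/22 08:30:03", "203.0.113.7"),
    _line("2020/05/22 08:30:05", "198.51.100.20", "warn",
          "delaying request, excess: 0.500, by zone"),
    _line("2020/05/22 08:30:10", "198.51.100.20"),
    _line("2020/05/22 08:33:00", "198.51.100.20"),
])

# Only rejections ("limiting requests") count; delayed requests do not match.
REJECTED = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[\w+\] \d+#\d+: \*\d+ '
    r'limiting requests, excess: [\d.]+ by zone "[^"]+", client: (?P<ip>[0-9A-Fa-f.:]+),')

def find_bans(log_text, maxretry=3, findtime=timedelta(seconds=60),
              bantime=timedelta(minutes=10)):
    """Return {ip: (banned_at, unban_at)} for clients rejected maxretry times within findtime."""
    recent, bans = defaultdict(deque), {}
    for line in log_text.splitlines():
        m = REJECTED.match(line)
        if not m:
            continue                      # delayed requests and unrelated lines
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        ip = m["ip"]
        if ip in bans and ts < bans[ip][1]:
            continue                      # still inside an active ban
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > findtime:    # drop rejections older than the window
            hits.popleft()
        if len(hits) >= maxretry:
            bans[ip] = (ts, ts + bantime)  # temporary ban, lifted after bantime
            hits.clear()
    return bans

if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} from {start} until {end}")
```

In the sample, the second address is rejected twice but more than `findtime` apart, and its delayed request is not a rejection, so it is never banned.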

Re: ddos defense for novabbs.com

<e4cfbed07f97837a031302573d5ebefc$1@z5bqfv5v75kxy7pj.onion>

Path: i2pn2.org!.POSTED!not-for-mail
From: anonymous@anon.com (anonymous)
Newsgroups: rocksolid.nodes
Subject: Re: ddos defense for novabbs.com
Date: Fri, 22 May 2020 10:50 UTC
Organization: def2
Message-ID: <e4cfbed07f97837a031302573d5ebefc$1@z5bqfv5v75kxy7pj.onion>
References: <733615c1436ceffa04cd2d7eb3ec2546$1@news.novabbs.com> <f0ba1870346ce5f36eb9365850311bf7$1@z5bqfv5v75kxy7pj.onion> <715287e8bd4cc83e628a4e69ce6bd304$1@news.novabbs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: i2pn2.org; posting-account="def2";
logging-data="12907"; mail-complaints-to="usenet@i2pn2.org"
User-Agent: Rocksolid Light (news.novabbs.com/getrslight)
X-Rslight-Site: $2y$10$zx.f1uzPEoCs2tIBM9mDWeBchFL0Lx0CQoQdQRAGyjQOUq13IFvfW
 by: anonymous - Fri, 22 May 2020 10:50 UTC

>The ngx_http_limit_req_module module (0.7.21) is used to limit the request processing rate per a defined key, in particular, the processing rate of requests coming from a single IP address. If the requests rate exceeds the rate configured for a zone, their processing is delayed such that requests are processed at a defined rate. Excessive requests are delayed until their number exceeds the maximum burst size in which case the request is terminated with an error.

he, that is almost exactly the same as i did for boxs, only in this case the functionality is in the script itself, not on the level of the webserver (and of course it is not ip based, because that would be useless on tor, but only goes by the total number of requests).
always a good sign if two parties come up with the same solution independently.
:-)

cheers

trw
--
Posted on def2
z5bqfv5v75kxy7pj.onion
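
The two keying choices discussed in this thread, as an added example that is not code from either poster: a simplified model of the leaky-bucket accounting in the quoted limit_req description, replayed with a per-IP key and with one site-wide key. The traffic, rate and burst are constructed, and the onion case assumes every client reaches the web server from the local tor daemon's address.

```python
from collections import Counter, defaultdict

def replay(requests, rate, burst, key_of):
    """Replay (time_ms, client, source_ip) tuples through one leaky bucket per key.

    Excess is tracked in integer thousandths of a request: requests arriving
    faster than `rate` (r/s) are delayed, and rejected once the excess would
    be larger than `burst`.
    """
    state = {}                            # key -> (excess_milli, last_ms)
    verdicts = defaultdict(Counter)       # client label -> verdict counts
    for now, client, ip in sorted(requests):
        key = key_of(ip)
        if key not in state:
            state[key] = (0, now)
            verdicts[client]["pass"] += 1
            continue
        excess, last = state[key]
        excess = max(0, excess - rate * (now - last) + 1000)
        if excess > burst * 1000:
            verdicts[client]["reject"] += 1   # rejections leave the bucket unchanged
            continue
        state[key] = (excess, now)
        verdicts[client]["delay" if excess else "pass"] += 1
    return {c: dict(v) for c, v in verdicts.items()}

def traffic(flood_ip, reader_ip):
    """Constructed sample: a flooder at 20 req/s for 2 s and a reader every 2 s."""
    flood = [(i * 50, "flooder", flood_ip) for i in range(40)]
    reader = [(500 + 2000 * i, "reader", reader_ip) for i in range(3)]
    return flood + reader

per_ip = lambda ip: ip          # key on the client address
site_wide = lambda ip: "all"    # one shared bucket: total number of requests

RATE, BURST = 2, 5              # assumed values for the demonstration

def scenarios():
    clearnet = traffic("203.0.113.7", "198.51.100.20")
    onion = traffic("127.0.0.1", "127.0.0.1")   # assumption: shared source address
    return {
        "clearnet_per_ip": replay(clearnet, RATE, BURST, per_ip),
        "onion_per_ip": replay(onion, RATE, BURST, per_ip),
        "onion_site_wide": replay(onion, RATE, BURST, site_wide),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

With distinct addresses the reader is untouched while the flooder is throttled; with a shared address the per-IP key behaves exactly like the site-wide one, capping total load without being able to single out the sender.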
