My webserver is getting flooded with invalid requests

My webserver (nginx) keeps getting requests like this:

23.244.104.206 - - [15/Jun/2014:21:21:47 -0400] "GET http://ib.adnxs.com/ttj?id=2947236&size=300x250&cb={CACHEBUSTER}&referrer={REFERRER_URL}&pubclick={INSERT_CLICK_TAG} HTTP/1.0" 200 612 "http://www.businessfull.net/?p=8167" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/534.15+ (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4"
216.244.65.21 - - [15/Jun/2014:21:21:47 -0400] "GET http://ib.adnxs.com/ttj?id=2583052&referrer=http%3A%2F%2Fwww.excitingflashgames.com%2Fgame%2Frun_chicken_run.html&cb=78488 HTTP/1.0" 200 612 "http://www.excitingflashgames.com/game/run_chicken_run.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.04 Chromium/15.0.871.0 Chrome/15.0.871.0 Safari/535.2"

There are hundreds of these requests and they cause my http server to be a lot slower. Is there some way I can block this using iptables? The weird thing is that they are trying to visit sites that I don't even host. I thought this would be useful in banning them but I'm not sure how I would do that.


Solution 1:

This is an example of a well known proxy abuse exploit. Some versions of Apache (which have the proxy module installed) are often left improperly configured or not secured, and allow anybody to route a request through your webserver, in effect turning it into an unwitting and illicit proxy server (which could be used in an unpleasant attack).

Although tomtom recommends offloading your security to CloudFlare, the solution is fairly simple, and should be implemented as a part of any basic security audit (even for the most basic of websites).

Building on Vinícius Ferrão's answer: after you install Fail2Ban, you will need to set up a filter (on debian/ubuntu, create the file /etc/fail2ban/filter.d/nginx-proxy.conf).

In this file, enter this:

# Block IPs trying to use server as proxy.
#
# Matches e.g.
# 192.168.1.1 - - "GET http://www.something.com/
#
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =

and then create this block inside the fail2ban configuration file (usually under /etc/fail2ban/jail.conf):

## block hosts trying to abuse our server as a forward proxy
[nginx-proxy]
enabled = true
port    = 80,443
filter = nginx-proxy
logpath = /path/to/websites/access.log.file
maxretry = 2
bantime  = 86400

(replacing logpath = with the path to the access log of your website)

This will use the default blocking mode to ban hosts trying to abuse your site as a forward proxy.

Afterwards, I would consider checking your nginx configuration, and use controls to prevent anybody from making these requests to your server (if not from a specific IP).

Hope this helps!
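To see what the filter above actually catches before enabling the jail, here is an added example (not part of the answer or of fail2ban itself) that applies the same failregex to constructed access-log lines and applies the jail's maxretry threshold. The expansion of fail2ban's <HOST> token is approximated by a simple host pattern, and findtime is ignored; both are assumptions of this example. The log lines use documentation IP addresses and are constructed, not taken from a real server.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with a pattern that captures an IP or hostname.
# This simplified expansion is an assumption for the example, not fail2ban's exact pattern.
HOST_PATTERN = r"(?P<host>[\w\-.:]+)"

# The failregex from the nginx-proxy filter above, with <HOST> expanded.
FAILREGEX = re.compile(r"^" + HOST_PATTERN + r" -.*GET http.*")

# Constructed sample log in nginx's default combined format.
# Lines 1, 2 and 4 are absolute-URI (forward-proxy style) requests;
# lines 3 and 5 are ordinary requests that must NOT match, even though
# line 5 contains "http://" inside a query string.
SAMPLE_LOG = """\
198.51.100.9 - - [15/Jun/2014:21:21:47 -0400] "GET http://ads.example/ttj?id=1 HTTP/1.0" 200 612 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Jun/2014:21:21:47 -0400] "GET http://ads.example/ttj?id=2 HTTP/1.0" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2014:21:21:48 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jun/2014:21:21:49 -0400] "GET http://other.example/ HTTP/1.0" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2014:21:21:50 -0400] "GET /about.html?next=http://other.example HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def matching_hosts(log_text):
    """Return the host of every log line the failregex matches, in log order."""
    hosts = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(log_text, maxretry=2):
    """Hosts with at least maxretry matching lines, mirroring the jail's
    maxretry setting (the findtime window is ignored here)."""
    counts = Counter(matching_hosts(log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host in matching_hosts(SAMPLE_LOG):
        print("match:", host)
    print("would ban with maxretry=2:", hosts_to_ban(SAMPLE_LOG))
```

Because the regex requires the literal text "GET http", only requests whose request-line target is an absolute URI are counted; a path whose query string happens to contain an http:// value is left alone. With the page's maxretry = 2, only the host that issued two proxy-style requests would be banned.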

Solution 2:

This should not be the case, but if you're getting a lot of requests from the same source constantly and this is causing a Denial of Service (DoS) on your server you should consider using something like fail2ban to temporarily ban abusive clients from your server.

Anyway, it's a good idea to avoid brute-force attacks, for example, if you don't have some security appliance before your final destination (your server).

You can get more information about fail2ban on its website: http://www.fail2ban.org and there are some configuration tips to use fail2ban with nginx over here: http://www.fail2ban.org/wiki/index.php/NginX