Is this an attack or a normal request?


Is this an attack or a normal request?

Anderson dos Santos Donda
Hello everyone,

I'm new to the webserver world, and I have only a very basic knowledge of Nginx, so I want to apologize in advance if I'm asking a stupid question.

I have a very basic webserver hosting a WordPress webpage, and in the past 3 days I have been receiving thousands of requests like the ones below:

5.122.236.249 - - [24/Aug/2020:12:30:41 +0200] "\x1E\x80\xEBol\xDF\x86z\x84\xA4A^\xAF;\xA1\x98\x1B\x0E\xB7\x88\xD3h\x8FyW\xE4\x0F=.\x15\xF7f:9\xF7\xC3\xBB\xB1}n\xA5\x88\x8B\xE7\xF4\x5C\x80\x98=\xE2X\xC8\xD4\x1Bv/\xDC3yAI\xEE\xE6\xFA\xB1\xF3\x90]\x9EG\xFD\x9B\xAB\x9B:\xA7q\x82*\xE1:\x1A
5.122.236.249 - - [24/Aug/2020:12:30:41 +0200] "P\xCE \x9C\xA9\xB6pS\xD6#1\x84\x22\xB0s\xB8\xAA\x09\x06Ex\xDD\x88\x11\xFC\x0E\xDB\x04\x18~*\xE7h\xD2H\xD422\x83,\xB3u\xDF|\xED\x8BP\x9Box\xA4\x042\xFBz\xAAh\xF9\x14^\x96\xDD\x1D\xF6\xDD*\xF4" 400 173 "-" "-"

This comes from a hundred different IPs, with many requests at the same time.

Is this some kind of DDoS attack or a legitimate request (my server returns 400 for them)?

If it is an attack, does it have a specific name that I can search for to understand it better and mitigate it?

Thanks so much for the help.

Best Regards,
Donda


--
Regards,
Anderson Donda

"A calm sea does not make a good sailor, much less a good captain."


_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: Is this an attack or a normal request?

J.R.
> Is this kind of DDOS attack or a legitimate request(which my server returns
> 400 for them)?

That's typically how various unicode characters are hex encoded. If
you aren't expecting that kind of input, then yes it is likely an
attack (probably trying to exploit an unknown specific piece of
software). Welcome to the internet where everything connected is
bombarded 24/7 from everything else with random attacks.

That's why it's important to keep your server (and wordpress) up to date.

Re: Is this an attack or a normal request?

lists@lazygranch.com
I can't find it, but someone wrote a script to decode that style of hacking. For the hacks I was decoding, they were RDP hack attempts. The hackers just "spray" their attacks. Often they are not meaningful to your server.

I have Nginx maps set up to match requests that are not relevant to my server. For instance, I don't run WordPress, so anything WordPress related gets a 444 response. On a weekly basis I pull all the IP addresses that generated a 400 or 444 and run them through an IP lookup website. If they come back to a hosting company, VPS, or basically anything not an ISP, I block the associated IP space via my firewall. The only reason I can do this weekly is that I have blocked so much IP space already that I don't get many hackers.

At a minimum I suggest blocking all Amazon AWS. No eyeballs there, just hackers. Also block all of OVH. You can block any of the hosting companies since there are no eyeballs there. This blocks many VPNs as well but nobody says you have to accept traffic from VPNs.

Firewalls are very CPU efficient though they do use a lot of memory. In the long run blocking all those hackers improves system efficiency since nginx does have to parse all that nonsense.

I have scripts to pull the hacker IP out of the log file, but I have a nonstandard log format. If you can create a file of IPs, this site will return the domains:

https://www.bulkseotools.com/bulk-ip-to-location.php

If you see a domain that is obviously not an ISP, you can find their entire IP space using bgp.he.net

This sounds more complicated than it is. I have it down to about 20 minutes a week.

You can also block countries in the firewall. Some people block all of China. I don't but that does cut down on hackers.



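Added example, not code from anyone in the thread: a small Python triage script that reverses nginx's \xNN log escaping, checks whether the logged request line is HTTP at all (the lines in the original question decode to raw binary, not a method and a URI), and collects the client IPs that sent non-HTTP bytes or drew a 400/444, which is the weekly lookup list described above. The sample log embeds the two lines from the question (the first one cut off exactly as posted) plus two constructed lines using documentation address ranges.

```python
import re
from collections import Counter

# Constructed sample: the two lines quoted in the question (the first is cut off
# mid-request, exactly as posted) plus two made-up lines from documentation ranges.
SAMPLE_LOG = r'''5.122.236.249 - - [24/Aug/2020:12:30:41 +0200] "\x1E\x80\xEBol\xDF\x86z\x84\xA4A^\xAF;\xA1\x98\x1B\x0E\xB7\x88\xD3h\x8FyW\xE4\x0F=.\x15\xF7f:9\xF7\xC3\xBB\xB1}n\xA5\x88\x8B\xE7\xF4\x5C\x80\x98=\xE2X\xC8\xD4\x1Bv/\xDC3yAI\xEE\xE6\xFA\xB1\xF3\x90]\x9EG\xFD\x9B\xAB\x9B:\xA7q\x82*\xE1:\x1A
5.122.236.249 - - [24/Aug/2020:12:30:41 +0200] "P\xCE \x9C\xA9\xB6pS\xD6#1\x84\x22\xB0s\xB8\xAA\x09\x06Ex\xDD\x88\x11\xFC\x0E\xDB\x04\x18~*\xE7h\xD2H\xD422\x83,\xB3u\xDF|\xED\x8BP\x9Box\xA4\x042\xFBz\xAAh\xF9\x14^\x96\xDD\x1D\xF6\xDD*\xF4" 400 173 "-" "-"
203.0.113.7 - - [24/Aug/2020:12:31:02 +0200] "GET /wp-login.php HTTP/1.1" 444 0 "-" "python-requests/2.24.0"
198.51.100.9 - - [24/Aug/2020:12:31:05 +0200] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
'''

# nginx "combined" format, parsed in two steps so a line truncated inside the
# request field (no closing quote, no status) still yields the IP and request.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<rest>.*)$')
TAIL_RE = re.compile(r'^(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
                     r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
HEX_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')
# A syntactically valid HTTP/1.x request line: METHOD SP target SP HTTP/1.x
REQUEST_LINE_RE = re.compile(rb'^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]$')

def unescape(field: str) -> bytes:
    """nginx logs '"', '\\' and bytes outside 0x20..0x7E as \\xNN; undo that to
    recover the request bytes exactly as the client sent them."""
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), field).encode('latin-1')

def parse_line(line: str) -> dict:
    """Parse one log line; status and ua are None when the line is truncated."""
    head = LINE_RE.match(line.rstrip('\n'))
    if not head:
        raise ValueError('not a combined-format line: %r' % line)
    rec = {'ip': head['ip'], 'status': None, 'ua': None, 'truncated': True}
    tail = TAIL_RE.match(head['rest'])
    if tail:
        rec.update(status=int(tail['status']), ua=tail['ua'], truncated=False)
        rec['request'] = unescape(tail['request'])
    else:
        rec['request'] = unescape(head['rest'])
    return rec

def classify(request: bytes) -> str:
    """'http' for a valid HTTP/1.x request line, 'non-http' for anything else
    (the blind protocol probes in the question decode to raw binary, not HTTP)."""
    return 'http' if REQUEST_LINE_RE.match(request) else 'non-http'

def triage(log_text: str) -> dict:
    """Map each client IP that sent non-HTTP bytes or drew a 400/444 to a Counter
    with keys hits, non_http and rejected; clean clients are left out. This is
    the weekly 'IPs to look up' list from the thread, built offline."""
    table = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        non_http = classify(rec['request']) == 'non-http'
        rejected = rec['status'] in (400, 444)
        if not (non_http or rejected):
            continue
        entry = table.setdefault(rec['ip'], Counter())
        entry['hits'] += 1
        entry['non_http'] += int(non_http)
        entry['rejected'] += int(rejected)
    return table

if __name__ == '__main__':
    for ip, c in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]['hits']):
        print(f"{ip:16} hits={c['hits']} non_http={c['non_http']} rejected={c['rejected']}")
```

Feed it a real access.log and the printed table is the list to run through an IP lookup; a client with non_http hits never spoke HTTP to the server at all.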
Re: Is this an attack or a normal request?

Peter Booth
I agree with the advice already given.

It can also be useful to track the User-Agent header of web requests - both to understand who is trying to do what to your website,
and then to start blocking on the basis of user agent.
There may be some bots and spiders that are helpful or even necessary for your business.

Peter



Re: Is this an attack or a normal request?

Jonesy
In reply to this post by lists@lazygranch.com
On Mon, 24 Aug 2020 11:54:35 -0700, lists wrote:

<-snip->

> At a minimum I suggest blocking all Amazon AWS. No eyeballs there,
> just hackers. Also block all of OVH.

Great suggestions.  Also, block all of Digital Sewer ... err Digital Ocean.

Once you catch a bad actor IP, and if you want to block the entire network,
drop the ASN from a `whois` of the bad actor IP into

  https://enjen.net/asn-blocklist/index.php


May the mask be with you,
Jonesy
--
  Marvin L Jones    | Marvin      | W3DHJ.net  | linux
   38.238N 104.547W |  @ jonz.net | Jonesy     |  FreeBSD
    * Killfiling google & XXXXbanter.com: jonz.net/ng.htm

Re: Is this an attack or a normal request?

lists@lazygranch.com
My VPS is on Digital Ocean. Oh, and I block them too. And Linode. I am an equal opportunity blocker.

Google is a little tricky to find the IP space. Remember you don't want to block Google search. In fact you should create an account with Google to help them find your website. The suggested method is to get the IP space from their SPF.

https://support.symphony.com/hc/en-us/articles/360029563832-Obtaining-GCP-IP-ranges-to-enable-proxy-and-firewall-configuration

AWS has a json scheme to document their space.
https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

I don't block complete ASNs. Sometimes there are corporate accounts there. They have eyeballs. bgp.he.net will get just the entity that is doing the hacking.

Bulletproof hoster:
https://www.hetzner.com/



Re: Is this an attack or a normal request?

Anderson dos Santos Donda
In reply to this post by Peter Booth
Thank you very much, everyone!

I will try to implement all the insights given.

With desperate times come desperate measures, and I implemented a fail2ban rule that blocks any IP that doesn't have any GET or POST in the request.

It is not efficient, I know. My firewall list is growing abruptly, but at least it buys me some time to improve all the counter-measures that you guys mentioned.

BR,
Donda

Re: Is this an attack or a normal request?

lists@lazygranch.com
You don't need fail2ban to limit html verbs.  I only allow "get" and "head" on mine. 

Inside the Nginx server block:

if ($request_method !~ "^(GET|HEAD)$") {
    return 444;
}

GET and HEAD are all you need for a read-only site.

I have a map set up for bad user agents. There is a search engine called Majestic that will download your website on a daily basis. It does not obey robots.txt.


https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/blob/master/_generator_lists/bad-user-agents.list

Since Nginx will be using regular expressions, some of these are redundant. If you look for majestic then you don't need to look for 
majestic12. 

You really should study maps since that is the most efficient means to implement these pattern searches. 

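Added example, not code from the thread or from the linked repository: a Python helper that prunes a bad-user-agent list the way the remark above suggests (with a case-insensitive, unanchored `~*` pattern, an entry like "majestic" already matches "majestic12") and renders the surviving entries as an nginx map. The list excerpt is constructed, and the variable name $bad_ua is an assumption; the server block then only needs `if ($bad_ua) { return 444; }`.

```python
import re

# Constructed excerpt in the style of a bad-user-agents list (not the real file);
# mixed spellings of the same bot are deliberately included to show the pruning.
BAD_UA_PATTERNS = [
    "majestic", "majestic12", "MJ12bot", "AhrefsBot", "ahrefs",
    "SemrushBot", "DotBot",
]

def prune_redundant(patterns):
    """Drop every entry that already contains a shorter entry as a substring.
    With a case-insensitive, unanchored nginx regex (~*), 'majestic' already
    matches 'majestic12', so the longer entry only costs an extra regex test."""
    kept = []
    for p in sorted(set(patterns), key=lambda s: (len(s), s.lower())):
        if not any(k.lower() in p.lower() for k in kept):
            kept.append(p)
    return kept

def render_map(patterns, variable="$bad_ua"):
    """Emit an nginx map block that sets the variable to 1 for any listed agent
    ($bad_ua is an assumed name; the map goes in the http context)."""
    lines = [f"map $http_user_agent {variable} {{", "    default 0;"]
    for p in prune_redundant(patterns):
        # quoted key, literal text escaped so the entry is matched verbatim
        lines.append(f'    "~*{re.escape(p)}" 1;')
    lines.append("}")
    return "\n".join(lines)

def is_bad_ua(user_agent, patterns):
    """Offline check with the same semantics the generated map applies in nginx:
    case-insensitive substring match against the pruned list."""
    return any(re.search(re.escape(p), user_agent, re.IGNORECASE)
               for p in prune_redundant(patterns))

if __name__ == "__main__":
    print(render_map(BAD_UA_PATTERNS))
```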
Re: Is this an attack or a normal request?

Jeff Dyke
In reply to this post by Anderson dos Santos Donda
I've seen the rest of this thread, and there are many good ideas. fail2ban is great; I actually use it with Wazuh. The best security measure I ever made with WordPress is changing the name of the /admin/login.php and disabling, or at least access-listing, the API. If no one needs API access, shut it off. With fail2ban with Wazuh (perhaps fail2ban handles this on its own), you can set up volume rules which will create FW rules. Also, I like to put a snippet into the nginx config for too many responses.

  # $limit_key is set elsewhere in the config (for example by a map on $binary_remote_addr)
  limit_req_zone $limit_key zone=req_limit:10m rate=10r/s;
  limit_req_log_level warn;
  # don't use 503 as we have specific logic for that status
  limit_req_status 420;
  # the zone only takes effect where a limit_req directive references it (http, server or location)
  limit_req zone=req_limit;

As the comment says, we handle 503s and other status codes differently, so I adopted Twitter's Ease You Calm status code. Change the limits to your environment.
