B4J Question HTTP Flooding Server Request

aaronk

Well-Known Member
Licensed User
Hi,

I have my B4J app running on a VPS.

In my B4J app I am running a HTTP Server.

I noticed in the HTTP log that someone is flooding my server with invalid web requests.

148.70.68.20 - - [02/Jun/2019:17:22:50 +0000] "GET /d7.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:50 +0000] "GET /rxr.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:54 +0000] "GET /1x.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:54 +0000] "GET /home.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:55 +0000] "GET /undx.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:58 +0000] "GET /spider.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:58 +0000] "GET /payload.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:59 +0000] "GET /composers.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:02 +0000] "GET /izom.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:02 +0000] "GET /composer.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:03 +0000] "GET /hue2.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:06 +0000] "GET /Drupal.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:06 +0000] "GET /lang.php?f=1 HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:07 +0000] "GET /izom.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:10 +0000] "GET /payload.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:10 +0000] "GET /new_license.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:11 +0000] "GET /images/!.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:14 +0000] "GET /images/vuln.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
The above log shows just some of the events.

Just wondering, would the DoSFilter help stop people flooding my B4J app with these invalid requests?
https://www.b4x.com/android/forum/threads/dosfilter-request-timeout.70426/#content

Erel

Administrator
Staff member
Licensed User
Worth adding the DoSFilter, though this is not a denial of service attack. The request rate is quite low.

Someone is trying to find a vulnerable PHP script on your server (will not happen as this is not a PHP server).

aaronk

Well-Known Member
Licensed User
Is there a way of blocking the user if they submit xx invalid requests?

For example, if they submit 10-15 invalid requests in a 10 second period, then block them from accessing the HTTP server for 10 minutes?

Erel

Administrator
Staff member
Licensed User
Start with blocking the IP address in the server firewall.

aaronk

Well-Known Member
Licensed User
Worth adding the DoSFilter though this is not a denial of service attack.
Would adding something like the following code block the user's requests if they submit multiple requests within 5 seconds?
B4X:
srvr.AddDoSFilter("/*", CreateMap("maxRequestMs": 5000))
What happens if I am using a WebSocket and UDP messages? Will this also trigger this feature, or does it only work for HTTP requests?

Just trying to understand what the above does.

I will need to look into that. Looks interesting. Have you ever used anything like this before?


Start with blocking the ip address in the server firewall.
I will need to look into that.
My VPS hosting company provides an external firewall and they use the OpenStack Compute API. So I will need to work out how to add/delete rules using the API. I don't know if I can add firewall rules using the API, as the API is mainly used for adding new VPS nodes to my account.

alwaysbusy

Expert
Licensed User
Have you ever used anything like this before?
No, but I will investigate it too when I find the time, just to have some knowledge of how this stuff works, as we have an external contractor who does these things for us in my day job.

Alexander Stolte

Well-Known Member
Licensed User
I will need to look into that. Looks interesting. You ever used anything like this before ?
I use Fail2Ban on my server successfully; the IPs are banned.

I have made a checklist for setting up a VPS of my own; one section is security, and this is what I use for Fail2Ban (but only for SSH):
B4X:
apt-get install fail2ban

nano /etc/fail2ban/jail.local

[ssh]
enabled = true
port = ssh
filter = sshd
# the sshd filter matches sshd's own "Failed password ... from <HOST>" lines, which live in the auth log;
# /var/log/fail2ban.log (as originally given) only holds Fail2Ban's own output and never matches
logpath = /var/log/auth.log
findtime  = 60000
bantime = 36000000
maxretry = 3

# jail.local is read by fail2ban, not by sshd, so fail2ban is the service to restart
service fail2ban restart
After 5 minutes I already had a lot of banned IP addresses that had tried to connect to SSH.

Just my 50ct :)
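A worked version of the rule aaronk asked for earlier (a burst of invalid requests inside a short window earns a temporary block) and of the log-driven banning that Fail2Ban does above for SSH, written against the HTTP access-log format quoted at the top of the thread; this is an added example in Python, not code from the thread or from B4J, and the served-path list, the thresholds and the TEST-NET sample lines are constructed assumptions. The class only decides; in a real deployment the 'ban' verdict would drive a firewall rule or a Fail2Ban jail, as Erel suggests.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Combined Log Format lines quoted in the thread: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, path without query string, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?")[0], int(m.group("status"))

class ProbeBanner:
    """Ban an IP for `ban_for` once it sends `threshold` invalid requests inside a sliding `window`."""
    def __init__(self, served_paths, threshold=10, window=timedelta(seconds=10), ban_for=timedelta(minutes=10)):
        self.served, self.threshold, self.window, self.ban_for = set(served_paths), threshold, window, ban_for
        self.hits = defaultdict(deque)   # ip -> timestamps of its recent invalid requests
        self.banned_until = {}           # ip -> datetime at which its ban expires

    def observe(self, line):
        """Return 'ok', 'invalid', 'ban' (threshold just crossed) or 'banned' (request from a blocked IP)."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ip, ts, path, status = parsed
        if ts < self.banned_until.get(ip, ts):   # ban still in force; bans expire by timestamp, not by cleanup
            return "banned"
        # A request for a path the app does not serve is a probe, whatever status the server answered (302 here).
        if path in self.served and status < 400:
            return "ok"
        q = self.hits[ip]
        q.append(ts)
        while ts - q[0] > self.window:           # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned_until[ip] = ts + self.ban_for
            q.clear()
            return "ban"
        return "invalid"

# Constructed sample (TEST-NET address): ten .php probes in ten seconds, then two requests for a real path.
SAMPLE_LOG = [f'203.0.113.5 - - [02/Jun/2019:17:22:{50 + i} +0000] "GET /probe{i}.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"'
              for i in range(10)] + [
    '203.0.113.5 - - [02/Jun/2019:17:23:00 +0000] "GET /index HTTP/1.1" 200 0 "-" "Mozilla/4.0"',  # within the ban
    '203.0.113.5 - - [02/Jun/2019:17:33:05 +0000] "GET /index HTTP/1.1" 200 0 "-" "Mozilla/4.0"']  # ban has expired
```

Feeding SAMPLE_LOG through one ProbeBanner(["/index"]) yields nine 'invalid' verdicts, then 'ban' on the tenth probe, 'banned' for the request one second later and 'ok' once the ten-minute block has lapsed.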