B4J Question HTTP Flooding Server Request

aaronk

Well-Known Member
Licensed User
Hi,

I have my B4J app running on a VPS.

In my B4J app I am running a HTTP Server.

I noticed in the HTTP log, that someone is flooding my server with invalid web requests.

148.70.68.20 - - [02/Jun/2019:17:22:50 +0000] "GET /d7.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:50 +0000] "GET /rxr.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:54 +0000] "GET /1x.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:54 +0000] "GET /home.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:55 +0000] "GET /undx.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:58 +0000] "GET /spider.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:58 +0000] "GET /payload.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:59 +0000] "GET /composers.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:02 +0000] "GET /izom.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:02 +0000] "GET /composer.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:03 +0000] "GET /hue2.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:06 +0000] "GET /Drupal.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:06 +0000] "GET /lang.php?f=1 HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:07 +0000] "GET /izom.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:10 +0000] "GET /payload.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:10 +0000] "GET /new_license.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:11 +0000] "GET /images/!.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:14 +0000] "GET /images/vuln.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
The above log shows just some of the events.

Just wondering, would the DoSFilter help stop people flooding my B4J app with these invalid requests?
https://www.b4x.com/android/forum/threads/dosfilter-request-timeout.70426/#content

aaronk

Well-Known Member
Licensed User
Is there a way of blocking a user if they submit xx invalid requests?

For example, if they submit 10-15 invalid requests in a 10 second period, then block them from accessing the HTTP server for 10 minutes?

aaronk

Well-Known Member
Licensed User
Worth adding the DoSFilter, though this is not a denial-of-service attack.
Would adding something like the following code block the user's requests if they submit multiple requests within 5 seconds?
B4X:
srvr.AddDoSFilter("/*", CreateMap("maxRequestMs": 5000))
What happens if I am using a web socket & UDP messages? Will this also trigger this feature, or does it only work for HTTP requests?

Just trying to understand what the above does.

I will need to look into that. Looks interesting. Have you ever used anything like this before?


Start with blocking the ip address in the server firewall.
I will need to look into that.
My VPS hosting company provides an external firewall, and they use the OpenStack Compute API. So I will need to work out how to add/delete rules using the API. I don't know if I can add firewall rules using the API, and the API is mainly used for adding new VPS nodes to my account.
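The rule asked about in the second post (a client that sends 10-15 invalid requests within 10 seconds is blocked for 10 minutes) modelled as an added example. This is Python written for this thread, not B4J or jServer code, and the "invalid request" test (any *.php probe, or any 404) is an assumption about an app that serves no PHP. On the DoSFilter snippet above: in Jetty's DoSFilter, maxRequestMs is the longest a single request may take before it is rejected; the per-client rate limit is maxRequestsPerSec (default 25), and because it is a servlet filter it only ever sees HTTP requests (including the WebSocket upgrade request), never UDP traffic.

```python
"""Per-IP sliding-window ban: maxretry invalid hits within findtime seconds -> banned for bantime.

Constructed model of the rule discussed in the thread; not B4J/jServer code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# NCSA-style access-log line as the thread shows it
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The 18 lines quoted in the first post: one client, 24 seconds
SAMPLE_LOG = """\
148.70.68.20 - - [02/Jun/2019:17:22:50 +0000] "GET /d7.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:50 +0000] "GET /rxr.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:54 +0000] "GET /1x.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:54 +0000] "GET /home.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:55 +0000] "GET /undx.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:58 +0000] "GET /spider.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:58 +0000] "GET /payload.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:59 +0000] "GET /composers.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:02 +0000] "GET /izom.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:02 +0000] "GET /composer.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:03 +0000] "GET /hue2.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:06 +0000] "GET /Drupal.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:06 +0000] "GET /lang.php?f=1 HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:07 +0000] "GET /izom.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:10 +0000] "GET /payload.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:10 +0000] "GET /new_license.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:11 +0000] "GET /images/!.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:14 +0000] "GET /images/vuln.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
"""


def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line is not an access-log entry."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['path'], int(m['status'])


def is_invalid(path, status):
    """Assumption: this app serves no PHP, so any *.php probe, or any 404, counts as invalid."""
    return path.split('?', 1)[0].lower().endswith('.php') or status == 404


class BanList:
    """fail2ban-style tally: a client with >= maxretry invalid requests inside the last
    findtime seconds is banned for bantime seconds (defaults: 10 in 10 s -> 10 minutes)."""

    def __init__(self, maxretry=10, findtime=10, bantime=600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.hits = defaultdict(deque)   # ip -> timestamps of recent invalid requests
        self.banned_until = {}           # ip -> expiry of the current ban

    def check(self, ip, ts, invalid):
        """Return 'blocked' (ban active), 'ban' (this request triggered a ban) or 'allow'."""
        until = self.banned_until.get(ip)
        if until is not None:
            if ts < until:
                return 'blocked'
            del self.banned_until[ip]        # ban expired: client starts with a clean slate
        if not invalid:
            return 'allow'                   # good requests never count against a client
        window = self.hits[ip]
        window.append(ts)
        while window and window[0] < ts - self.findtime:
            window.popleft()                 # drop hits older than findtime
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            window.clear()
            return 'ban'
        return 'allow'


def replay(log_text, maxretry=10, findtime=10, bantime=600):
    """Feed access-log text through a BanList; return ([(ip, 'HH:MM:SS', decision)], banlist)."""
    banlist = BanList(maxretry, findtime, bantime)
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                         # skip anything that is not an access-log entry
        ip, ts, path, status = parsed
        decision = banlist.check(ip, ts, is_invalid(path, status))
        decisions.append((ip, ts.strftime('%H:%M:%S'), decision))
    return decisions, banlist
```

With the default maxretry=10 nothing is banned, because no 10-second window in the quoted log holds more than 9 probes; with maxretry=8 the client is banned at the 17:22:59 request and every later request is rejected until 17:32:59 without being counted. In a B4J server the same counter would sit in the request handler and answer 403 while the ban is active; as the thread notes, dropping the address at the firewall is cheaper than handling each request in the app, and this logic is also what Fail2Ban's findtime/maxretry/bantime settings implement.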

Alexander Stolte

Expert
Licensed User
I will need to look into that. Looks interesting. Have you ever used anything like this before?
I use Fail2Ban on my server successfully; the IPs are banned.

I have made a checklist for setting up a VPS of my own; one section is security, and this is what I use for Fail2Ban (but only for SSH):
B4X:
apt-get install fail2ban

nano /etc/fail2ban/jail.local

[ssh]
enabled = true
port = ssh
filter = sshd
# the sshd filter must read the log that sshd writes to (auth.log on Debian/Ubuntu),
# not fail2ban's own log file
logpath = /var/log/auth.log
# findtime and bantime are in seconds
findtime  = 60000
bantime = 36000000
maxretry = 3

# restart fail2ban (not sshd) so it picks up jail.local
service fail2ban restart
After 5 minutes I already had a lot of banned IP addresses that had tried to connect to SSH.

Just my 50ct :)
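Applying the same Fail2Ban approach to the HTTP log from the first post needs a filter whose failregex matches those access-log lines. As an added example, not part of the thread and not B4J code (the filter name b4j-http is hypothetical), here is a small Python dry run of a candidate failregex against four lines from the thread plus two constructed lines for a legitimate client, using the same <HOST> tag expansion fail2ban 0.9 applied when compiling a filter:

```python
"""Dry-run a fail2ban failregex for the jServer access log (constructed example)."""
import re
from collections import Counter

# Candidate failregex exactly as it would be written in a filter file
# (hypothetical path /etc/fail2ban/filter.d/b4j-http.conf). A failure is any
# GET/POST/HEAD for a .php resource that the app answered with 302 or 404.
FAILREGEX = (
    r'^<HOST> \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|POST|HEAD) \S*\.php(?:\?\S*)? HTTP/[\d.]+" (?:302|404) '
)

# Group that fail2ban 0.9 substituted for the <HOST> tag before compiling
# (newer releases use a more elaborate expansion; the tag in the filter file is the same)
HOST_GROUP = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

# Four lines from the thread plus two constructed lines for a legitimate client
SAMPLE_LINES = [
    '148.70.68.20 - - [02/Jun/2019:17:22:50 +0000] "GET /d7.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    '148.70.68.20 - - [02/Jun/2019:17:23:06 +0000] "GET /lang.php?f=1 HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    '148.70.68.20 - - [02/Jun/2019:17:23:11 +0000] "GET /images/!.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    '148.70.68.20 - - [02/Jun/2019:17:23:14 +0000] "GET /images/vuln.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    # constructed: a real user of the app; the second request is redirected (302) but is not a .php probe
    '203.0.113.7 - - [02/Jun/2019:17:25:00 +0000] "GET /api/status HTTP/1.1" 200 42 "-" "curl/7.64.0"',
    '203.0.113.7 - - [02/Jun/2019:17:25:01 +0000] "GET /old-page HTTP/1.1" 302 0 "-" "curl/7.64.0"',
]


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace('<HOST>', HOST_GROUP))


def count_failures(lines, failregex=FAILREGEX):
    """Tally matching lines per host: the count fail2ban compares against maxretry."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = pattern.match(line)
        if m:
            hits[m['host']] += 1
    return hits
```

All four probe lines are attributed to 148.70.68.20 and neither line from the legitimate client matches, which is the property to confirm before enabling a jail, since an over-broad failregex bans real users. Against a real log file the official tool does the same check: fail2ban-regex followed by the log path and the filter file. The jail stanza in jail.local then mirrors the SSH one above with filter = b4j-http, logpath pointing at the jServer access log, and findtime = 10, maxretry = 10, bantime = 600 for the thresholds asked about earlier in the thread.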