B4J Question HTTP Flooding Server Request

[aaronk]

Hi,

I have my B4J app running on a VPS.

In my B4J app I am running a HTTP Server.

I noticed in the HTTP log, that someone is flooding my server with invalid web requests.

148.70.68.20 - - [02/Jun/2019:17:22:50 +0000] "GET /d7.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:50 +0000] "GET /rxr.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:54 +0000] "GET /1x.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:54 +0000] "GET /home.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:55 +0000] "GET /undx.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:58 +0000] "GET /spider.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:58 +0000] "GET /payload.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:22:59 +0000] "GET /composers.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:02 +0000] "GET /izom.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:02 +0000] "GET /composer.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:03 +0000] "GET /hue2.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:06 +0000] "GET /Drupal.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:06 +0000] "GET /lang.php?f=1 HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:07 +0000] "GET /izom.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:10 +0000] "GET /payload.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:10 +0000] "GET /new_license.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:11 +0000] "GET /images/!.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
148.70.68.20 - - [02/Jun/2019:17:23:14 +0000] "GET /images/vuln.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"

The above log is just some events.

Just wondering would the DoSFilter help stop people flooding my B4J app with these invalid requests ?
https://www.b4x.com/android/forum/threads/dosfilter-request-timeout.70426/#content

 

[Erel]

Worth adding the DoSFilter though this is not a denial of service attack. The request rate is quite low.

Someone is trying to find a vulnerable PHP script on your server (will not happen as this is not a PHP server).

 

[aaronk]

Is there a way in blocking the user if they submit an xx of invalid requests ?

For example if they submit 10-15 invalid requests in a 10 second period, then block them from accessing the HTTP server for 10 minutes ?

 

[alwaysbusy]

fail2ban looks like a tool that may be useful:

https://security.stackexchange.com/questions/35773/how-can-i-block-an-ip-if-im-getting-many-http-requests-in-a-second

 

[Erel]

Start with blocking the ip address in the server firewall.

 

[aaronk]

Worth adding the DoSFilter though this is not a denial of service attack.

Would adding something like the following code block the users request, if they submit multiple requests within 5 seconds ?

srvr.AddDoSFilter("/*", CreateMap("maxRequestMs": 5000))

What happens if I am using a web socket & UDP messages, will this also trigger this feature or does it only work HTTP requests ?

Just trying to understand what the above does.

fail2ban looks like a tool that may be useful:
https://security.stackexchange.com/...-if-im-getting-many-http-requests-in-a-second

I will need to look into that. Looks interesting. You ever used anything like this before ?

Start with blocking the ip address in the server firewall.

I will need to look into that.
My VPS hosting company provides a external firewall and they use the OpenStack Compute API. So will need to work out how they use the API to add/delete rules using the API. Don't know if I can add firewall rules using the API and the API is mainly used for adding new VPS nodes to my account.

 

[alwaysbusy]

You ever used anything like this before

No, but I will investigate it too when I find the time. Just to have some knowledge on how stuff works as we have an external contractor who does these things for us in my day job.

 

[Alexander Stolte]

I will need to look into that. Looks interesting. You ever used anything like this before ?

I use Fail2Ban on my Server successfully, the IPs are banned.

I have made a checklist to setting up a VPS for my own, one section is security and this is what i use for Fail2Ban (But only for SSH):

apt-get install fail2ban

nano /etc/fail2ban/jail.local

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/fail2ban.log
findtime  = 60000
bantime = 36000000
maxretry = 3

service ssh restart

After 5 Minutes I already had a lot of banned IP addresses who tried to connect to SSH.

Just my 50ct

 

[Erel]

Would adding something like the following code block the users request, if they submit multiple requests within 5 seconds ?

No. See the description here: https://www.eclipse.org/jetty/documentation/9.4.x/dos-filter.html