>
> Le 23 août 2024 à 17:12, Peter N. M. Hansteen <peter@bsdly.net> a écrit :
>
> On Fri, Aug 23, 2024 at 12:54:20PM +0200, Joel Carnat wrote:
>> I have a server which gets flooded with unsolicited HTTP requests. So far, I use relayd filters to identify those requests and block them, at relayd level. It works as they never reach the web server but relayd is still working to block them.
>>
>> I thought of parsing relayd logs to get those IPs and add them to a pf block table, using an automated script.
>
> If the problem is that there are a lot of requests from the same hosts coming in rapid-fire, it is
> possible that state tracking rules with overloading could be the thing to try.
>
> The other thing that comes to mind is to put together something that parses the logs
> and adds offenders to a table of addresses that PF will block.
>
> Something along the lines of what is described in https://nxdomain.no/~peter/forcing_the_password_gropers_through_a_smaller_hole.html
> (also prettified but tracked at https://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html)
> could be what you need (some assembly required, obviously).
>
> - Peter
Unfortunately, those are not single IP spamming. It looks more like infected computers and/or computer farms sending individual requests at "normal" rate. There are just thousands of them.
The only way to identify them is by looking at User-Agent and/ou HTTP requests body. So pf only won't be enough there.
I thought I could use some matching relayd rules that would tag the connections so that pf blocks them. But it seems pftag is not made for this.
Writing a script and feed it using syslog is doable. But I hoped I could use only relayd and pf.
No comments:
Post a Comment