Here's the deal: I have a persistent Chinese botnet that spams my forum (running on an Ubuntu 12.04.2 server on nginx, etc). I've been using UFW (Ubuntu's "Uncomplicated FireWall") for managing the firewall, just as a simple way to not have to deal with iptables.
I've identified the extremely consistent and unique (not to mention dumb) URL that it attempts to load each time a bot hits, and from that made a cron to parse the access logs every hour and find new attackers, and ufw deny from [ip-address] on them.
However, the onslaught just doesn't stop. It's incredible. I'm logging each blocked IP, and it's up to almost 17,000 IPs. 98% of the IPs are from China, with a few here and there from other countries.
This appears to be working well: in practice, all those attacks are blocked, and the connections have gone back to normal, traffic has gone down exponentially, and the effective DDOS has stopped (if I let these clients through, the volume and speed of the requests is staggering).
UFW also seems to be okay with it. Nothing is slowing down, requests are being served with the same speed, latency hasn't suffered as far as I can tell. I've tried combining the individual IPs into ranges as much as possible, but it would be difficult to figure out all of them, and would block an order of magnitude more IPs than are actually causing problems.
So, some questions:
- How many rules (presumably iptables when all is said and done) can I reasonably have before I should be worried?
- Is there any possible negative effect to continuing this exact practice?
- Any suggested changes or improvements?
- Does anyone know about this bot? It's attacking bbPress. Is there a better way to prevent attacks like this rather than treat the symptoms?
I don't want to block all of China, unfortunately, since I know we have users there...
1-2. Theoretically as many as you like. Practically you'd first start observing some memory issues because all these rules have to be loaded. Then you'd get to the real trouble of maxing out your CPUs because you'd have to check all these rules until you hit the one that matches. Also depends on what you are logging (i.e. are you logging everything, all DROPs, and so on?)
3. Use IP sets, block whole IP blocks and/or combine with a hardware firewall.
4. I am not familiar with bbPress but there's a bunch of things that you can do to mitigate attacks, from caching to pre-blocking IP blocks related to the botnet.
You ask for possible improvements, and the thing I would do first is to speed up the feedback loop. In my experience, DDOSes go away quicker if they quickly see they're unsuccessful. So respond to requests for that URL with a 404, and immediately block them (one way to achieve this is to stick the IP address in a beanstalk tube and turn your cronjob into a continuously running thing that polls that tube and blocks).
This will not affect the memory impact (even make it a bit worse) but save CPU load: if you don't already do that, you should whitelist the rest of the world instead of checking all incoming connections against your long list of blocked IPs.
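The two answers above point the same way: put the offending addresses in an IP set so the kernel does one hash lookup per packet instead of walking 17,000 individual rules, and shorten the loop between spotting a bot and blocking it. The script below is an added example, not code from either poster or from the questioner's cron. It parses nginx combined-format access log lines for a fixed request path, drops addresses that are already blocked, and emits input for `ipset restore`. The path `/BOT-PATH`, the set name `botnet`, the sample log lines and the "already blocked" list are all constructed placeholders.

```shell
#!/bin/sh
# Added example: feed an ipset from the access log instead of one ufw rule per IP.
# Everything below (BOT_URL, SET_NAME, SAMPLE_LOG, KNOWN_BLOCKED) is constructed.

BOT_URL='/BOT-PATH'      # placeholder for the bot's fixed, unique request path
SET_NAME='botnet'        # hypothetical ipset name

# Constructed nginx "combined" log lines: two bot hits from .7, one normal
# visitor, one bot hit from .9. Field 1 is the client IP, field 7 the path.
SAMPLE_LOG='203.0.113.7 - - [10/Jun/2013:10:00:01 +0000] "GET /BOT-PATH HTTP/1.1" 404 0 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Jun/2013:10:00:02 +0000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2013:10:00:03 +0000] "POST /BOT-PATH HTTP/1.1" 404 0 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2013:10:00:04 +0000] "GET /BOT-PATH HTTP/1.1" 404 0 "-" "Mozilla/4.0"'

# Constructed list of addresses the previous run already blocked.
KNOWN_BLOCKED='203.0.113.9'

# Unique client IPs whose request path is exactly the bot URL.
# $1: log text, $2: request path (exact match on field 7, so no substring hits)
bot_ips() {
    printf '%s\n' "$1" | awk -v path="$2" '$7 == path { print $1 }' | sort -u
}

# Candidates not already in the blocked list. The known list is emitted twice,
# so after sorting, uniq -u keeps only lines that appear exactly once, i.e. the
# candidates that have no match in the known list.
# $1: newline-separated candidates (unique), $2: newline-separated known IPs
new_ips() {
    printf '%s\n%s\n%s\n' "$1" "$2" "$2" | sed '/^$/d' | sort | uniq -u
}

# Input for `ipset restore`: create the set if missing, add each new IP.
# -exist makes the script idempotent if a run overlaps with a previous one.
ipset_restore_script() {
    printf 'create %s hash:ip -exist\n' "$SET_NAME"
    printf '%s\n' "$1" | sed '/^$/d' | awk -v s="$SET_NAME" '{ printf "add %s %s -exist\n", s, $1 }'
}

main() {
    ips=$(bot_ips "$SAMPLE_LOG" "$BOT_URL")
    fresh=$(new_ips "$ips" "$KNOWN_BLOCKED")
    ipset_restore_script "$fresh"
    # On the server: ipset_restore_script "$fresh" | ipset restore
    # and one rule that consults the set, e.g. in /etc/ufw/before.rules:
    #   -A ufw-before-input -m set --match-set botnet src -j DROP
}

main
```

Run on a real server it would be tailed from the live log rather than a string, and the single `--match-set` rule replaces the growing list of per-IP rules, which is what keeps the per-connection cost flat for everyone who is not in the set. The 404 half of the second answer is a one-line nginx location block (`location = /BOT-PATH { return 404; }`) in front of bbPress, so the bot never reaches PHP even before its address lands in the set.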