Gossamer Forum

How to combat DoS attacks on review.cgi ?

One of our clients is receiving tons of DoS attacks on his review.cgi file.

I was wondering if anyone could share an experience or direct me towards a solution to help lessen the impact.

Here are some of the logs:
148-12 - 0/0/3 . 0.59 506 0 0.0 0.00 0.00000 198.144.206.40 www.SiteName.com GET /cgi-bin/review.cgi?id=1413&add_review=1 HTTP/1.1
149-12 - 0/0/1 . 0.00 506 0 0.0 0.00 0.00 198.144.208.38 www.SiteName.com GET /cgi-bin/review.cgi?id=1414&add_review=1 HTTP/1.1
150-12 - 0/0/1 . 0.00 502 0 0.0 0.00 0.00 198.144.208.38 www.SiteName.com GET /cgi-bin/review.cgi?id=1418&add_review=1 HTTP/1.1
151-12 - 0/0/1 . 0.00 501 0 0.0 0.00 0.00 198.144.208.38 www.SiteName.com GET /cgi-bin/review.cgi?id=1420&add_review=1 HTTP/1.1
152-12 - 0/0/1 . 0.00 504 0 0.0 0.00 0.00 198.144.206.40 www.SiteName.com GET /cgi-bin/review.cgi?id=1415&add_review=1 HTTP/1.1

The attacker is: 198.144.208.38 and as you notice they're always using a different ID= so it is not easily detected.

I looked over the code and this is what is there. This had also happened on jump.cgi :

Code:
#!/usr/local/bin/perl
# ==================================================================
# Links SQL - enhanced directory management system
#
# Website : http://gossamer-threads.com/
# Support : http://gossamer-threads.com/scripts/support/
# CVS Info : 087,064,087,089,087
# Revision : $Id: review.cgi,v 1.4 2001/12/30 19:33:05 alex Exp $
#
# Copyright (c) 2001 Gossamer Threads Inc. All Rights Reserved.
# Redistribution in part or in whole strictly prohibited. Please
# see LICENSE file for full details.
# ==================================================================

use strict;
use lib '/home/SiteName/public_html/cgi-bin/admin';
use Links qw/$CFG/;
use Links::User::Review;

local $SIG{__DIE__} = \&Links::fatal;

# Everything from here on loads configuration and user state
Links::init('/home/fatty/public_html/cgi-bin/admin');
Links::init_user();

# Run the check_request hook; handle the review only if it passes
if (GT::Plugins->dispatch ($CFG->{admin_root_path} . '/Plugins', 'check_request', \&Links::check_request)) {
    GT::Plugins->dispatch ($CFG->{admin_root_path} . '/Plugins', 'handle_review', \&Links::User::Review::handle);
}


We already use mod_dosevasive and other anti-DoS methods, but this did not kick in until the server was overloaded really.

Any Help is much appreciated...

Thx,

Tamouh

Last edited by tamouh: Jul 4, 2005, 6:29 PM
Re: [tamouh] How to combat DoS attacks on review.cgi ?
While I have no experience with this, I believe you should be able to do a PRE hook on jump.cgi and review.cgi. What you can do is run an IP log in a new table to keep track of requests. Any IP that has more than X number of requests during Y period of time could be banned temporarily or permanently.

Philip
------------------
Limecat is not pleased.
Re: [tamouh] How to combat DoS attacks on review.cgi ?
Mmm... you could try adding this in after the "use lib" line;

Code:
# Anchored match with a literal trailing dot, so only 198.144.208.x is refused
if ($ENV{'REMOTE_ADDR'} =~ /^198\.144\.208\./) {
    print "Content-Type: text/html\n\n";
    print "ERROR: No access!";
    exit;
}

This *should* stop people before the whole script is processed (which uses the most CPU/memory). However, all they would need to do... is change their IP address (I've been getting attacked for quite a while now, but with more brute force DDoS attacks). We've now resorted to an anti-DDoS router... but it wasn't particularly cheap.

A plugin would evade the need to modify the .cgi script, *BUT* it would also still need to run all the other parts of the script (which is what's trying to be avoided), as the user needs to be verified / run through GLinks still.

Hope that helps.

Cheers

Andy (mod)
andy@ultranerds.co.uk


Re: [tamouh] How to combat DoS attacks on review.cgi ?
Why don't you give .htaccess a try? This is more efficient and will cause less server load than .cgi.

Simply put this at the top of your .htaccess:

Code:
# With "allow,deny", Allow is evaluated first and a matching Deny overrides it
order allow,deny
allow from all
# Deny DoS IP
deny from 198.144.208.38

zaaron

---------
GetLokal Reviews
Re: [zaaron] How to combat DoS attacks on review.cgi ?
Thanks for the feedback, but as Andy mentioned, the problem is not blocking a single IP address, I can do that on the server side.

It is a matter of the script using huge resources by a simple DoS attack. The attack lasts for less than 5 minutes until our server blocks it, but during these 5 minutes the server almost halts.

If the IP address keeps changing, doing a manual blocking of IPs is useless. So I was wondering if there was any type of plugin that does a certain verification before it processes the whole review.cgi file.

Thx
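
One way to implement the per-IP "X requests in Y seconds" limit Philip describes, placed where Andy suggests so that it runs before any Links code is loaded. This is an added example, not part of the thread and not Links SQL code; the limits, the state file path and the `allow_request` helper are assumptions.

```perl
#!/usr/bin/perl
# Added example (not Links SQL code): per-IP fixed-window request limit,
# using only core Perl modules so it runs before the Links modules load.
use strict;
use warnings;
use Fcntl qw(:flock O_RDWR O_CREAT);
use SDBM_File;

# Assumed values: X requests per Y seconds, then a temporary ban.
my $MAX_REQUESTS = 10;
my $WINDOW_SECS  = 60;
my $BAN_SECS     = 600;
# Hypothetical path; keep it outside the web root and not world-writable.
my $STATE = '/home/SiteName/data/review_rate';

# Returns 1 if $ip may proceed at time $now, 0 if it is over the limit or banned.
sub allow_request {
    my ($ip, $now) = @_;
    # Fail open: a broken state file must not take the review page down.
    open(my $lock, '>>', "$STATE.lock") or return 1;
    flock($lock, LOCK_EX) or return 1;
    tie(my %seen, 'SDBM_File', $STATE, O_RDWR | O_CREAT, 0600) or return 1;

    # Record format per IP: "window_start:count:banned_until"
    my ($start, $count, $banned_until) = split /:/, ($seen{$ip} // "$now:0:0");
    my $ok = 1;
    if ($now < $banned_until) {
        $ok = 0;
    } else {
        ($start, $count) = ($now, 0) if $now - $start >= $WINDOW_SECS;
        if (++$count > $MAX_REQUESTS) {
            $banned_until = $now + $BAN_SECS;
            $ok = 0;
        }
    }
    $seen{$ip} = join ':', $start, $count, $banned_until;
    untie %seen;
    close $lock;    # closing the handle releases the lock
    return $ok;
}

# Placement: directly after the "use lib" line in review.cgi or jump.cgi.
if (defined $ENV{REMOTE_ADDR} && !allow_request($ENV{REMOTE_ADDR}, time)) {
    print "Status: 429 Too Many Requests\n";
    print "Retry-After: $BAN_SECS\n";
    print "Content-Type: text/plain\n\n";
    print "Too many requests.\n";
    exit;
}
```

Records are never purged here, so the state file needs periodic cleanup. Each refused request still costs one Perl start-up under CGI, but it skips the Links initialisation that follows.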