Gossamer Forum

How to combat DoS attacks on review.cgi ?

One of our clients is receiving tons of DoS attacks on his review.cgi file.

I was wondering if anyone could share an experience or direct me towards a solution to help lessen the impact.

Here are some of the logs:
148-12 - 0/0/3 . 0.59 506 0 0.0 0.00 0.00000 198.144.206.40 www.SiteName.com GET /cgi-bin/review.cgi?id=1413&add_review=1 HTTP/1.1
149-12 - 0/0/1 . 0.00 506 0 0.0 0.00 0.00 198.144.208.38 www.SiteName.com GET /cgi-bin/review.cgi?id=1414&add_review=1 HTTP/1.1
150-12 - 0/0/1 . 0.00 502 0 0.0 0.00 0.00 198.144.208.38 www.SiteName.com GET /cgi-bin/review.cgi?id=1418&add_review=1 HTTP/1.1
151-12 - 0/0/1 . 0.00 501 0 0.0 0.00 0.00 198.144.208.38 www.SiteName.com GET /cgi-bin/review.cgi?id=1420&add_review=1 HTTP/1.1
152-12 - 0/0/1 . 0.00 504 0 0.0 0.00 0.00 198.144.206.40 www.SiteName.com GET /cgi-bin/review.cgi?id=1415&add_review=1 HTTP/1.1

The attacker is: 198.144.208.38 and as you notice they're always using a different ID= so it is not easily detected.

I looked over the code and this is what is there. This had also happened on jump.cgi :

Code:
#!/usr/local/bin/perl
# ==================================================================
# Links SQL - enhanced directory management system
#
# Website : http://gossamer-threads.com/
# Support : http://gossamer-threads.com/scripts/support/
# CVS Info : 087,064,087,089,087
# Revision : $Id: review.cgi,v 1.4 2001/12/30 19:33:05 alex Exp $
#
# Copyright (c) 2001 Gossamer Threads Inc. All Rights Reserved.
# Redistribution in part or in whole strictly prohibited. Please
# see LICENSE file for full details.
# ==================================================================

use strict;
use lib '/home/SiteName/public_html/cgi-bin/admin';
use Links qw/$CFG/;
use Links::User::Review;

local $SIG{__DIE__} = \&Links::fatal;

Links::init('/home/fatty/public_html/cgi-bin/admin');
Links::init_user();

if (GT::Plugins->dispatch ($CFG->{admin_root_path} . '/Plugins', 'check_request', \&Links::check_request)) {
    GT::Plugins->dispatch ($CFG->{admin_root_path} . '/Plugins', 'handle_review', \&Links::User::Review::handle);
}


We already use mod_dosevasive and other anti-DoS methods, but this did not kick in until the server was overloaded really.

Any Help is much appreciated...

Thx,

Tamouh

Last edited by tamouh: Jul 4, 2005, 6:29 PM
Re: [tamouh] How to combat DoS attacks on review.cgi ? In reply to
While I have no experience with this, I believe you should be able to do a PRE hook on jump.cgi and review.cgi. What you can do is run an IP log in a new table to keep track of requests. Any IP that has more than X number of requests during Y period of time could be banned temporarily or permanently.

Philip
------------------
Limecat is not pleased.
Re: [tamouh] How to combat DoS attacks on review.cgi ? In reply to
Mmm... you could try adding this in after the "use lib" line;

Code:
# Anchored match on the 198.144.208.x range
if ($ENV{'REMOTE_ADDR'} =~ /^198\.144\.208\./) {
    print "Content-Type: text/html\n\n";
    print "ERROR: No access!";
    exit;
}

This *should* stop people before the whole script is processed (which uses the most CPU/memory). However, all they would need to do... is change their IP address (I've been getting attacked for quite a while now, but with more brute force DDoS attacks). We've now resorted to an anti-DDoS router... but it wasn't particularly cheap.

A plugin would evade the need to modify the .cgi script, *BUT* it would also still need to run all the other parts of the script (which is what's trying to be avoided), as the user needs to be verified/run through GLinks still.

Hope that helps.

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [tamouh] How to combat DoS attacks on review.cgi ? In reply to
Why don't you give .htaccess a try? This is more efficient and will cause less server load than .cgi.

Simply put this at the top of your .htaccess:

Code:
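# With "allow,deny" the deny rules are evaluated last, so they override "allow from all"
order allow,deny
allow from all
# Deny DoS IP (Apache does not accept a comment on the same line as a directive)
deny from 198.144.208.38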

zaaron

Re: [zaaron] How to combat DoS attacks on review.cgi ? In reply to
Thanks for the feedback, but as Andy mentioned, the problem is not blocking a single IP address, I can do that on the server side.

It is a matter of the script using huge resources by a simple DoS attack. The attack lasts for less than 5 minutes until our server blocks it, but during these 5 minutes the server almost halts.

If the IP address keeps changing, doing a manual blocking of IPs is useless. So I was wondering if there were any type of plugin that does a certain verification before it processes the whole review.cgi file.

Thx
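
The per-IP request counting Philip suggests, run before the Links modules load as Andy and tamouh ask for, sketched as an added example that is not part of the thread or of Gossamer Links. It uses a flat-file counter in place of a database table; the limits, the state directory and the `over_limit` name are assumptions.

```perl
#!/usr/bin/perl
# Added example (not Gossamer Links code): fixed-window per-IP throttle.
use strict;
use warnings;
use Fcntl qw(:flock :seek);
use File::Temp qw(tempdir);
# Constants, not "my" variables: they must already have values inside BEGIN.
use constant { MAX_HITS => 5, WINDOW => 60 };   # assumed X requests per Y seconds

# Returns 1 when $ip has made more than MAX_HITS requests in the current
# window. The key is the address alone, so changing id= does not reset it.
# State is one small file per address holding "<window_start> <count>".
sub over_limit {
    my ($dir, $ip, $now) = @_;
    return 0 unless defined $ip && $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;  # IPv4 only
    open(my $fh, '+>>', "$dir/$ip") or return 0;   # fail open if state is unusable
    flock($fh, LOCK_EX) or return 0;               # serialise concurrent CGI processes
    seek($fh, 0, SEEK_SET);
    my $line = <$fh>;
    my ($start, $count) = (defined $line && $line =~ /^(\d+) (\d+)$/)
                        ? ($1, $2) : ($now, 0);
    ($start, $count) = ($now, 0) if $now - $start >= WINDOW;   # window expired
    $count++;
    truncate($fh, 0);
    seek($fh, 0, SEEK_SET);
    print {$fh} "$start $count\n";
    close($fh);                                    # also releases the lock
    return MAX_HITS < $count ? 1 : 0;
}

# In review.cgi the check would sit above "use Links qw/$CFG/;" as:
#   BEGIN {
#       if (over_limit('/path/to/state', $ENV{REMOTE_ADDR}, time)) {
#           print "Status: 503 Service Unavailable\nContent-Type: text/plain\n\nBusy\n";
#           exit;
#       }
#   }
# "use" runs at compile time, so only a BEGIN block placed before it can
# reject a request without loading the Links modules.

# Demonstration on constructed requests modelled on the log in the first post.
my $dir = tempdir(CLEANUP => 1);
my $t   = 1_120_500_000;                           # constructed start time
for my $id (1413 .. 1420) {
    my $verdict = over_limit($dir, '198.144.208.38', $t++) ? 'throttled' : 'allowed';
    print "review.cgi?id=$id&add_review=1 -> $verdict\n";
}
```

An address that changes between requests starts a fresh counter each time, so this only bounds the load a single source can generate.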