I have had a botnet pounding on my server, trying to exploit a particular piece of PHP code in my support site. The botnet swarmed my server and overflowed it by hitting this piece of code tens of thousands of times per hour. I've since removed the entire code snippet and taken the support site down for now, so the load this botnet is putting on my server is greatly reduced because the server is now returning a 404 error for every hit. I'd block the IP addresses, but the botnet is pretty vast and that would take forever of perusing through the logs and adding hundreds of IPs a day; this is not feasible.
However the actual pieces of code that they are slamming are quite precise; most of the requests are for one particular file and there are a few requests for another copy of the same file.
What I am interested in doing is replacing this piece of source that it's looking for (it has to be PHP, not ASP, because it's calling a .php file) with another piece of source that adds the botnet machine to the IP block list in IIS. Effectively, I think, this would reduce the load on the server because instead of looking for the unfound file each time it would simply return a 403 access forbidden code. I could even twig a custom error page and keep it below say 50 bytes, or turn off the returned error page altogether.
However I'm not sure at all how to do this. I'm not a strong PHP programmer but I can fumble my way around. Directly accessing the metabase is possible from ASP although I'm not quite sure on how to do that; and calling an ASP script from PHP to process the ban would probably result in more load than just returning a 404. IIS7 does allow however for a command line with arguments to add the IP restriction to the metabase, so if I could get PHP to execute a command line argument and insert the IP address variable into it that would result in a single instruction to add them to the block list, a second request would net a 403 with minimal load.
However I have no idea how to go about this. I'm not sure if PHP can execute a command line argument at all, as that would potentially be a huge security risk and they may have just not included it in the PHP engine for exactly that reason alone. However the code to do such a thing, if it is in fact possible, I believe would be very small; it would merely collect the IP, execute the command line arg, and terminate. Any re-request would then be handled by IIS directly.
My support site is not even used by my clients anymore; it's been down ever since I noticed the botnet traffic, so pretty well anything hitting this file is on the botnet and is unlikely to be a result of search. The collateral damage of banning anyone who hits this file should be nil.
Any idea how I might be able to go about this? It seems like it should be ridiculously simple on the surface, but maybe that's my limited knowledge of PHP.
IIS7/Win32-Using PHP code to add IP to IIS ban list?
computerology - Forum Newbie - Posts: 3 - Joined: Mon Aug 18, 2008 2:44 pm
Re: IIS7/Win32-Using PHP code to add IP to IIS ban list?
I have an even better suggestion: change the script the botnet is looking for to something like this:
Code:
sleep(3600);
That way the scanning threads hitting your server will be tied up only to eventually time out (assuming their timeout is under 1 hr, which is reasonable). Eventually, it is likely that the botnet will consider you a "Dead host" and leave you alone. In the meantime, you are doing everyone else a favor by tying up the resources of the botnet and limiting how many hosts they can hit at once.
Re: IIS7/Win32-Using PHP code to add IP to IIS ban list?
Won't this sleep() approach (assuming that the attacker just bombards you with attempts anyway without waiting for a response) just tie up your server with sleeping connections?
Presumably, a tightly grouped sequence of attacks could then tie up all available connections, effectively preventing the server from responding to legit users?
I might be wrong on that though. I read it somewhere a while back when I was looking into my security systems.
Re: IIS7/Win32-Using PHP code to add IP to IIS ban list?
I have to admit that I have never tried it, but it is definitely the sort of thing you would want to keep a very close eye on if you ever implemented it. The goal would be that after a short while the botnet would give up and consider you a "dead" host, but obviously you would have to monitor it closely to make sure it doesn't tie up all of your own server's resources.
computerology - Forum Newbie - Posts: 3 - Joined: Mon Aug 18, 2008 2:44 pm
Re: IIS7/Win32-Using PHP code to add IP to IIS ban list?
Well I have had the PHP scripts they are hitting returning 404s for about two months now, and the botnet alone is generating 450K worth of logs per day. That may not seem like a lot, but my server isn't designed for high load; it's local here at my business on my corporate cable internet connection so I only have 1Mbit upstream, plus it's configured as a multiuse server so it's running a whole lot of stuff.
The botnet is obviously not very adaptive or it would have given up on the 404 codes long ago. I had considered having the pages return the URL of a large image file somewhere else much, much larger than my server that could host the traffic but then I'd be merely DDoSing someone else.
So really rather than a sleep thread I'd much rather just add them to the IIS ACL so their requests are all automatically rejected.
Re: IIS7/Win32-Using PHP code to add IP to IIS ban list?
Given what you have tried, your approach would make a lot more sense. The only problem is that windows apps (like IIS) are generally not very friendly to being configured programmatically, but I could be wrong on this.
Are the IPs not even coming from the same subnet?
computerology - Forum Newbie - Posts: 3 - Joined: Mon Aug 18, 2008 2:44 pm
Re: IIS7/Win32-Using PHP code to add IP to IIS ban list?
No, I thought of that. If I could block say Cox (where some of them come from) and get rid of most of them I would.
But the ranges are from 18.x.x.x all the way up to 196.x.x.x, so a netblock would pretty well block everyone but the fringes.
There is a way to do a direct metabase edit in IIS and then force it to refresh the metabase (the metabase is 100% XML now); there's apparently another way to do it direct from the command line, so pounding a CLI entry using PHP should work (and would be the best method). I favour that over appending entries to the metabase, one reason being that I don't want the metabase to get cluttered with a bunch of bans at the bottom along with all the resulting open/close tags that would have to be added each time so it wouldn't get corrupted, and two because I'd rather IIS add it to the metabase on its own.
I don't know the exact CLI entry to use but I am pretty sure it can be done.
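The following is a sketch of the script the original poster describes: it is added here as an example and is not code from anyone in this thread. It assumes IIS7 with the IP and Domain Restrictions feature installed, that exec() is not listed in php.ini's disable_functions, that appcmd.exe sits at its default path, and that the application pool identity has been granted the right to modify applicationHost.config; the site name SupportSite is a placeholder. Because the client IP is the one piece of attacker-influenced input that reaches the shell, the script trusts only REMOTE_ADDR (never X-Forwarded-For) and accepts only a syntactically valid IPv4 literal before building the command.

```php
<?php
// Added example for this thread, not code from any poster. Drop-in body for
// the .php file the botnet keeps requesting: ban the requester in IIS7's
// ipSecurity deny list via appcmd, then answer with an empty 403.
//
// Assumptions (adjust for your box):
//  - appcmd.exe at the default path below (no spaces in the path; see the
//    quoting note in build_ban_command)
//  - exec() not listed in php.ini's disable_functions
//  - the application pool identity may write applicationHost.config
//  - 'SupportSite' is a placeholder for the IIS site name to scope the rule to

define('APPCMD',    'C:\Windows\System32\inetsrv\appcmd.exe');
define('SITE_NAME', 'SupportSite');   // placeholder site name

/**
 * Return the requester's IPv4 address, or null if it is not a literal IPv4.
 * Only REMOTE_ADDR is consulted: X-Forwarded-For is client-supplied and
 * would let a bot make this script ban whatever address it chooses.
 * FILTER_VALIDATE_IP guarantees a bare dotted quad, so no shell
 * metacharacters can reach exec() below.
 */
function client_ipv4()
{
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return $ip;
}

/**
 * Build the documented appcmd invocation for adding a deny entry:
 *   appcmd set config "Site" /section:system.webServer/security/ipSecurity
 *          /+"[ipAddress='a.b.c.d',allowed='false']" /commit:apphost
 * /commit:apphost writes a <location path="Site"> block into
 * applicationHost.config, which works even though ipSecurity is locked
 * against per-site web.config overrides by default.
 */
function build_ban_command($ip)
{
    $entry = "[ipAddress='" . $ip . "',allowed='false']";
    // APPCMD is left unquoted on purpose: cmd.exe strips the first and last
    // quote when a command line starts with a quote and contains others,
    // which would mangle the remaining arguments.
    return APPCMD
        . ' set config ' . escapeshellarg(SITE_NAME)
        . ' /section:system.webServer/security/ipSecurity'
        . ' /+' . escapeshellarg($entry)
        . ' /commit:apphost';
}

/**
 * Run the ban. Returns true on success. A duplicate entry (two requests from
 * the same IP racing each other) makes appcmd exit non-zero; that is logged
 * and otherwise ignored, since the IP is denied either way.
 */
function ban_client($ip)
{
    $output = array();
    $rc     = 1;
    exec(build_ban_command($ip) . ' 2>&1', $output, $rc);
    error_log(sprintf('ipban %s rc=%d %s', $ip, $rc, implode(' | ', $output)));
    return $rc === 0;
}

$ip = client_ipv4();
if ($ip !== null) {
    ban_client($ip);
}
// Smallest possible reply; every later request from this IP is rejected by
// IIS before PHP is ever started.
header('HTTP/1.1 403 Forbidden');
header('Content-Length: 0');
exit;
```

Two things to watch if you run something like this. First, the first hit from each bot is now heavier than a 404 (a process spawn plus a write to applicationHost.config), so the benefit only shows once most of the botnet has been seen at least once; the deny list also grows by one entry per IP, which is the clutter mentioned above, so keep an eye on its size. Second, letting the pool identity rewrite applicationHost.config is a significant privilege: put this site in its own application pool with its own identity so that a compromise of any other site on the box does not inherit that right.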