I can't find it, but someone wrote a script to decode that style of hacking. 
For the hacks I was decoding, they were RDP hack attempts. The hackers just 
"spray" their attacks. Often they are not meaningful to your server.

I have Nginx maps set up to match requests that are not relevant to my server. 
For instance I don't run WordPress, so anything WordPress related gets a 444 
response. On a weekly basis I pull all the IP addresses that generated a 400 or 
444 and run them through a IP lookup website. If they come back to a hosting 
company, VPS, or basically anything not an ISP, I block the associated IP space 
via my firewall. The only reason I can do this weekly is I have blocked so much 
IP space already that I don't get many hackers.

At a minimum I suggest blocking all Amazon AWS. No eyeballs there, just 
hackers. Also block all of OVH. You can block any of the hosting companies 
since there are no eyeballs there. This blocks many VPNs as well but nobody 
says you have to accept traffic from VPNs. 

Firewalls are very CPU efficient though they do use a lot of memory. In the 
long run blocking all those hackers improves system efficiency since nginx does 
have to parse all that nonsense.

I have scripts to pull the hacker IP out of the log file but a have a 
nonstandard log format. If you can create a file of IPs, this site will return 
the domains:

https://www.bulkseotools.com/bulk-ip-to-location.php

If you see a domain that is obviously not an ISP, you can find their entire IP 
space using bgp.he.net

This sounds more complicate than it is. I have it down to about 20 minutes a 
week. 

You can also block countries in the firewall. Some people block all of China. I 
don't but that does cut down on hackers. 



  Original Message  


From: [email protected]
Sent: August 24, 2020 11:06 AM
To: [email protected]
Reply-to: [email protected]
Subject: Re: Is this an attack or a normal request?


> Is this kind of DDOS attack or a legitimate request(which my server returns
> 400 for them)?

That's typically how various unicode characters are hex encoded. If
you aren't expecting that kind of input, then yes it is likely an
attack (probably trying to exploit an unknown specific piece of
software). Welcome to the internet where everything connected is
bombarded 24/7 from everything else with random attacks.

That's why it's important to keep your server (and wordpress) up to date.
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx

Reply via email to