Hello, this is to share with you that I am experiencing a DDoS attack on a webserver I manage.

It is a Drupal/PHP/Nginx platform that is flooded with GET requests such as:

    GET /es/search?f%5B0%5D=language%3Aes&f%5B1%5D=regions%3A4490&f%5B2%5D=regions%3A4511&f%5B3%5D=regions%3A4538&f%5B4%5D=regions%3A4556&f%5B5%5D=regions%3A4567&f%5B6%5D=regions%3A4593&f%5B7%5D=regions%3A4601&f%5B8%5D=regions%3A4603&f%5B9%5D=regions%3A4620&f%5B10%5D=regions%3A4631&f%5B11%5D=regions%3A4674&f%5B12%5D=type_of_content%3A4697&f%5B13%5D=type_of_content%3A4710&f%5B14%5D=type_of_content%3A4857&f%5B15%5D=type_of_content%3A4862&f%5B16%5D=type_of_content%3A4943&f%5B17%5D=type_of_content%3A6249&f%5B18%5D=type_of_content%3A6423&f%5B19%5D=wcc_programmes%3A4882&f%5B20%5D=wcc_programmes%3A4893

It targets the search module, which does not cache the data and means resource impact.

This involves more than 12'000 individual IP addresses, spread over CN, IN, KO, MX, and US. A list of the subnet part involved can be found here[0]. (The list is of course growing over time; the attack is not over and the spread of hosts continues.)

I plan to further investigate the networks involved, how likely they are cloud nodes or infected hosts for instance.

I am on the AS3303/Swisscom BTW.

Is anyone experiencing such traffic? This is not huge in terms of bw, but scaled adequately to eat the server's CPU resources.

Regards.

[0] https://www.mbuf.net/files/f/ebbc54f52b564824bf5e/

--
|_|0|_| Julien MABILLARD - Matrix: @jma:matrix.mbuf.net - XMPP: j...@tls.mbuf.net
|_|_|0| OpenPGP fingerprint: 1E47 513E 8B00 8BC5 E874 23E4 54A4 32FB 260A 2D41
|0|0|0| ssb: @O7yM/4Y0Jcp1uZToeis2AKApyOvb8ZHkoXuAh0wPcAM=.ed25519

_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
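
Added example, not part of the original message: one way to pick this request pattern out of an Nginx access log and group the sources by subnet. It assumes the combined log format; the threshold of 10 facets, the /24 and /48 grouping, the helper names and the sample log lines (documentation address ranges) are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_network
from urllib.parse import urlsplit, parse_qsl

# Combined log format: client address first, then the quoted request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
FACET_KEY = re.compile(r"^f\[\d+\]$")
FACET_THRESHOLD = 10  # assumed cut-off; tune against legitimate search traffic

def facet_count(target):
    """Number of f[N] facet parameters on a .../search request, else 0."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith("/search"):
        return 0
    # parse_qsl percent-decodes keys, so f%5B0%5D is seen as f[0].
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return sum(1 for key, _ in pairs if FACET_KEY.match(key))

def suspicious_subnets(lines, threshold=FACET_THRESHOLD):
    """Count facet-heavy search GETs per /24 (IPv4) or /48 (IPv6)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2) != "GET" or facet_count(m.group(3)) < threshold:
            continue
        addr = m.group(1)
        try:
            net = ip_network(f"{addr}/{48 if ':' in addr else 24}", strict=False)
        except ValueError:  # first field is not an IP address
            continue
        hits[str(net)] += 1
    return hits

def sample_query(n):  # constructed query string carrying n facet filters
    return "&".join(f"f%5B{i}%5D=regions%3A{4490 + i}" for i in range(n))

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /es/search?{sample_query(21)} HTTP/1.1" 200 5120 "-" "-"',
    f'192.0.2.77 - - [01/Jan/2024:10:00:01 +0000] "GET /es/search?{sample_query(15)} HTTP/1.1" 200 5120 "-" "-"',
    f'198.51.100.5 - - [01/Jan/2024:10:00:01 +0000] "GET /es/search?{sample_query(21)} HTTP/1.1" 200 5120 "-" "-"',
    f'203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /es/search?{sample_query(2)} HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 812 "-" "-"',
]

if __name__ == "__main__":
    for net, count in suspicious_subnets(SAMPLE).most_common():
        print(net, count)
```

The per-subnet counts can be compared against a published subnet list or fed into a rate limit on the search path.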