How to stop DOS Attacks - 10+ login requests from one IP per second, for hours on end

[dalbert]

Recent issue is that we have remote servers initiating 10+ logins a second on a continuous basis.. This eventually corrupts the sessions portion of the database, and causes the forum to go down.

I looked but don't see a way, to limit / block these in the config...  Is there some way this can be configured, or added as a security fix?  i.e. more than 1 login a second from any given IP, would get blocked by the IPS software / more than 100 per 30min timespan - ideally logged as an offending IP somewhere for reference.

 

Thanks.

[Makoto]

Search for "bruteforce" in the AdminCP and it will pull up the settings page for this,

But too many failed logins shouldn't be corrupting your sessions table or anything of the sort, this sounds like a bandaid for a bigger underlying issue in your server environment, if the brute force attempts are even causing it to begin with.

Edited October 13, 2023 by Makoto

[Cedric V]

Are you running CloudFlare?

[Randy Calvert]

51 minutes ago, dalbert said:

I looked but don't see a way, to limit / block these in the config...  Is there some way this can be configured, or added as a security fix?  i.e. more than 1 login a second from any given IP, would get blocked by the IPS software / more than 100 per 30min timespan - ideally logged as an offending IP somewhere for reference.

If you're looking to do something like that, I would recommend not trying to do that within the software itself.  Instead you should be using some sort WAF.

[Marc]

As mentioned already, this is something you need to be sorting out at a server level, rather than a software level. If they are able to hit your site to do that many logins, you already have an issue way before it gets to the software.

[dalbert]

We have lock accounts set to 4, but I believe that would just lock the account that was tried, not refuse the connection, so if trying different addresses, or just submitting junk it won't block.

We have 2x Invision forums - currently this is only an issue at one. The sessions portion of the database becomes corrupted when this happens, and we have to rebuild it. Server load jumps upwards of 70. 

ISP is throwing the blame at the software, saying it should have a mechanism to deal with it..... and the lP info for the offending connections can only be noted once the traffic becomes heavy - at which point the IP/Subnet can put in the firewall database.

 

[Dll]

I'd really recommend cloudflare. If your host is relying on manually putting IP addresses into a firewall to block things like this, then that's always going to be a struggle. 

[Miss_B]

1 hour ago, dalbert said:

We have lock accounts set to 4, but I believe that would just lock the account that was tried, not refuse the connection, so if trying different addresses, or just submitting junk it won't block.

As it happened past week I had coded an app for someone who had the same issue like you do, but using a different software. The app recorded all non action visits (aka board index, individual boards and topics) from an IP address within the session data.  If the visitor was recorded as having more hits than a specified number of times per minutes, the app placed an automatically ban in the .htaccess file.  The default was set for one hit every 2 seconds which  is a reasonable time frame for non robot actions.

This helped a lot for them. If you are interested I can code it for Ipb too for a fee. Please contact me in private should you be interested to have the app developed for your forum.

[Makoto]

Traffic spikes should never "corrupt" your database. Increases in load can slow the server down, connections flooding and exceeding your MySQL servers configured max allowed connections can cause the website to "crash" and display an error page when they can't connect to the database, running out of memory can cause your server to resort to swap space and slow your system down to a crawl or get to the point where Linux starts forcefully killing processes to free up memory, but none of these scenarios (excluding possibly the last if the MySQL process is forcefully terminated, which is a case where your server is not properly configured in regards to maximum allowed MySQL conenctions and etc.) should result in database tables becoming corrupted.

This is not normal behavior. There is something wrong with your systems configuration if this is a frequent problem.

But outside of that, yes, I recommend looking into Cloudflare to help block illegitimate traffic and reduce the load on your website. It's not a solution to whatever is causing your database to become corrupted, but it's a good idea.

However, your host putting the blame entirely on the software is just factually wrong. If they're trying to suggest it's normal for this to happen, they are absolutely incorrect.

Edited October 14, 2023 by Makoto

[tsruha]

I've been trying to reach you. Please check your messages. Thanks.

On 10/13/2023 at 8:37 PM, Makoto said:

Traffic spikes should never "corrupt" your database. Increases in load can slow the server down, connections flooding and exceeding your MySQL servers configured max allowed connections can cause the website to "crash" and display an error page when they can't connect to the database, running out of memory can cause your server to resort to swap space and slow your system down to a crawl or get to the point where Linux starts forcefully killing processes to free up memory, but none of these scenarios (excluding possibly the last if the MySQL process is forcefully terminated, which is a case where your server is not properly configured in regards to maximum allowed MySQL conenctions and etc.) should result in database tables becoming corrupted.

This is not normal behavior. There is something wrong with your systems configuration if this is a frequent problem.

But outside of that, yes, I recommend looking into Cloudflare to help block illegitimate traffic and reduce the load on your website. It's not a solution to whatever is causing your database to become corrupted, but it's a good idea.

However, your host putting the blame entirely on the software is just factually wrong. If they're trying to suggest it's normal for this to happen, they are absolutely incorrect.

Makoto, I've been trying to reach you. Please check your messages. Thanks.