Blocking IPs that repeatedly hit the same URL


#1

A client’s website is currently under attack, and I’ve been called in to fix it.

A huge number of IPs (easily over 5,000) is constantly hitting /login, presumably trying to bruteforce their way in.

I’ve changed the site so the page returns a 500 error, but they’re not giving up. Obviously this is no good for the real users, who now can’t log in.

Load balancing is done via HAProxy, which I have very little knowledge of (although I have a lot more than I did a few hours ago). I’ve tried lots of sensible things that I’ve found online but none seem to have helped, probably because there is such a big block of IPs performing the attack.

Onto the question, then: How can I reject an IP if it hits /login more than X times in Y seconds?

And, subpoint - how can I see a log of rejections so I know it’s actually working?

Here is a sample of the haproxy.log:

    Jun  3 14:24:50 hap-server haproxy[11831]: 46.161.62.79:15290 [03/Jun/2017:14:24:49.505] www-https-test~ www-backend/www-03 751/0/202/38/991 500 220 - - ---- 428/428/120/38/0 0/0 "GET /login HTTP/1.1"
    Jun  3 14:24:50 hap-server haproxy[11831]: 46.161.63.132:47804 [03/Jun/2017:14:24:49.505] www-https-test~ www-backend/www-04 751/0/202/38/991 500 220 - - ---- 428/428/119/42/0 0/0 "GET /login HTTP/1.1"
    Jun  3 14:24:50 hap-server haproxy[11831]: 46.161.62.43:53176 [03/Jun/2017:14:24:49.505] www-https-test~ www-backend/www-02 751/0/202/38/991 500 220 - - ---- 428/428/118/38/0 0/0 "GET /login HTTP/1.1"

#2

You’ll want to google for how to do rate limiting with HAProxy. There are several tutorials that look like they explain how to rate limit requests to certain URLs from IP addresses; for example, here and here.