dynamically blocked rapid attacks

7 years 3 months ago #4128 by gjm6cB
dynamically blocked rapid attacks was created by gjm6cB
Hi Jose,

I hope you're doing well. I have an interesting new problem - rapid attacks.

Web Firewall Logs is recording attacks where the IP targets the same URL, with the same request, multiple times per second. So maybe three (3) or more requests per second. To deal with some persistent attackers, I dropped the dynamic blacklist number so that the blacklist is triggered sooner. But there are instances where either the dynamic blacklist is not triggered soon enough, or it is overwhelmed, or it is triggered but too late to stop 1 or 2 additional hits...I'm not sure.

The point is that the logs show the first few requests, then in some cases the triggering of the dynamic blacklist, followed by 1-2 requests that are dynamically blocked. Or, the logs will show some number of requests over the amount that should trigger the dynamic blacklist, then the triggering of the blacklist.

I've experienced this now maybe 3-4 times in the past two months. I saw the previous post re dealing with multiple hits (that are not attacks) at the server level. I'm not sure if this is the same situation. If it is not, is there a way to control for frequency of attacks in a given time period?



7 years 3 months ago #4129 by Jose
Replied by Jose on topic dynamically blocked rapid attacks
Hi Saboor,

I'm fine thanks! I hope you're fine too!

I fear there is nothing to do here; we have the same situation as a server suffering a DDoS attack. This is not a bug but the normal behavior of a server processing all queries, so an attack like this must be stopped at the server level.

The good news is that even in that situation all attacks are stopped by the firewall.



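Added example, not part of the original thread and not the firewall's own code: a sliding-window check over access-log lines that flags an IP sending the same request to the same URL three or more times within one second, the pattern described in the first post, and counts how many further hits arrive after the threshold trips. The combined-style log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (combined-style access log, documentation IPs); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:10:15:01 +0000] "GET /index.php?id=1 HTTP/1.1" 403 199
198.51.100.20 - - [12/Mar/2018:10:15:01 +0000] "GET /contact HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2018:10:15:01 +0000] "GET /index.php?id=1 HTTP/1.1" 403 199
203.0.113.7 - - [12/Mar/2018:10:15:01 +0000] "GET /index.php?id=1 HTTP/1.1" 403 199
198.51.100.20 - - [12/Mar/2018:10:15:01 +0000] "GET /contact HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2018:10:15:01 +0000] "GET /index.php?id=1 HTTP/1.1" 403 199
203.0.113.7 - - [12/Mar/2018:10:15:01 +0000] "GET /index.php?id=1 HTTP/1.1" 403 199
203.0.113.7 - - [12/Mar/2018:10:15:02 +0000] "GET /index.php?id=1 HTTP/1.1" 403 199
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}')

def parse(line):
    """Return (ip, timestamp, method, url) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, url = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, url

def find_bursts(lines, max_hits=3, window_s=1.0):
    """Flag (ip, method, url) with >= max_hits requests in window_s; lines must be in time order."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    bursts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, url = rec
        key = (ip, method, url)
        q = recent[key]
        q.append(when)
        while (when - q[0]).total_seconds() >= window_s:
            q.popleft()           # drop requests that fell out of the window
        if key in bursts:
            bursts[key]["after_trip"] += 1   # hits that arrived after the threshold tripped
            bursts[key]["peak"] = max(bursts[key]["peak"], len(q))
        elif len(q) >= max_hits:
            bursts[key] = {"first_trip": when, "peak": len(q), "after_trip": 0}
    return bursts

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG.splitlines()))
```

The keys returned are the candidates for a server-level rate limit or block; `after_trip` shows how many requests still reached the server once the threshold had been crossed.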