• Resolved alligatornest

    (@alligatornest)


    Good Morning,

    Last night we were hit with what I think was a DOS attack. We have Wordfence installed, but I had to manually block the IP in our .htaccess file to stop the attack. Here is the order of events that occurred.

    1. We received a warning notification from our host that 80% of our DB connections were being used.
    2. A few minutes later I received an email from Wordfence with the following:
      The Wordfence administrative URL for this site is: https://www.[sitename].com/wp-admin/admin.php?page=Wordfence (This is not our administrative URL, btw.) This notification was very helpful since it provided the IP of the source of the attack.

      A user with IP address 107.23.120.140 has been locked out from signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 20. The last username they tried to sign in with was: ‘root’.
      The duration of the lockout is 4 hours.
      User IP: 107.23.120.140
      User hostname: ec2-107-23-120-140.compute-1.amazonaws.com
      User location: Ashburn, Virginia, United States
    3. I continued to monitor the database connections. I tried to kill the connections but they re-appeared. I was unable to log into the back end of the site.
    4. On the server I was able to see the logs and see that that IP was repeatedly hitting our site, specifically looking for the readme.txt file in different plugin folders, such as:
      plugins/woo-order-product-codes/readme.txt and plugins/nifty-desk/readme.txt – these are plugins we do not have installed. But regardless, our database and server were getting hammered.
    5. Since this was coming from a single IP, I was able to do a block in the .htaccess file. This stopped the attack.

    So my question is, what can I do to prevent this from happening again? The Wordfence notification said it blocked the IP, but it did not. Is there any way I can further secure our site to prevent this from happening again? If this had been a more sophisticated attack from multiple IPs, how would we stop it?

    Any thoughts on this would be greatly appreciated.

    Thank you

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @alligatornest, thanks for highlighting your issue.

    If this is a true DDoS, or at the very least a huge increase in attempted page views, protection at the server’s end such as Cloudflare (to pick one) should be the most effective solution. I say this because Wordfence is an endpoint firewall, so can catch/restrict/block users using Brute Force or Rate Limiting settings but, when optimized, before the point your site tries to host content to them. Restrictions therefore are possible, but it can’t stop the requests from initially hitting your site, even if it ends up blocking them.

    If you have a low setting for “How long is an IP address blocked when it breaks a rule”, like 5 minutes, the IP would be served block pages until that expires. After expiry, it’d reach your site until Wordfence blocked it again and so on…

    I will be more than happy to share our recommended settings for you to trial, to see if it can help in your case. If you’re noticing many of these are spam registration and/or signin attempts, having reCAPTCHA enabled in Wordfence > Login Security > Settings should dramatically reduce the amount of successful form submission attempts with “junk” data.

    I generally set my Rate Limiting rules to these values to start with:
    Rate Limiting Screenshot

    • If anyone’s requests exceed – 240 per minute
    • If a crawler’s page views exceed – 120 per minute
    • If a crawler’s pages not found (404s) exceed – 60 per minute
    • If a human’s page views exceed – 120 per minute
    • If a human’s pages not found (404s) exceed – 60 per minute
    • How long is an IP address blocked when it breaks a rule – 30 minutes

    I also always set the rule to Throttle instead of Block. Throttling is generally better than blocking because any good search engine understands what happened if it is mistakenly blocked and your site isn’t penalized because of it. Make sure to set your Rate Limiting Rules realistically and set the value for how long an IP is blocked to 30 minutes or so.

    With Brute Force settings, I recommend trying 3-5 for attempts and password resets, counted over 4 hours, with a 30 minute (or longer) lockout time period.

    Remember there is no hard and fast, one size fits all set of rules for every site. This is just a good place to start. During an attack you may want to make those rules stricter. If you see visitors, like search engine crawlers getting blocked too often, you might want to loosen them up a little.

    It can be frustrating to see so many requests, especially if there seems to be no logical reason, but this is actually quite a normal occurrence. You might find the following blog post interesting: https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/

    If it’s a persistent problem that maxes out the resources of your site, you should definitely speak with your hosting provider or server administrator to see if they can be detected before PHP (and therefore Wordfence) try to run.

    Thanks,
    Peter.
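    As an added example (not from this thread or the Wordfence plugin), the Python script below applies the per-minute Rate Limiting thresholds Peter lists to constructed access-log lines, showing how the 404-heavy readme.txt probing from item 4 trips the “pages not found” rule while ordinary browsing does not. It assumes combined-format logs, treats every visitor as a human (no crawler classification), and uses constructed TEST-NET addresses and plugin paths; the rule names in RULES are the script’s own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Per-IP, per-minute thresholds taken from the reply above ("human" rules only;
# crawler detection is out of scope for this example).
RULES = {
    "requests": 240,    # If anyone's requests exceed
    "page_views": 120,  # If a human's page views exceed
    "not_found": 60,    # If a human's pages not found (404s) exceed
}

# Apache/Nginx combined log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Parse one log line into ip / minute bucket / path / status, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "minute": ts.strftime("%Y-%m-%d %H:%M"),
            "path": m["path"], "status": int(m["status"])}

def evaluate(lines):
    """Return {(ip, minute): [rules exceeded]} for every bucket that breaks a rule."""
    counts = defaultdict(lambda: {"requests": 0, "page_views": 0, "not_found": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = counts[(rec["ip"], rec["minute"])]
        bucket["requests"] += 1
        # Wordfence counts 404s separately from successful page views
        bucket["not_found" if rec["status"] == 404 else "page_views"] += 1
    return {key: [r for r, limit in RULES.items() if c[r] > limit]
            for key, c in counts.items()
            if any(c[r] > limit for r, limit in RULES.items())}

# Constructed sample: 70 readme.txt probes (all 404) in one minute from one IP,
# plus two ordinary page views from a second IP. Addresses are TEST-NET ranges.
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/Mar/2024:03:14:{i % 60:02d} +0000] '
    f'"GET /wp-content/plugins/plugin-{i}/readme.txt HTTP/1.1" 404 512'
    for i in range(70)
] + [
    '198.51.100.9 - - [12/Mar/2024:03:14:07 +0000] "GET / HTTP/1.1" 200 8192',
    '198.51.100.9 - - [12/Mar/2024:03:14:09 +0000] "GET /about/ HTTP/1.1" 200 6144',
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))  # only the probing IP exceeds the 404 rule
```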

    Thread Starter alligatornest

    (@alligatornest)

    Hey wfpeter,

    I’ve implemented your suggestions on our sites. By default, it looks like those rate throttling limits were set to “unlimited”.

    Rate throttling should mitigate the issue I described in item 4 in my post. Correct?

    I really appreciate your help.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @alligatornest, thanks for the follow-up.

    It absolutely should mitigate the issue as the IP should be served a block page before further server resources are used to load site content from the database etc. The longer you decide to block an IP that breaks a rule, the more that should help under periods of sustained activity.

    Thanks,
    Peter.

  • The topic ‘DOS Attack – PLEASE READ – Wordfence alerted but did not seem to block IP’ is closed to new replies.