DoS attack using jm-ajax/get_listings to overload the server
PHP ver: 7.4.3
WP ver: 5.6.1
Plugin ver: 1.35.0
Hi there,
We’ve got a client site using this plugin, and every few days the site is getting attacked from foreign IP addresses all sending POST requests to jm-ajax/get_listings.
Here’s an example from our access log:
162.158.158.127 - - [10/Apr/2021:17:49:41 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:41 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:41 +0100] "POST /jm-ajax/get_listings/ HTTP/2.0" 200 270 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:41 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/2.0" 200 270 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
162.158.158.127 - - [10/Apr/2021:17:49:44 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
You can see there are multiple requests each second, which eventually overloads our server’s resources.
We’ve put the site behind Cloudflare but it hasn’t prevented this attack (with the default Cloudflare configuration).
Our current workaround is to manually block the IP address for each attack, but every new attack is coming from a new IP.
Can you suggest something we can try to mitigate this? Is there a way to limit POST requests to this URL to only the website itself?
Thanks!
- The topic ‘DoS attack using jm-ajax/get_listings to overload the server’ is closed to new replies.
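Added example, not part of the original post or the plugin's code: a burst detector for access logs in the format quoted above, which counts POSTs to /jm-ajax/get_listings/ per logged address in a sliding window and reports whether a flagged address sits in a reverse-proxy range. The function names, the limit of 5 requests per 2 seconds, and the sample lines (constructed, using documentation addresses for the quiet clients) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ENDPOINT = "/jm-ajax/get_listings/"
# One of Cloudflare's published IPv4 ranges. An address inside it is the
# proxy edge that relayed the request, not the client that sent it.
PROXY_RANGE = ip_network("162.158.0.0/15")
# Combined log format: ip, ident, user, [time], "METHOD path proto", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_bursts(lines, limit=5, window=timedelta(seconds=2)):
    """Return {ip: peak POST count to ENDPOINT in any window} for ips over limit."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        ip, stamp, method, path, _status = m.groups()
        if method != "POST" or path.split("?")[0] != ENDPOINT:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] >= window:   # drop hits that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}

def behind_proxy(ip):
    """True when the logged address is a proxy edge rather than a client."""
    return ip_address(ip) in PROXY_RANGE

def sample_lines():
    """Constructed log lines: one bursting address, one slow poster, one GET-only."""
    fmt = ('{ip} - - [10/Apr/2021:17:49:{s:02d} +0100] "{m} {p} HTTP/1.1" '
           '200 282 "-" "constructed-agent"')
    lines = [fmt.format(ip="162.158.158.127", s=41 + i // 4, m="POST", p=ENDPOINT)
             for i in range(12)]      # 4 POSTs per second for 3 seconds
    lines += [fmt.format(ip="198.51.100.7", s=41 + 5 * i, m="POST", p=ENDPOINT)
              for i in range(3)]      # one POST every 5 seconds
    lines += [fmt.format(ip="203.0.113.9", s=41, m="GET", p="/vacancies/")
              for _ in range(10)]     # other traffic, ignored
    return lines

if __name__ == "__main__":
    for ip, n in find_bursts(sample_lines()).items():
        print(ip, n, "proxy edge" if behind_proxy(ip) else "direct client")
```

When a flagged address falls in a Cloudflare range, the origin is logging the proxy edge, so blocking that address at the origin does not block the sender. Cloudflare passes the visitor's address to the origin in the CF-Connecting-IP request header.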