Banning domain at server level

Hello,

Recently I found out that a website I used to host never changed the name servers so they are still pointing at my server. The only reason I noticed recently is because this domain is now being used to attack my server. I am getting many, many thousands of requests from this domain every day.

I know I can block a domain using .htaccess at the site level, but I am not sure how to do it at the server level, especially when it is due to the name servers.

I have contacted the owner and the domain registrar to change the name servers but I am getting no reply and it has been 3 or 4 days.

Does anyone know how I can go about stopping this? I have been banning the ip addresses but there are too many to ban all of them.

Thanks,
Rich
If these attacks are coming to a non-standard port, try blocking or filtering that port in your firewall. You might also want to look into different types of DoS protection. For my servers, CSF is free and has good server-level attack protection by limiting the number of connections from each IP, but it takes some time to learn how to configure it.
There is not much you can do on your end when there are thousands of web browsers in the world saying "we believe there is a website with this domain name on this IP", except to change the IP of your other sites (and stop listening on the current IP) if there is a real performance issue.

However, why would you want to do that if there is real traffic coming in? Why not redirect it to one of your existing sites, and hopefully it might convert into something useful. Why not even forward it to a parked page for ad clicks?
If you're on Linux -

set up fail2ban to catch requests automatically
then use iptables to set up permanent bans for the problem IPs

There's an ISP in the Netherlands that was the source for a hundred or more crawlers when I set up a new server - doing the above has almost completely kept them away.
fail2ban is not going to help. OP is basically complaining about getting free traffic from all random IPs due to a website that used to be hosted on that IP. I wish I had the same problem :)
fail2ban is not going to help. OP is basically complaining about getting free traffic from all random IPs due to a website that used to be hosted on that IP. I wish I had the same problem :)

I saw "attack" and focused in on that - so much for multitasking.

I don't think you're going to be able to do anything about it at the server level (OS, pre-Apache) since it's a request for a web site - Apache will need to see the destination first to do the block. Maybe mod_rewrite and bounce them somewhere else - if it's thousands, not tens of thousands, Apache shouldn't have a problem with that while you wait for the DNS situation to be resolved.
I disagree with those saying there is no solution. My servers have firewall level and web server level DoS protection. That means two layers of safety. They can limit the number of concurrent connections per IP and they can limit the overall number of connections to the server. Additionally, a competent ISP can put basic flood protection in the router or switch that a server is connected to.
I disagree with those saying there is no solution. My servers have firewall level and web server level DoS protection. That means two layers of safety. They can limit the number of concurrent connections per IP and they can limit the overall number of connections to the server. Additionally, a competent ISP can put basic flood protection in the router or switch that a server is connected to.

You seem to be making the same mistake I did - it's not an attack by IP address, it's users looking for the wrong site, so blocking by incoming IP wouldn't be the solution.

He could set up a firewall / proxy server and have everything go through that, blocking all incoming traffic to that web address. But this seems like a lot of work for something that will be fixed once the nameserver situation is resolved - if the company handling the DNS is in the US they may be at a lower staffing level due to the holiday weekend.
Read the OP's post. These are legit requests for a site that is not hosted there anymore. No firewall/DoS protection will help if DNS is misconfigured.
Read the OP's post. These are legit requests for a site that is not hosted there anymore. No firewall/DoS protection will help if DNS is misconfigured.

He could use a reverse Squid proxy.

All this depends on the type of server / OS and what level of access he has at the server end.

The best solution is to get the DNS host to fix their records. If it was me, I'd expect any server would be able to handle a few thousand additional requests each day if I did nothing more than set up a blank web page.
You seem to be making the same mistake I did - it's not an attack by IP address, it's users looking for the wrong site, so blocking by incoming IP wouldn't be the solution.

I'll elaborate. I'm not suggesting blocking by incoming IP. DoS protection checks the activity of each IP and limits them when rules are triggered based on certain behavior (i.e. an excessive number of connections within a specified time interval). So, if there are multiple IP addresses each making an inappropriate number of connections, then csf used on iptables would solve the problem.

If the IP addresses are each making a small number of connections and won't individually trigger the DoS protection, then using CloudLinux will contain requests for that domain and limit the amount of system resources allowed for it. This strategy would involve creating a hosting account for the domain and squeezing it into some tight CloudLinux restrictions. The hosting account could also include a .htaccess file which redirects all requests for that domain to somewhere away from the server.

If the attack is coming to a non-standard port, that port can be blocked.
I'll elaborate. I'm not suggesting blocking by incoming IP. DoS protection checks the activity of each IP and limits them when rules are triggered based on certain behavior (i.e. an excessive number of connections within a specified time interval). So, if there are multiple IP addresses each making an inappropriate number of connections, then csf used on iptables would solve the problem.

If the IP addresses are each making a small number of connections and won't individually trigger the DoS protection, then using CloudLinux will contain requests for that domain and limit the amount of system resources allowed for it. This strategy would involve creating a hosting account for the domain and squeezing it into some tight CloudLinux restrictions. The hosting account could also include a .htaccess file which redirects all requests for that domain to somewhere away from the server.

If the attack is coming to a non-standard port, that port can be blocked.

But his problem seems to be that it's normal web traffic - people getting referred to a site, so unless he sets up a reverse Squid proxy or something else that can determine a target by requested host name, it still has to do what I said earlier - get to the web server, which identifies the intended URL and performs some sort of action - redirection, restricted resources, blank page, whatever.

All of this is sort of a pointless debate between everyone else because I haven't seen what he's running, precisely what 'thousands' means, and what kind of web server is getting bogged down by 'thousands' of simple misdirected site requests per day.

The only course of action I'd take other than a simple redirect to random YouTube cat videos would be to both contact the DNS provider myself and have the registered IP / netblock owner contact them and say "stop sending traffic here - the site doesn't exist". Then again, the last time I had a server that might have trouble with a few thousand extra site requests was when I was running an old 486 DX4-100 over an ISDN line.
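The posts above disagree on whether per-IP connection limits (csf) or a Host-header-based catch-all is the right tool; the answer depends on how the stale-domain requests are spread across client IPs. This added example, not code from any poster in this thread, parses Apache "vhost_combined" access-log lines (constructed sample lines; every hostname and address is made up) and reports how much of the stale domain's traffic a per-IP threshold would actually catch.

```python
"""Parse Apache vhost_combined log lines and size up stale-domain traffic.

Assumed format: %v:%p %h %l %u %t "%r" %>s %O. Tells whether stale-domain
traffic is concentrated in a few IPs (a per-IP threshold such as csf's
CT_LIMIT would catch it) or spread thinly (only a Host-header catch-all helps).
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines; hostnames and addresses are made up.
SAMPLE_LOG = """\
old-site.example:80 203.0.113.5 - - [10/Jan/2014:10:00:01 +0000] "GET / HTTP/1.1" 404 196
old-site.example:80 203.0.113.5 - - [10/Jan/2014:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 196
old-site.example:80 203.0.113.5 - - [10/Jan/2014:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 404 196
old-site.example:80 198.51.100.7 - - [10/Jan/2014:10:00:04 +0000] "GET / HTTP/1.1" 404 196
old-site.example:80 198.51.100.8 - - [10/Jan/2014:10:00:05 +0000] "GET / HTTP/1.1" 404 196
mysite.example:80 198.51.100.9 - - [10/Jan/2014:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 5120
this line is garbage and must be skipped
""".splitlines()

def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def hits_by_ip(lines, stale_host):
    """Requests per client IP, counting only the vhost whose DNS is stale."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["vhost"].lower() == stale_host.lower():
            counts[rec["ip"]] += 1
    return counts

def assess(lines, stale_host, per_ip_limit):
    """Share of stale-domain requests a per-IP threshold would actually stop."""
    counts = hits_by_ip(lines, stale_host)
    total = sum(counts.values())
    over = {ip: n for ip, n in counts.items() if n > per_ip_limit}
    return {
        "total": total,
        "distinct_ips": len(counts),
        "ips_over_limit": sorted(over),
        "share_caught_by_ip_limit": sum(over.values()) / total if total else 0.0,
    }
```

Call assess(SAMPLE_LOG, "old-site.example", 2) to get the summary dict; on a real server pass it the lines of your vhost_combined log and the threshold you intend to configure. A low share means most requests come from one-off IPs and only a Host-based catch-all (blank page or redirect) will do anything.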
I found the setting in csf/lfd that will limit a certain IP to X DNS requests and then block the IP for X amount of time. This example will block for 1 hour an IP that made 500 DNS requests.

Code:
LF_BIND = "500"
LF_BIND_PERM = "3600"

The LF_BIND value can be set lower in the event that each IP is only making X connections. The other DDoS protections in csf might quell some of the activity as well, given the right settings are used based on the activity of the requests.

Another possibility is using the csf.redirect file in csf to do a redirect at the firewall level instead of the web-server level. This would involve assigning a dedicated IP address to the domain and then configuring csf to redirect traffic for that IP. Let's say the dedicated IP is 1.1.1.1 and the IP to redirect to is 240.0.0.0 (which is a known unused IP). This would be the configuration syntax that would redirect traffic on port 53 (the DNS port):

Code:
1.1.1.1|53|240.0.0.0|53|tcp

As a precaution, this can be set in the BIND config under the internal view:

Code:
allow-transfer {"none";};

and this under the external view:

Code:
recursion no;

I don't recommend redirecting the web traffic for two reasons. One is that this puts strain on the firewall, DNS server and web server. Redirecting at the firewall will still allow a DNS connection for each request, but will not allow that traffic to reach the web server. The second reason is that redirecting the web traffic to another site could itself be considered an attack.