Support #8576

wt application using wthttpd that is currently suffering a DDOS attack

Added by Adrian McElligott 6 months ago. Updated 6 months ago.

Status: New
Priority: Urgent
Assignee: -
Target version: -
Start date: 05/23/2021
Due date:
% Done: 0%
Estimated time:

Description

I have a Wt application using wthttpd that is currently suffering a DDOS attack running on Ubuntu 20.04 at http://gd.geobytes.com:80/GetCityDetails. (Fortunately they are not hitting the HTTPS port yet - which at the time of writing was still operating.)

netstat shows about 4000 established connections from what appears to be spoofed IP addresses, as I can't traceroute back to them. What I am hoping for is a way to force-close these connections or cause them to time out very quickly.

I have tried 2 in wt_config.xml

FYI: the Wt application only uses classes derived from Wt::WResource, and does not derive from WApplication.

Any tips on how I might be able to either configure the server to withstand this kind of attack or how I might from within the code terminate an established connection as soon as I establish that it does not have a valid payload would be greatly appreciated.

In any case, thank you for your consideration.

#1

Updated by Korneel Dumon 6 months ago

Hi Adrian,

I'm not an expert in these issues, so I may be missing something. But if you don't have WApplication, Wt should not keep open connections. The timeout parameter in wt_config.xml is related to cleanup of dead WApplications. A WResource is generally not stateful and the request will end as soon as WResource::handleRequest() is finished.

#2

Updated by Adrian McElligott 6 months ago

Thanks Korneel,

I don't think that it exists, but what would be handy is a way to force close the underlying socket. As the DDOS uses HTTP/1.1 "keep alive" to keep the connection open, they are overwhelming the server with connects to a WResource. They are not application-level connections. I wonder if anyone else has had to deal with this, and if so how they did it. My current thinking is to relocate from wthttpd to behind Apache or nginx, and then to use some kind of WAF (web application firewall) extension or plugin from there.

Thanks again for your help, I appreciate it.
Kind Regards
Adrian
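
An added example, not part of the thread and not Wt's own configuration: a minimal nginx reverse-proxy setup for the approach mentioned in comment #2, with short keep-alive and header timeouts plus per-address connection and request limits in front of wthttpd. It assumes wthttpd is rebound to 127.0.0.1:8080; the zone names, limits and timeout values are constructed for illustration and need tuning against real traffic.

```nginx
# Added example; all numeric values are illustrative assumptions.
# Assumption: wthttpd is restarted bound to loopback only, e.g.
#   --http-address 127.0.0.1 --http-port 8080
# so that clients can reach it only through nginx.

events {}

http {
    # Shared-memory zones keyed by client address (names are hypothetical).
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

    server {
        listen 80;
        server_name gd.geobytes.com;

        # Close idle keep-alive connections quickly and cap how many
        # requests a single connection may carry before it is closed.
        keepalive_timeout  5s;
        keepalive_requests 20;

        # Time out clients that connect but are slow to send a request
        # or to read the response, and reset those sockets outright.
        client_header_timeout 5s;
        client_body_timeout   5s;
        send_timeout          5s;
        reset_timedout_connection on;

        # Per-address caps on concurrent connections and request rate.
        limit_conn perip_conn 10;
        limit_req  zone=perip_req burst=20 nodelay;
        limit_conn_status 429;
        limit_req_status  429;

        # Only the resource path is forwarded to the Wt process.
        location /GetCityDetails {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        # Everything else is closed without a response (nginx code 444).
        location / {
            return 444;
        }
    }
}
```

The file can be syntax-checked with `nginx -t -c /path/to/this.conf` before it replaces a live configuration.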
