Support

Admin Tools

#22321 malicious scan

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by tampe125 on Tuesday, 24 March 2015 08:10 CDT

Monday, 23 March 2015 05:39 CDT

tonnick
Hello

I am scanned for few days now, and here are the logs from an ip for exemple :

62.210.205.92 - - [23/Mar/2015:10:11:04 +0100] "GET /index.php/en/component/acymailing/captcha.html?acyformname=formAcymailing11931&val=911 HTTP/1.0" 200 1316 "http://www.myweb.com/index.php/en/ig-in-prepared-food/gis-market-watch/use-of-gis-in-a-prepared-food/slide3.html" "Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0"
62.210.205.92 - - [23/Mar/2015:10:11:04 +0100] "GET /index.php/en/component/acymailing/captcha.html?acyformname=formAcymailing11931&val=911 HTTP/1.0" 200 1225 "http://www.myweb.com/index.php/en/ig-in-prepared-food/gis-market-watch/use-of-gis-in-a-prepared-food/slide3.html" "Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0"
62.210.205.92 - - [23/Mar/2015:10:11:05 +0100] "GET /index.php/en/component/acymailing/captcha.html?acyformname=formAcymailing11931&val=911 HTTP/1.0" 200 1333 "http://www.myweb.com/index.php/en/ig-in-prepared-food/gis-market-watch/use-of-gis-in-a-prepared-food/slide3.html" "Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0"
62.210.205.92 - - [23/Mar/2015:10:11:05 +0100] "GET /index.php/en/component/acymailing/captcha.html?acyformname=formAcymailing11931&val=911 HTTP/1.0" 200 1264 "http://www.myweb.com/index.php/en/ig-in-prepared-food/gis-market-watch/use-of-gis-in-a-prepared-food/slide3.html" "Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0"

Would it be any option to block that at WAF level - using some ddos detection maybe, or no chance ? thx !

Monday, 23 March 2015 09:39 CDT

tampe125
TL;DR: Doing that using a Joomla! extension is a very poor choice. Instead, use CloudFlare or a similar service with your site.

And now the complete explanation.

No. In fact anyone who says that implementing anti-flood features in a Joomla! extension is a good idea has either no idea what they're talking about or lying profusely (or wants to sell their software, which falls in the "lying profusely" category). I can explain why.

An anti-flood feature will block users who are trying to access many URLs on your site (let call this number X) in a very short period of time (let's call it Y). This means that the site needs to keep track of which URLs are visited by an IP for a period of time which is at least marginally larger than the time period Y. In other words, for each and every request you need to:
  • Have Apache parse its internal configuration
  • Have Apache read and parse all .htaccess files applicable to the request
  • Apache passes the execution to PHP (ideally this will be a preloaded FastCGI process, typically it needs to waste a relatively big amount of time to create a new thread / process for a mod_php instance)
  • PHP needs to load its configuration and any user configuration overrides
  • Joomla! needs to be loaded off the disk and boot up
  • All Joomla! plugins have to run
  • We need to wait for MySQL to insert a record of the IP/URL pair of this visit
  • We need to wait for MySQL to return the number of IP or IP/URL instances recorded the last Y amount of time and then compare it with X
  • If it's larger than X we need to raise an exception which will be caught by Joomla!
  • Joomla! needs to load its error template, parse it into HTML and return it to Apache
  • Apache needs to push this data back to the browser


This takes a monumental amount of time, CPU, disk I/O and memory resources. The easiest way for someone to kill your site is having a few dozen computers all trying to visit the same URL 0.5 seconds apart. In other words: an anti-flood feature implemented in a Joomla! extension acts as a Denial of Service amplification vector.

Instead, what you need is something which sites BEFORE Apache and ideally before your server itself. This is why instead of implementing a bad feature which has the exact opposite effect than what you need we suggest using CloudFlare (or a similar service) instead.

CloudFlare is a CDN which sits between your users and your server. When it detects abnormal behaviour it will catch the requests, block them (with an explanatory message) and NOT forward the request to your server. This means that the real problem makers no longer have the opportunity to attack your server because they're caught in the CloudFlare net. This protection is only possible because CloudFlare is a third party service running outside your server. There is no way anyone can provide this kind of protection with software running on your server, especially with PHP-based software.

Davide Tampellini

Tuesday, 24 March 2015 07:06 CDT

tonnick
Hello Davide

yes you're right. I installed already fail2ban, but I cannot make it work properly against ddos.

I will have a look on cloudflare. thx for your complete explanation.

Tuesday, 24 March 2015 08:10 CDT

tampe125
You're welcome!

Davide Tampellini

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!