Home Data Center Series 2024.12.25 Attack Brief: The Largest DDoS Attack Record So Far

Attack Scale

From 3 to 6 a.m. today the blog took a wave of DDoS attacks, the largest on record so far, so it is worth writing down:

Number of attack requests: [screenshot]

Attack bandwidth: [screenshot]

Number of attackers: [screenshot]

Attacker source: [screenshot]

The top 3 source IP addresses and the number of attack requests each of them initiated this time: [screenshot]

Attack Types

This attack hit the path "/wp-admin/admin-ajax.php" directly, which is painful for me, because the comment function of this WordPress site relies on AJAX calls to that path, so I cannot simply block it (otherwise nobody can comment). The previous attacks on my blog's admin-ajax.php were mostly indirect: they triggered AJAX calls through TranslatePress (see the article "Home Data Center Series: Cracking the WordPress AJAX Protection Problem: Using Cloudflare Tunnel to 'divide' normal website access and attack traffic"), and I have since blocked that path. This time the attack was direct, and most of it was blocked by Cloudflare:

[screenshot]

However, many requests still stayed below the global rate limit and made it into the intranet. Those were filtered by the intranet WAF:

[screenshot]

[screenshot]

Even so, some requests still reached the origin server, because the rate limit I had set for admin-ajax.php was too lenient:

[screenshot]

It seems I can no longer afford to leave openings like this.
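To make the "too lenient" point concrete, here is an added example (my own illustration, not the blog author's setup and not a Cloudflare or WAF rule) that replays constructed access-log lines through a per-IP sliding-window limiter scoped to admin-ajax.php. The log format, the two thresholds compared (100 versus 10 requests per 60 seconds) and the IP addresses are assumptions made up for the demonstration. The point it shows is that a limit tight enough to stop a burst on this one path still lets a normal commenter's handful of AJAX calls through, so the endpoint does not have to be blocked outright.

```python
"""Replay access-log lines through a per-IP sliding-window rate limiter
for /wp-admin/admin-ajax.php.

Hypothetical example added for illustration; it is not the blog's own
setup or any Cloudflare/WAF configuration. The log format, IP addresses
and thresholds are all constructed for the demonstration.
"""
from collections import defaultdict, deque

AJAX_PATH = "/wp-admin/admin-ajax.php"


def parse_line(line):
    """Parse a constructed log line: '<epoch_seconds> <ip> <method> <path> <status>'.

    Returns None for lines that do not fit, so junk in the log is skipped
    rather than crashing the replay.
    """
    parts = line.split()
    if len(parts) != 5 or not parts[0].isdigit() or not parts[4].isdigit():
        return None
    return {"ts": int(parts[0]), "ip": parts[1], "method": parts[2],
            "path": parts[3], "status": int(parts[4])}


class SlidingWindowLimiter:
    """Allow at most `limit` accepted requests per key in any `window` seconds.

    Rejected requests are not recorded, so a client that keeps hammering is
    let back in only when its earlier accepted requests age out of the window.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.accepted = defaultdict(deque)  # key -> timestamps of accepted requests

    def allow(self, key, now):
        q = self.accepted[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def replay(lines, limit, window):
    """Feed log lines through the limiter; returns (passed, blocked) per-IP counts.

    Only requests for AJAX_PATH are rate-limited; everything else is ignored,
    mirroring a rule scoped to that one path so normal page views are untouched.
    """
    limiter = SlidingWindowLimiter(limit, window)
    passed, blocked = defaultdict(int), defaultdict(int)
    records = [r for r in map(parse_line, lines) if r and r["path"] == AJAX_PATH]
    for rec in sorted(records, key=lambda r: r["ts"]):  # replay in time order
        if limiter.allow(rec["ip"], rec["ts"]):
            passed[rec["ip"]] += 1   # would reach the origin
        else:
            blocked[rec["ip"]] += 1  # would get a 429 from the limiter
    return dict(passed), dict(blocked)


def top_sources(counts, n=3):
    """Top-n (ip, count) pairs, highest count first; ties broken by IP."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def make_line(ts, ip, path, method="POST", status=200):
    return f"{ts} {ip} {method} {path} {status}"


# Constructed sample traffic (RFC 5737 documentation addresses, not real attackers):
#  - 203.0.113.7 fires 60 POSTs at admin-ajax.php, six per second for ten seconds
#  - 198.51.100.9 fires 20 POSTs, one per second
#  - 192.0.2.5 is a real commenter: three AJAX calls a few tens of seconds apart
SAMPLE_LOG = (
    [make_line(100 + i // 6, "203.0.113.7", AJAX_PATH) for i in range(60)]
    + [make_line(100 + i, "198.51.100.9", AJAX_PATH) for i in range(20)]
    + [make_line(t, "192.0.2.5", AJAX_PATH) for t in (100, 130, 170)]
    + [make_line(100, "192.0.2.5", "/", method="GET")]  # a page view, not rate-limited
    + ["this line is garbage and must be skipped"]
)

if __name__ == "__main__":
    for limit in (100, 10):
        passed, blocked = replay(SAMPLE_LOG, limit=limit, window=60)
        print(f"limit={limit}/60s  reached origin={sum(passed.values())}"
              f"  blocked={sum(blocked.values())}  top={top_sources(passed)}")
```

With the lenient limit all 83 AJAX requests reach the origin; with the strict one the two bursting sources are each cut to 10 while the commenter's three calls are untouched. In practice the limit belongs at the edge (a Cloudflare rate-limiting rule or the intranet WAF) rather than in the application, but the counting logic is the same, and the `blocked` counter is exactly the traffic the origin never sees.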


The "attack request count" and "attack bandwidth" shown above both refer to uncached requests and uncached bandwidth, which raises a question: why does Cloudflare's dashboard show only 18.29k uncached requests while my intranet WAF logged nearly 2 million? I can think of the following reasons:

  • Cloudflare excludes requests it blocked (WAF rules, rate limiting, DDoS protection and so on) from "uncached requests".
  • Attack tools may hit the same resource (such as admin-ajax.php) repeatedly, producing duplicate connections: the attacker sends a request, gets a 429 or another restricted response, and the tool retries automatically. The origin side records every attempt, while Cloudflare counts only the initial request.

Such details are not that important.


Side note 1: The statistics you can see with a Cloudflare Free account are too few, which is quite annoying.

Side note 2: The free intranet WAF still has too few functions. I previously removed the load balancing behind the WAF because I felt it was a waste of resources, but now it seems it is still necessary to add it back.

Side note 3: This time my blog did have a problem, which forced me to spend one second restarting the WordPress Docker container. I am an honest person and will not deny it, but it really does not take much skill.

The content of this blog is original. Please credit the source when reposting. For more articles, see the Sitemap. The blog's RSS feed is https://blog.tangwudi.com/feed, subscriptions are welcome; if needed, you can join the Telegram group to discuss problems together.

Comments

  1. Windows Edge 131.0.0.0, 2024-12-26 9:15:32

     Cloudflare is pretty powerful. If you switch to a domestic CDN, you can get a bill in minutes.

     • Yawata (Owner), Macintosh Chrome 131.0.0.0, 2024-12-26 16:15:52

       Yes, going by Tencent Cloud CDN's price of 20 yuan per 100 GB, that would be 1,000.
