Support #8576
open
wt application using wthttpd that is currently suffering a DDOS attack
Description
I have a wt application using wthttpd that is currently suffering a DDOS attack running on ubuntu 20.04 at http://gd.geobytes.com:80/GetCityDetails (Fortunately they are not hitting the HTTPS port yet - which at the time of writing was still operating.)
netstat shows about 4000 established connections from what appears to be spoofed IP Addresses as I can't traceroute back to them. What I am hoping for is a way to force-close these connections or cause them to timeout very quickly.
I have tried 2 in wt_config.xml
FYI: the wt application only uses classes derived from Wt::WResource, and does not derive from WApplication.
Any tips on how I might be able to either configure the server to withstand this kind of attack or how I might from within the code terminate an established connection as soon as I establish that it does not have a valid payload would be greatly appreciated.
In any case, thank you for your consideration.
Updated by Korneel Dumon almost 3 years ago
Hi Adrian,
I'm not an expert in these issues, so I may be missing something. But if you don't have WApplication, Wt should not keep open connections. The timeout parameter in wt_config.xml is related to cleanup of dead WApplications. A WResource is generally not stateful and the request will end as soon as WResource::handleRequest() is finished.
Updated by Adrian McElligott almost 3 years ago
Thanks Korneel,
I don't think that it exists, but what would be handy is a way to force close the underlying socket. As the DDOS uses HTTP/1.1 "keep alive" to keep the connection open, they are overwhelming the server with connects to a WResource. They are not application-level connections. I wonder if anyone else has had to deal with this, and if so how they did it. My current thinking is to relocate from wthttpd to behind apache or nginx, and then to use some kind of WAF (web application firewall) extension or plugin from there.
Thanks again for your help, I appreciate it.
Kind Regards
Adrian
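
As an added example (not from the thread or the Wt project), an nginx front end for the relocation discussed in the last post, bounding how long keep-alive connections are held and how many connections and requests one client address may have. It assumes wthttpd has been rebound to 127.0.0.1:8080, and the numeric limits are starting values to tune against normal traffic.

```nginx
# Added example: nginx as a reverse proxy in front of wthttpd.
# Assumption: wthttpd now listens on 127.0.0.1:8080 instead of port 80.

events {
    worker_connections 8192;
}

http {
    # Shared-memory state keyed by client address for the limits below.
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=20r/s;

    # Close connections that are slow to send a request or to read the reply.
    client_header_timeout 5s;
    client_body_timeout   5s;
    send_timeout          5s;

    # Bound idle keep-alive time and the number of requests per connection.
    keepalive_timeout  5s;
    keepalive_requests 50;

    # Send RST on timed-out requests so the socket is freed at once
    # (idle keep-alive connections that expire are still closed normally).
    reset_timedout_connection on;

    upstream wt_backend {
        server 127.0.0.1:8080;   # assumed wthttpd address
        keepalive 16;            # small pool of reused backend connections
    }

    server {
        listen 80;
        server_name gd.geobytes.com;

        limit_conn per_ip_conn 10;                    # concurrent connections per address
        limit_req  zone=per_ip_req burst=40 nodelay;  # request rate per address
        limit_conn_status 429;
        limit_req_status  429;

        location / {
            proxy_http_version 1.1;
            proxy_set_header Connection "";   # required for upstream keep-alive
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://wt_backend;
        }
    }
}
```

With this in place the client-facing sockets are owned by nginx, so the idle and slow connections seen in netstat are closed by its timeouts rather than held by wthttpd.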