rict
New Member
August 27, 2015
Question

Typhoeus filter?


We have a collection of web servers that are getting "blasted" by traffic by Typhoeus spiders. When I say "blasted", I mean over 1,500 requests/minute. The web admin was able to get the IP addresses for the sources, but they are all Amazon AWS addresses, which means we're only seeing the Amazon address, not the root/source address.
Of course, Amazon is no help, since they respond that "Amazon EC2 Public IP addresses may change ownership frequently, without additional information we will be unable to identify the correct owner of the IP address for the period of time in question". We've given them all kinds of log info, and modified the Apache servers to reject these requests, but we'd like to create a filter of some kind on the firewall itself.
Here's an example of some info from the request log:

"GET /en/util/conflict-of-interest.html HTTP/1.1" 403 - "-" "Typhoeus - https://github.com/typhoeus/typhoeus" 227 -
I'm not a FortiGate expert of any kind... does anyone know if there's a current Typhoeus filter of some kind available, or failing that, if a filter for this can be created?
rict

    5 replies

    xinger
    New Member
    August 28, 2015

    I'm no expert either. Here's a manual for do-it-yourself...

    http://video.fortinet.com/uploads/documents/IPS%20Signature%20Syntax%20Guide.pdf
    Or options for having Fortinet to do it for you...

    http://www.fortiguard.com/more/fortiguardpremier
    I don't have experience with either way. Good luck.
    emnoc
    New Member
    August 28, 2015

    I have to agree; writing a simple IPS filter with a ban action and expiration is what I would do.

    Here's a few examples:

    http://socpuppet.blogspot...es-fortinet-style.html
    http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/ips_signatures.153.44.html
    http://socpuppet.blogspot.nl/2014/08/how-to-write-ips-signature-to-block.html
    Since the sources are many and from AWS, you could maybe narrow it down to those ranges, but it's interesting as to why your web services are being hit, and from only AWS addresses?
    gschmitt
    New Member
    August 28, 2015

    rict wrote:

    "Amazon EC2 Public IP addresses may change ownership frequently, without additional information we will be unable to identify the correct owner of the IP address for the period of time in question".

    WTF? Is that even legal?

    emnoc
    New Member
    August 28, 2015

    And what would you do differently if you knew who the owner was ?
    Regardless of the owner information, he has a small HTTP_GET flood taking place. His best bet is to mitigate before nailing up a front-end DDoS proxy-mitigator service, and to write an IPS rule that bans and BLs the src_ipv4 address for a controlled amount of time, and hope the attack sources, which could just be infected, die down and go away.
    ken

    ede_pfau
    SuperUser
    August 28, 2015

    Why not keep it simple and create a flood DoS policy? Easy if you're using v5.2.x. Type would be "TCP flood" which is not very specific, i.e. not HTTP specific. But at that rate you would catch that source IP anyway. Then action=block, not even quarantine.
    Regarding Fortinet support, we've had posts here in the forums where Fortinet support wrote an ad-hoc IPS filter for a customer. As I understood at that time, within the limits of a support case. Would be worth a try if the above doesn't work for you.
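One way to build the header filter that emnoc's "ban with expiration" reply and the IPS signature guides linked above describe, as an added example that is not from any poster in this thread and has not been tested against a specific FortiOS build: a custom IPS signature that matches the Typhoeus User-Agent string seen in the log line in the question, placed in a sensor entry that blocks the packet and quarantines the source for a limited time. The signature name, sensor name, entry id and policy id are assumptions; the quarantine-expiry format and the way the read-only rule-id is displayed vary by FortiOS version and are assumed here to follow the 5.2-style CLI.

```text
# Custom IPS signature (name is our choice): match "User-Agent: Typhoeus" in the
# HTTP request header, client-to-server direction only, case-insensitive.
config ips custom
    edit "Typhoeus.Spider.UA"
        set signature "F-SBID( --name \"Typhoeus.Spider.UA\"; --protocol tcp; --service HTTP; --flow from_client; --pattern \"User-Agent: Typhoeus\"; --context header; --no_case; )"
        set comment "Blocks Typhoeus spider traffic by User-Agent header"
    next
end

# FortiOS assigns the custom signature a read-only rule-id; the sensor entry
# below refers to it by that number (assumed to be shown by 'get' in the edit scope).
config ips custom
    edit "Typhoeus.Spider.UA"
        get
    next
end

# IPS sensor (name and entry id assumed): block the matching request and
# quarantine the attacking source for a controlled time, then let it expire
# so rotating AWS addresses are not banned forever.
config ips sensor
    edit "block-typhoeus"
        config entries
            edit 1
                set rule <RULE_ID_FROM_GET_ABOVE>
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 5m
                set quarantine-log enable
            next
        end
    next
end

# Attach the sensor to the policy that fronts the web servers (policy id assumed).
config firewall policy
    edit <WEB_POLICY_ID>
        set utm-status enable
        set ips-sensor "block-typhoeus"
    next
end
```

Matching on "User-Agent: Typhoeus" rather than the bare word keeps a Referer or URI that happens to contain the project name from triggering the ban; watch the IPS log for the first few hits to confirm only the spider sources are being quarantined.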