I've had some DDoS issues - specifically the XML-RPC exploit (WordPress) wherein thousands on thousands of WordPress instances attack my machine.

I have the following in my nginx server block:

    if ($http_user_agent ~ WordPress) { return 444; }

While it does terminate all of the WordPress connections, it still overloads the CPU.

Here are my server specs:

Ubuntu 16.04 LTS - E3-1230v5, 16G DDR4, and an SSD.

I would've assumed that it would be able to handle far more, but that doesn't appear to be the case. I have attempted to block the WordPress user agent automatically using fail2ban, but all that appeared to do is create a few thousand iptables rules and no end in sight.

Is there a more performant way to block this attack? Thanks.

Jenny D
night

1 Answer

Is Nginx overloading your CPU? Then you're the target of a sizeable DDoS attack. (Here's a nice explanation of the XML-RPC reflection attack with WordPress.)

I don't think you'll get a better result than what you've already done just with Nginx.

You can try using something like CloudFlare. Keep in mind, though, that you should change your IP to hide behind CloudFlare (if your attacker knows your IP, he/she can still circumvent CloudFlare by sending requests to your IP).

Pablo M
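
To size the attack described in the question before choosing where to block it, the following added example (not code from either poster) summarizes an nginx access log: how many requests carried a WordPress User-Agent, how many distinct source addresses and networks sent them (the number of per-IP rules fail2ban would need), and which host the reflecting sites name as the pingback requester. It assumes the default nginx "combined" log format and a User-Agent of the form `WordPress/<version>; <site URL>; verifying pingback from <IP>`; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed User-Agent suffix naming the host that asked for the pingback.
ORIGIN_RE = re.compile(r"verifying pingback from (\S+)")

def network_of(ip):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def summarize(lines):
    """Count WordPress-UA requests, their distinct sources, and claimed requesters."""
    sources, origins = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or "WordPress" not in m["ua"]:
            continue  # unparsable line or ordinary client
        sources[m["ip"]] += 1
        origin = ORIGIN_RE.search(m["ua"])
        if origin:
            origins[origin.group(1)] += 1
    return {
        "hits": sum(sources.values()),
        "distinct_sources": len(sources),
        "distinct_networks": len({network_of(ip) for ip in sources}),
        "requesters": origins.most_common(),
    }

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = """\
192.0.2.10 - - [10/Oct/2016:13:55:36 +0000] "GET / HTTP/1.0" 444 0 "-" "WordPress/4.5.3; http://blog-a.example; verifying pingback from 203.0.113.7"
192.0.2.11 - - [10/Oct/2016:13:55:36 +0000] "GET / HTTP/1.0" 444 0 "-" "WordPress/4.4; http://blog-b.example; verifying pingback from 203.0.113.7"
198.51.100.5 - - [10/Oct/2016:13:55:37 +0000] "GET / HTTP/1.0" 444 0 "-" "WordPress/3.8; http://blog-c.example"
192.0.2.10 - - [10/Oct/2016:13:55:37 +0000] "GET / HTTP/1.0" 444 0 "-" "WordPress/4.5.3; http://blog-a.example; verifying pingback from 203.0.113.7"
198.51.100.9 - - [10/Oct/2016:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A high `distinct_sources` count relative to `hits` is what makes per-address banning produce thousands of rules, as the question reports.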