HELLO WORLD,

 

If you’re reading this, chances are you’ve heard about Pushdo already. For the (lucky) rest of you: if your site starts using an incredible amount of CPU resources and bandwidth, possibly resulting in your hosting provider suspending your website or your web server becoming unusable, chances are you’re the victim of a Pushdo attack (which of course is what is happening to this website as we speak). Without getting too technical, your site is under a DDoS attack, and the Apache log files will look like this:

 

113.169.147.58 - - [11/Nov/2014:07:00:00 -0800] "POST /tabbles.net/ HTTP/1.1" 403 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
187.194.130.108 - - [11/Nov/2014:07:00:00 -0800] "POST /tabbles.net/ HTTP/1.1" 403 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
223.207.169.183 - - [11/Nov/2014:07:00:00 -0800] "POST /tabbles.net/ HTTP/1.1" 403 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
212.156.210.13 - - [11/Nov/2014:07:00:00 -0800] "POST /tabbles.net/ HTTP/1.1" 403 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.114.99.252 - - [11/Nov/2014:07:00:00 -0800] "POST /tabbles.net/ HTTP/1.1" 403 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
91.238.202.254 - - [11/Nov/2014:07:00:00 -0800] "POST /tabbles.net/ HTTP/1.1" 403 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

 

Basically, it is a flood of POST requests, all with the “MSIE 6.0” user agent and coming from thousands (or hundreds of thousands) of different IP addresses. What do you do? IP filtering? Not a chance. Caching/enhancing/making your site faster? Well, if you’re running your website on a dedicated Watson supercomputer, you may give it a try – else, not a chance. What did we do to help the situation and mitigate the attack?

 

1) A 403 redirect in the .htaccess for users on the MSIE 6.0 Agent: I created a file called pushdo.html in the root and added these lines to the .htaccess:

# BEGIN antipushdo
# Return 403 Forbidden to any request whose User-Agent contains "compatible; MSIE 6.0"
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "compatible; MSIE 6\.0"
RewriteRule .* - [F,L]
# END antipushdo

The drawback is that people using Internet Explorer 6.0 won’t be able to see your website – which shouldn’t be a cause of much concern to most of you out there.

 

2) Use Cloudflare: this service looked to me like some kind of alchemy, as I still can’t really figure out how it works… but I don’t really care, as it works just fine 🙂 In order to set up your site for it, you’ll need to have your DNS records point at Cloudflare (instead of at your hosting provider). Basically what Cloudflare does (as far as I understand!) is create cached mirrors of your website on several servers, geographically far away from each other. Then it redirects the traffic coming to your website onto its different servers, effectively splitting the traffic and the Apache workload… just like magic 🙂

 

So far, it seems the issue has been minimized… but I still say an extra prayer about it every night.
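
The flood pattern described above (identical POST requests with the MSIE 6.0 user agent arriving from many different addresses) can be picked out of an Apache access log by grouping requests per minute and counting distinct source addresses. The following is an added example, not part of the original post; the function name `find_floods`, the `min_sources` threshold and the sample log lines (documentation address ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the format of the lines quoted in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def find_floods(lines, min_sources=3):
    """Return (minute, method, path, user agent, requests, distinct IPs) for
    every one-minute bucket in which one method/path/user-agent combination
    arrives from at least min_sources different addresses."""
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        minute = m["ts"][:17]  # "11/Nov/2014:07:00", seconds and zone dropped
        key = (minute, m["method"], m["path"], m["ua"])
        buckets[key][0] += 1
        buckets[key][1].add(m["ip"])
    findings = [k + (n, len(ips)) for k, (n, ips) in buckets.items()
                if len(ips) >= min_sources]
    # Widest spread of source addresses first.
    return sorted(findings, key=lambda f: f[-1], reverse=True)

UA_BOT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
UA_OK = "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"
# Constructed sample: five flood requests, one ordinary visitor, one real
# IE 6 visitor (which the .htaccess rule would also block), one broken line.
SAMPLE = [
    f'192.0.2.{i} - - [11/Nov/2014:07:00:0{i} -0800] '
    f'"POST /tabbles.net/ HTTP/1.1" 403 223 "-" "{UA_BOT}"'
    for i in range(1, 6)
] + [
    f'198.51.100.7 - - [11/Nov/2014:07:00:10 -0800] '
    f'"GET /index.html HTTP/1.1" 200 5120 "-" "{UA_OK}"',
    f'203.0.113.9 - - [11/Nov/2014:07:00:12 -0800] '
    f'"GET /index.html HTTP/1.1" 403 223 "-" "{UA_BOT}"',
    'truncated or garbled line',
]

if __name__ == "__main__":
    for minute, method, path, ua, requests, sources in find_floods(SAMPLE):
        print(f"{minute} {method} {path}: {requests} requests, {sources} IPs, UA={ua}")
```

On a real log, raise `min_sources` well above what a single popular page receives per minute; the single IE 6 visitor in the sample is not flagged as a flood even though the user-agent rule denies it.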