Miscellaneous

DDoS

View Date	Last View Date	First View Date	Score	N	Page Id N	Ip Start	Ip Address 1	Ip Address 2	Ip Address N	Agent	Agent N
2025-05-07	2025-05-07 15:44:09	2025-05-07 15:23:30	0.0	132	56	92.49.	92.49.*.*	92.49.*.*	1	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0	1
2025-05-06	2025-05-06 11:17:33	2025-05-06 04:18:30	0.0	149	57	194.44.	194.44.*.*	194.44.*.*	1	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36	1
2025-05-05	2025-05-05 22:25:20	2025-05-05 05:06:03	2.0	133	49	162.120.	162.120.*.*	162.120.*.*	14	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36	3
2025-05-02	2025-05-02 23:08:51	2025-05-02 02:49:00	2.0	350	95	162.120.	162.120.*.*	162.120.*.*	14	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36	5
2025-04-30	2025-04-30 20:31:21	2025-04-30 04:21:35	2.0	100	38	162.120.	162.120.*.*	162.120.*.*	16	Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36	3
2025-04-30	2025-04-30 18:40:48	2025-04-30 02:02:18	2.0	107	33	193.186.	193.186.*.*	193.186.*.*	19	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36	6
2025-04-28	2025-04-28 02:21:23	2025-04-28 02:20:18	2.0	143	1	82.23.	82.23.*.*	82.23.*.*	1	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36	13
2025-04-25	2025-04-25 23:16:02	2025-04-25 06:45:38	1.0	121	53	176.123.	176.123.*.*	176.123.*.*	2	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36	1
2025-04-25	2025-04-25 16:14:07	2025-04-25 08:23:19	0.0	130	54	2.86.	2.86.*.*	2.86.*.*	1	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0	1
2025-04-25	2025-04-25 11:14:32	2025-04-25 10:20:14	2.0	1112	3	81.19.	81.19.*.*	81.19.*.*	1	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36	13

1 - 10 of 10

DDoS attacks (or Brute Force attacks or other bot-related behavior that amounts to the same thing) are becoming a bit of a problem for my server.
Thousands of requests per hour are too much for my modest setup, so I had to take some measures.
So I created a query to find suspicious IP addresses and/or User Agents using apex_workspace_activity_log. See the code below - I hid the complete IP addresses for privacy reasons.
If I identify an attack, I can add a "rewrite rule" to Apache (on my proxy server) to block an IP range or User Agent. More info on that here and here.

This is not ideal of course. A problem has to arise first, before I can act. But it's better than doing nothing.
I should look into other measures like Mod_evasive, Mod_security, Fail2ban, etc., but for now this sort of works.

Update May 2023:
Things were getting out of hand, so I installed ModSecurity on my Apache reverse proxy server (Apache 2.4 on AlmaLinux 8).
That turned out to be quite simple (after a few hours of trying all sorts of cookbooks that did not work...). Here's what I did:

dnf -y update
dnf -y install mod_security
dnf -y install mod_security_crs
systemctl restart httpd

You will need to deactivate ModSecurity from any machine/subnet that is allowed to use Apex Builder. Otherwise saving anything in the Apex Builder will result in a 403 error.
In my case I need to do this for IP 192.168.2.254, which is my internal router address.

vi /etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf
# add this line:
SecRule REMOTE_ADDR "^192.168.2.254" id:1,phase:1,nolog,allow,ctl:ruleEngine=Off

You can check the log here:

tail -f /var/log/httpd/modsec_audit.log

And to check if it all works, perform an "illegal" request:

curl -d "id=1 AND 1=1" https://tedstruik-oracle.nl/ords/f?p=25384

which should return:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

Page

Identification
	Page ID	1162
	Name	Miscellaneous - DDoS
	Page Alias	MISCELLANEOUS-DDOS

Region

Identification
	Sequence	10
	Title	DDoS
	Type	Interactive Report
Source
	Source Type	Interactive Report
	Region Source	select t.view_date ,t.last_view_date ,t.first_view_date ,t.n ,t.page_id_n ,t.ip_start ,substr(t.ip_address_1, 1, instr(t.ip_address_1,'.',1,2)-1) \|\| '.*.' as ip_address_1 ,substr(t.ip_address_2, 1, instr(t.ip_address_2,'.',1,2)-1) \|\| '..*' as ip_address_2 ,t.ip_address_n ,t.agent ,t.agent_n ,t.pk_id ,t.bot_type ,t.ip_from ,t.ip_to ,t.info_source ,t.user_agent_regex ,t.description ,t.score from ted_p1162_v t

View

View
	Name	TED_P1162_V
	DDL	with iv_a as ( select /+materialize / a.view_date , a.apex_session_id , max(a.ip_address) over (partition by a.apex_session_id) as ip_address , a.agent , a.page_id , a.page_name , a.elapsed_time from apex_workspace_activity_log a where a.application_id = nvl(nv('APP_ID'), 25384) ) , iv_b as ( select trunc(iv_a.view_date) as view_date -- Group by Day , max(iv_a.view_date) as last_view_date , min(iv_a.view_date) as first_view_date , count() as n -- number of requests , count(distinct iv_a.page_id) as page_id_n -- number of unique requested pages , substr(iv_a.ip_address, 1, instr(iv_a.ip_address, '.', 1, 2)) as ip_start -- first 2 numbers of the IP address, useful for attacks that use an IP range , min( substr(iv_a.ip_address, 1, instr(iv_a.ip_address, ',')-1) ) as ip_address_1 -- lowest IP address within the "first 2 numbers" group , max( substr(iv_a.ip_address, 1, instr(iv_a.ip_address, ',')-1) ) as ip_address_2 -- highest IP address within the "first 2 numbers" group , count(distinct iv_a.ip_address) as ip_address_n -- number of unique IP addresses within the "first 2 numbers" group , min(iv_a.agent) as agent -- an example of a User Agent used (there may be more than 1, but if so then it is not interesting) , count(distinct iv_a.agent) as agent_n -- number of unique User Agents within the "first 2 numbers" group from iv_a group by trunc(iv_a.view_date) , substr(iv_a.ip_address, 1, instr(iv_a.ip_address, '.', 1, 2)) ) , iv_c as ( select iv_b. , bot.* -- info from my Bots table (if applicable) from iv_b left join ted_access_log_bots bot on bot.pk_id = ted_access_log.bot_pk_id(p_ip_address => iv_b.ip_address_1, p_user_agent => iv_b.agent) where iv_b.n >= 100 -- 100 seems about right for my purposes ) select iv_c.view_date , iv_c.last_view_date , iv_c.first_view_date , iv_c.n , iv_c.page_id_n , iv_c.ip_start , iv_c.ip_address_1 , iv_c.ip_address_2 , iv_c.ip_address_n , iv_c.agent , iv_c.agent_n , iv_c.pk_id , iv_c.bot_type , iv_c.ip_from , iv_c.ip_to , iv_c.info_source , iv_c.user_agent_regex , iv_c.description , ( ( case when iv_c.agent_n > 1 then 1 else 0 end ) -- normal visitors have 1 user agent + ( case when iv_c.ip_address_n > 1 then 1 else 0 end ) -- normal visitors have 1 IP address + ( case when iv_c.page_id_n = 1 then 1 else 0 end ) -- normal visitors go to more than 1 page + ( case when iv_c.n >= 1000 then 1 else 0 end ) -- normal visitors do not visit 1000 pages ) * ( case when iv_c.pk_id is not null then .2 else 1 end ) -- bots are probably OK as score -- scores >= 2 are most likely a hit from iv_c

DDoS

Report Settings

Column Actions

Info

Code

Page

Region

View