
DDoS

View Date | Last View Date | First View Date | Score, N, Page Id N | Ip Start | Ip Address 1 | Ip Address 2 | Ip Address N | Agent | Agent N | Bot Pk Id | Bot Type | Ip From | Ip To | Info Source | User Agent Regex | Description
2023-10-01 | 2023-10-01 20:23:34 | 2023-10-01 19:54:37 | 0.012855 | 88.217. | 88.217.***.*** | 88.217.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | 1
2023-09-30 | 2023-09-30 14:07:41 | 2023-09-30 13:33:56 | 0.010448 | 114.198. | 114.198.***.*** | 114.198.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | 1
2023-09-28 | 2023-09-28 12:59:37 | 2023-09-28 09:28:35 | 1.010337 | 101.50. | 101.50.***.*** | 101.50.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.43 | 2
2023-09-27 | 2023-09-27 05:09:07 | 2023-09-27 04:53:39 | 0.011948 | 119.30. | 119.30.***.*** | 119.30.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | 1
2023-09-26 | 2023-09-26 10:18:33 | 2023-09-26 09:59:07 | 0.010132 | 120.72. | 120.72.***.*** | 120.72.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 | 1
2023-09-26 | 2023-09-26 09:38:46 | 2023-09-26 04:38:13 | 0.011143 | 180.151. | 180.151.***.*** | 180.151.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 | 1
2023-09-26 | 2023-09-26 07:49:05 | 2023-09-26 06:29:18 | 0.014595 | 44.230. | 44.230.***.*** | 44.230.***.*** | 1 | TinyTestBot | 1
2023-09-26 | 2023-09-26 07:48:54 | 2023-09-26 06:29:10 | 0.012493 | 52.25. | 52.25.***.*** | 52.25.***.*** | 1 | TinyTestBot | 1
2023-09-26 | 2023-09-26 07:47:47 | 2023-09-26 06:30:55 | 0.0159105 | 100.21. | 100.21.***.*** | 100.21.***.*** | 1 | TinyTestBot | 1
2023-09-25 | 2023-09-25 11:50:12 | 2023-09-25 10:52:46 | 0.016263 | 103.251. | 103.251.***.*** | 103.251.***.*** | 1 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 | 1

Rows 1 - 10 of 17

Info

DDoS attacks (or Brute Force attacks or other bot-related behavior that amounts to the same thing) are becoming a bit of a problem for my server.
Thousands of requests per hour are too much for my modest setup, so I had to take some measures.
So I created a query to find suspicious IP addresses and/or User Agents using apex_workspace_activity_log. See the code below - I hid the complete IP addresses for privacy reasons.
If I identify an attack, I can add a "rewrite rule" to Apache (on my proxy server) to block an IP range or User Agent. More info on that here and here.

This is not ideal of course. A problem has to arise first, before I can act. But it's better than doing nothing.
I should look into other measures like Mod_evasive, Mod_security, Fail2ban, etc., but for now this sort of works.
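
A query of this kind, as an added example (not the author's own query, which is not reproduced on this page): it groups apex_workspace_activity_log by day and by the first two octets of the IP address, with aliases modelled on the report columns. The 7-day window, the 1000-request threshold, the requests_per_min column and IPv4-only addresses are assumptions.

```sql
-- Added example, not the query behind the report on this page.
-- Assumptions: IPv4 addresses, a 7-day look-back, and 1000 requests
-- per day from one /16 prefix as the cut-off for "suspicious".
select trunc(view_date)                           as view_day,
       max(view_date)                             as last_view_date,
       min(view_date)                             as first_view_date,
       count(*)                                   as n,
       count(distinct page_id)                    as page_id_n,
       -- first two octets, e.g. '203.0.' for 203.0.113.7
       regexp_substr(ip_address, '^\d+\.\d+\.')   as ip_start,
       min(ip_address)                            as ip_address_1,
       max(ip_address)                            as ip_address_2,
       count(distinct ip_address)                 as ip_address_n,
       min(agent)                                 as agent,
       count(distinct agent)                      as agent_n,
       -- average request rate over the observed window; the window is
       -- floored at one minute so a single burst does not divide by zero
       round(count(*) /
             greatest((cast(max(view_date) as date)
                     - cast(min(view_date) as date)) * 1440, 1), 1)
                                                  as requests_per_min
  from apex_workspace_activity_log
 where view_date >= sysdate - 7
 group by trunc(view_date),
          regexp_substr(ip_address, '^\d+\.\d+\.')
having count(*) >= 1000
 order by view_day desc, last_view_date desc;
```

A low page_id_n combined with a high n points at one page being hammered, while a high ip_address_n within one ip_start is the case where blocking the whole range, rather than a single address, makes sense.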

Update May 2023:
Things were getting out of hand, so I installed ModSecurity on my Apache reverse proxy server (Apache 2.4 on AlmaLinux 8).
That turned out to be quite simple (after a few hours of trying all sorts of cookbooks that did not work...). Here's what I did:
You will need to deactivate ModSecurity for any machine/subnet that is allowed to use Apex Builder. Otherwise saving anything in the Apex Builder will result in a 403 error.
In my case I need to do this for IP 192.168.2.254, which is my internal router address.
You can check the log here:
And to check if it all works, perform an "illegal" request:
which should return:
