DDoS

| View Date | Last View Date | First View Date | Score, N, Page Id N | Ip Start | Ip Address 1 | Ip Address 2 | Ip Address N | Agent | Agent N |
|---|---|---|---|---|---|---|---|---|---|
| 2023-06-04 | 2023-06-04 13:58:49 | 2023-06-04 13:22:47 | 0.011840 | 156.223. | 156.223.***.*** | 156.223.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 | 1 |
| 2023-06-03 | 2023-06-03 04:42:08 | 2023-06-03 04:19:22 | 0.035183 | 182.163. | 182.163.***.*** | 182.163.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 | 1 |
| 2023-06-02 | 2023-06-02 17:11:57 | 2023-06-02 07:40:53 | 1.01062 | 194.26. | 194.26.***.*** | 194.26.***.*** | 1 | Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.7 | 2 |
| 2023-05-31 | 2023-05-31 17:18:14 | 2023-05-31 17:01:40 | 0.011242 | 197.14. | 197.14.***.*** | 197.14.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 | 1 |
| 2023-05-30 | 2023-05-30 12:02:37 | 2023-05-30 11:55:33 | 0.016780 | 119.148. | 119.148.***.*** | 119.148.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0 | 1 |
| 2023-05-29 | 2023-05-29 20:01:43 | 2023-05-29 13:56:33 | 0.014943 | 168.194. | 168.194.***.*** | 168.194.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 | 1 |
| 2023-05-29 | 2023-05-29 19:24:47 | 2023-05-29 14:45:00 | 0.013256 | 85.192. | 85.192.***.*** | 85.192.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 YaBrowser/23.3.3.721 Yowser/2.5 Safari/537.36 | 1 |
| 2023-05-27 | 2023-05-27 02:26:05 | 2023-05-27 01:03:11 | 0.0930117 | 185.138. | 185.138.***.*** | 185.138.***.*** | 1 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/73.0 | 1 |
| 2023-05-26 | 2023-05-26 20:37:48 | 2023-05-26 19:20:22 | 0.088363 | 185.138. | 185.138.***.*** | 185.138.***.*** | 1 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/73.0 | 1 |
| 2023-05-26 | 2023-05-26 03:23:24 | 2023-05-26 02:49:52 | 0.018761 | 202.150. | 202.150.***.*** | 202.150.***.*** | 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | 1 |

The columns Bot Pk Id, Bot Type, Ip From, Ip To, Info Source, User Agent Regex and Description are empty in these rows.

Rows 1 - 10 of 15

Info

DDoS attacks (or Brute Force attacks or other bot-related behavior that amounts to the same thing) are becoming a bit of a problem for my server.
Thousands of requests per hour are too much for my modest setup, so I had to take some measures.
So I created a query to find suspicious IP addresses and/or User Agents using apex_workspace_activity_log. See the code below - I hid the complete IP addresses for privacy reasons.
If I identify an attack, I can add a "rewrite rule" to Apache (on my proxy server) to block an IP range or User Agent. More info on that here and here.
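
A query of the kind described above, as an added example (not the author's view, whose code is not shown on this page). It groups apex_workspace_activity_log by day and by the first two octets of the client IP, using column aliases that mirror the report. The 14-day window, the 1000-request threshold and the req_per_min column are assumptions; the author's Score formula is not on the page and is not reproduced.

```sql
-- Added example: candidate source ranges for blocking, one row per day and /16 prefix.
-- Assumptions: 14-day lookback, threshold of 1000 requests, req_per_min as a rough rate.
select trunc(view_date)                              as view_date,
       max(view_date)                                as last_view_date,
       min(view_date)                                as first_view_date,
       count(*)                                      as n,
       count(distinct page_id)                       as page_id_n,
       -- first two octets, e.g. '185.138.'; null for non-IPv4 values
       regexp_substr(ip_address, '^\d+\.\d+\.')      as ip_start,
       min(ip_address)                               as ip_address_1,
       max(ip_address)                               as ip_address_2,
       count(distinct ip_address)                    as ip_address_n,
       min(agent)                                    as agent,
       count(distinct agent)                         as agent_n,
       -- requests per minute over the observed window (window floored at 1 minute)
       round(count(*) /
             greatest((max(view_date) - min(view_date)) * 24 * 60, 1), 1)
                                                     as req_per_min
from   apex_workspace_activity_log
where  view_date >= sysdate - 14
and    ip_address is not null
group  by trunc(view_date),
          regexp_substr(ip_address, '^\d+\.\d+\.')
-- a prefix hammering one page with one user agent is the pattern in the report above
having count(*) >= 1000
order  by trunc(view_date) desc, count(*) desc;
```

A high n with page_id_n and agent_n close to 1 points at automated traffic; review the rows before turning an ip_start or agent value into a block rule, since a /16 prefix can also cover legitimate visitors.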

This is not ideal of course. A problem has to arise first, before I can act. But it's better than doing nothing.
I should look into other measures like mod_evasive, ModSecurity, Fail2ban, etc., but for now this sort of works.

Update May 2023:
Things were getting out of hand, so I installed ModSecurity on my Apache reverse proxy server (Apache 2.4 on AlmaLinux 8).
That turned out to be quite simple (after a few hours of trying all sorts of cookbooks that did not work...). Here's what I did:
You will need to deactivate ModSecurity for any machine/subnet that is allowed to use the APEX Builder. Otherwise, saving anything in the APEX Builder will result in a 403 error.
In my case I need to do this for IP 192.168.2.254, which is my internal router address.
You can check the log here:
And to check if it all works, perform an "illegal" request:
which should return:
