"Proxy" http attack

Discussion in 'Installation/Configuration' started by gurumelo, Apr 4, 2024.

  1. gurumelo

    gurumelo New Member

    ISPConfig 3, debian, apache...
    I set up a simple site
    from outside:
    telnet newsite.com 80
    GET http://azenv.net/ HTTP/1.1
    Host: azenv.net
    [Enter twice]

    returns response!

    How can this behavior be solved?

    Last edited: Apr 4, 2024
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You did not mention which response it returns. Because a system that you ask for a wrong hostname must return the default host, and that's likely what you got as the response. But this is neither an attack nor proxy-related nor related to ISPConfig. When an Apache or Nginx HTTP server does not find a matching vhost, it will return the first website alphabetically, also known as the default vhost. If you want to make a specific website the default vhost of your system so that Apache returns this site in the case it has no better matching site, then create a site that's first in the alphabet, e.g., by giving it a domain like "000-default.tld" as a domain name.
    gurumelo likes this.
  3. gurumelo

    gurumelo New Member

    Thanks for the clarifications!
  4. gurumelo

    gurumelo New Member

    Mr. Till,
    If you have an attack with dozens of such requests (GET url or CONNECT url) every second from different IPs, what do you think would be a good way to solve it? Like that:

    Code:
    - - [05/Apr/2024:23:59:56 +0200] "CONNECT teamrrq.com:443:443 HTTP/1.1" 400 392 "-" "-"
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    One option is to use CloudFlare; their free account should be sufficient to prevent DoS attacks. Or you can use an Apache module like mod_evasive, but CloudFlare is likely easier and more effective, as mod_evasive does not work that well for DDoS where a lot of IPs are involved.
    ahrasis and gurumelo like this.
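
Added example (not part of the original thread and not ISPConfig code): a small Python filter that picks the request patterns discussed above, CONNECT and GET with an absolute URL for a foreign host, out of Apache combined-format log lines and counts them per source IP. `SERVED_HOSTS`, the client IPs and the sample lines are constructed assumptions modelled on the thread.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hostnames this server really serves (example site from the thread).
SERVED_HOSTS = {"newsite.com", "www.newsite.com"}

# Apache combined log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return (ip, kind, status) for a proxy-style request, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":
        return m["ip"], "connect", status
    if target.lower().startswith(("http://", "https://")):
        try:
            host = (urlsplit(target).hostname or "").lower()
        except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
            host = ""
        if host not in SERVED_HOSTS:
            return m["ip"], "absolute-uri", status
    return None

def summarize(lines):
    """Count proxy-style requests per source IP; list those answered with 2xx."""
    per_ip, answered = Counter(), []
    for hit in filter(None, map(classify, lines)):
        per_ip[hit[0]] += 1
        # A 2xx is usually the default vhost answering, as explained in the
        # thread; compare the body with the default site to confirm.
        if 200 <= hit[2] < 300:
            answered.append(hit)
    return per_ip, answered

# Constructed sample lines (documentation IP ranges), modelled on the thread.
SAMPLE = [
    '203.0.113.7 - - [05/Apr/2024:23:59:56 +0200] "CONNECT teamrrq.com:443:443 HTTP/1.1" 400 392 "-" "-"',
    '198.51.100.9 - - [05/Apr/2024:23:59:57 +0200] "GET http://azenv.net/ HTTP/1.1" 200 1024 "-" "-"',
    '203.0.113.7 - - [05/Apr/2024:23:59:58 +0200] "CONNECT teamrrq.com:443:443 HTTP/1.1" 400 392 "-" "-"',
    '192.0.2.10 - - [06/Apr/2024:00:00:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [06/Apr/2024:00:00:02 +0200] "GET http://newsite.com/ HTTP/1.1" 200 5120 "-" "-"',
]
```

Calling `summarize(SAMPLE)` returns the per-IP counts and the list of proxy-style requests that received a 2xx status; ordinary requests and absolute URLs naming the site's own host are ignored.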
