AtoM DDOS challenge


Chris Selwyn

Dec 14, 2025, 7:44:00 AM
to AtoM Users
I have recently been the subject of a DDOS attack on my AtoM installation and I thought I would relate my experiences of getting it under control for the benefit of others.

The basic symptoms were that my server was running *really* slow and the disk was full. 
It took me quite some time to work out what was going on but I finally realised that the several million (yes... million!) PHP session files that were taking up about 20GB of disk space were being caused by many thousands of clients performing accesses to a number of URLs on my AtoM installation. Each access started a new PHP session and wrote a new PHP session file.

My first thought was to look at some sort of proxying solution and discovered that a Cloudflare free account might be able to help. I never really managed to fully protect my server with that method because my IP address was still exposed and the attackers could just simply not access my server via the Cloudflare servers.

Then I looked around and found that there was apparently already some sort of defence against DDOS attacks as part of AtoM. However, my initial attempts always failed because the client was redirected to the path "/challenge" in my installation which did not exist. After some further investigation I realised that there were two problems...
1) The installation instructions show installing behind Nginx. I found out that the Nginx instructions involved a configuration that would rewrite /challenge to a PHP file in the /web/challenge folder. The file did not exist in my installation that I did from the downloaded tarball. Again, after some more research, I realised that the file would be available if I downloaded an installation from GitHub.
2) I happen to use AtoM behind an Apache server and I had to work out how to achieve the /challenge rewrite using Apache's mod_rewrite.

The good news is that I seem to now have the DDOS under manageable control. The accesses still happen but no longer start PHP sessions because of the "short-circuiting" performed by the challenge. The accesses no longer take a huge percentage of my server CPU time.

I have also installed a cron job that deletes old PHP session files.

Could I at least ask that Artefactual include the /web/challenge/index.php file in the tarball distribution?

If you would like to make use of the ASN or country exceptions then you will need an account on MaxMind's website so that you can keep an up-to-date local copy of the MMDB files. As far as I can tell the substitution of the %SF_ROOT_DIR% string in the appChallenge.yml file does not work but you will probably want to change those settings to wherever you are downloading the MMDB files to anyway.

I hope that this helps others out there.

Chris
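The session-file cleanup Chris mentions, as an added example that is neither his cron job nor part of AtoM: a small POSIX shell script that counts and prunes stale PHP session files. The directory (/var/lib/php/sessions), the sess_ naming pattern and the one-day threshold are assumptions; set them to match session.save_path and session.gc_maxlifetime in your php.ini.

```sh
#!/bin/sh
# Added example, not Chris's script or AtoM's own code: cron-friendly cleanup of
# stale PHP session files. Assumes session files live in a flat directory
# (e.g. /var/lib/php/sessions) and are named sess_<id>; the path and the
# 1-day default age are assumptions to align with your php.ini.

# Print the number of PHP session files under DIR. Watching this number is the
# quickest way to spot the "millions of sessions" symptom before the disk fills.
count_php_sessions() {
    dir="$1"
    find "$dir" -type f -name 'sess_*' | wc -l | tr -d ' '
}

# Delete session files in DIR not modified for more than DAYS days (default 1).
# Every user whose session is older than this is logged out, so keep DAYS at
# or above session.gc_maxlifetime expressed in days.
prune_php_sessions() {
    dir="$1"
    days="${2:-1}"
    [ -d "$dir" ] || { echo "prune_php_sessions: no such directory: $dir" >&2; return 1; }
    # "-exec ... {} +" batches many paths into one rm, which matters with millions of files.
    find "$dir" -type f -name 'sess_*' -mtime +"$days" -exec rm -f {} +
}

# Example cron entry (assumed paths): nightly at 03:17, prune sessions older than 1 day
#   17 3 * * *  /usr/local/sbin/prune_php_sessions.sh /var/lib/php/sessions 1
if [ -n "$1" ]; then
    echo "before: $(count_php_sessions "$1") session files ($(du -sh "$1" | cut -f1))"
    prune_php_sessions "$1" "${2:-1}"
    echo "after:  $(count_php_sessions "$1") session files"
fi
```

Run it once by hand with the session directory as the first argument before installing the cron entry, and compare the before/after counts against what the challenge is now short-circuiting.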

Sarah Mason

Dec 16, 2025, 1:46:21 PM
to AtoM Users
Hi Chris,

First of all, thank you for sharing your workarounds and management of the DDOS attacks. I'm sure it will be useful for others.

As for the /web/challenge/index.php not being in the tarball installation, we will investigate it and come back with some updates for you. Out of curiosity, what version of AtoM are you using? The challenge was introduced in 2.10.0, so just making sure you are using that or later. Thank you for your feedback, it's very useful!

Best wishes,
Sarah Mason
Contributor Success Specialist

Chris Selwyn

Dec 16, 2025, 4:37:09 PM
to AtoM Users
I am using the latest (at writing) version of AtoM being 2.10.1.
Chris
