WP Job Manager plugin support thread: DoS attack using jm-ajax/get_listings to overload the server

  • Resolved dmpinder

    (@dmpinder)


    PHP ver: 7.4.3
    WP ver: 5.6.1
    Plugin ver: 1.35.0

    ===

    Hi there,

    We’ve got a client site using this plugin, and every few days the site is getting attacked from foreign IP addresses all sending POST requests to jm-ajax/get_listings.

    Here’s an example from our access log:

    162.158.158.127 - - [10/Apr/2021:17:49:41 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:41 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:41 +0100] "POST /jm-ajax/get_listings/ HTTP/2.0" 200 270 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:41 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:42 +0100] "POST /jm-ajax/get_listings/ HTTP/2.0" 200 270 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:43 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
    162.158.158.127 - - [10/Apr/2021:17:49:44 +0100] "POST /jm-ajax/get_listings/ HTTP/1.1" 200 282 "https://www.website.com/vacancies/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"

    You can see there are multiple requests each second, which eventually overloads our server’s resources.

    We’ve put the site behind Cloudflare but it hasn’t prevented this attack (with the default Cloudflare configuration).

    Our current workaround is to manually block the IP address for each attack, but every new attack is coming from a new IP.

    Can you suggest something we can try to mitigate this? Is there a way to limit POST requests to this URL to only the website itself?

    Thanks!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Good day dmpinder,

    First of all: many thanks for stepping up to the plate with your issue. I am very glad that you informed us.

    Though I do not have a concrete solution, I am glad that you posted the issues here. I hope that the devs & the community will keep an eye on these protocols and come up with a solution.

    Please, dear dmpinder, keep us informed, and meanwhile all the best to you.

    Regards, tangermaroc

    Plugin Support bindlegirl

    (@bindlegirl)

    Hi @dmpinder !

    I’m sorry about the trouble. Have you tried checking with your host if there is anything they can do to help with the attacks?

    In the meantime, I’ve asked our developers if they have any suggestions for you. We’ll let you know as soon as we hear back from them.

    Plugin Support bindlegirl

    (@bindlegirl)

    Hey @dmpinder ,

    Our developers suggested you check out the Cloudflare options to block requests based on IP reputation, or if that does not work, country:
    https://developers.cloudflare.com/firewall/recipes/block-ip-reputation

    This problem will need to get solved with some help from your host or (if the Cloudflare approach doesn’t help) by using a security/firewall plugin.

    Yeah, there’s not much you can do on a programmatic level; they could have just as easily been hitting the ajax endpoint.

    You need to get with the hosting provider or set up a WAF through Cloudflare for this. If you’re using a hosting company that supports mod_security, that can be utilized as well.

    This is really something that needs to be handled at the network/server level, not necessarily the application level, as that would be like putting an old band-aid on an open wound that needs stitches.

    Thread Starter dmpinder

    (@dmpinder)

    Hey @bindlegirl, thanks for the replies! We are hosting the site ourselves, so we are the support 😀

    I’ve already set up a country-level Cloudflare Challenge on the US because the website and company are based in the UK, which has effectively stopped it for now. We’ve also added fail2ban to the server to block repeated hits like this.

    Thanks for confirming there’s no real programmatic solution to it. I was curious whether it was possible to cache the query, if it isn’t already?
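Rate-based detection of the pattern shown in the access-log excerpt above, as an added example that is not part of this thread or of the WP Job Manager plugin: a Python re-implementation of the fail2ban maxretry/findtime rule that dmpinder mentions, run over constructed log lines in the same combined format. The example.com URLs and the 203.0.113.x / 198.51.100.x addresses are constructed documentation values, not the poster's data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format, the layout of the lines quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_offenders(lines, endpoint="/jm-ajax/get_listings/", maxretry=10, findtime=10):
    """fail2ban-style rule: an IP that POSTs to `endpoint` more than `maxretry`
    times inside any `findtime`-second window is an offender; returns
    {ip: hits in its worst window}. Referer is ignored on purpose: the thread's
    lines already carry the site's own /vacancies/ page, so it proves nothing."""
    recent = defaultdict(deque)   # ip -> timestamps of recent matching POSTs
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != endpoint:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while (q[-1] - q[0]).total_seconds() > findtime:   # expire old hits
            q.popleft()
        if len(q) > maxretry:
            offenders[rec["ip"]] = max(len(q), offenders.get(rec["ip"], 0))
    return offenders

def sample_line(ip, sec, path="/jm-ajax/get_listings/", method="POST"):
    """Constructed log line modelled on the thread's excerpt (documentation IPs)."""
    return (f'{ip} - - [10/Apr/2021:17:49:{sec:02d} +0100] "{method} {path} HTTP/1.1" '
            f'200 282 "https://www.example.com/vacancies/" "Mozilla/5.0"')

# Constructed sample: one client flooding 12 POSTs in 3 s, one ordinary visitor.
SAMPLE_LOG = [sample_line("203.0.113.10", 41 + i // 4) for i in range(12)]
SAMPLE_LOG += [sample_line("198.51.100.7", 42), sample_line("198.51.100.7", 50, "/vacancies/", "GET")]

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))   # {'203.0.113.10': 12}
```

One caveat before feeding a real log to a rule like this: the address in the quoted excerpt, 162.158.158.127, sits in 162.158.0.0/15, which is a Cloudflare range, so with the site behind Cloudflare the origin log shows Cloudflare edge addresses unless the visitor IP is restored first (for example with Apache's mod_remoteip trusting Cloudflare's published ranges and reading the CF-Connecting-IP header). Count and block on the restored address, otherwise the ban lands on Cloudflare itself rather than on the client.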
