From sca at andreasschulze.de Tue Nov 4 19:38:02 2025
From: sca at andreasschulze.de (A.Schulze)
Date: Tue, 4 Nov 2025 20:38:02 +0100
Subject: [horde] bots hammer my instance
Message-ID: <62441781-2dc9-450c-9aad-b0d7c5b76dcc@andreasschulze.de>

Hello,

I have a publicly accessible horde instance. For years ...
Of course, some remote hosts query my horde instance now and then, but this did not hurt.
Last week I noted a significant performance impact. I activated some more logging and was surprised.

In a random 15 minutes, ~1000 different random clients query "/ horde / ansel / browse _ edit . php"
(inserted spaces for "only human readability")
I looked up some reverse DNS names for some clients: all are named like the usual dialup IPs.

What's my reaction?
At first my strategy was to shortcut these specific requests. I no longer proxy the request to the app server.
This solved my performance issue. I simply respond directly with "200 foo". This does not change the number of requests.
Also, responding with 404/503/whatever does not affect the number of requests *to this specific path*.
So I started to delay my response by multiple seconds. Tarpitting :-)

Do you also see such a request pattern? How do you handle it?

Andreas

From impuser at bitrealm.com Wed Nov 5 02:18:33 2025
From: impuser at bitrealm.com (Brent)
Date: Tue, 04 Nov 2025 18:18:33 -0800
Subject: [horde] bots hammer my instance
In-Reply-To: <62441781-2dc9-450c-9aad-b0d7c5b76dcc@andreasschulze.de>
Message-ID: <20251104181833.Horde.Hl7-dwVw0bTD-o4DPzDW8xc@mail.bitrealm.com>

There are a number of solutions to this sort of thing.

1) If the traffic is coming from a netblock range, you can block that.
2) If the traffic is coming from a particular country, you can block that.
3) If the traffic is coming from a particular bot, you can often find something similar about their handshake with your server that you can block by matching on that commonality: user-agent, cookie, Host response, etc.
4) If one IP is hammering away, you can limit the number of connections per client.

How you block this does depend on your architecture. Linux can block netblock ranges with nftables. You can also use a combination of geoip and nftables to block countries. For layer 7 stuff like user-agent, you can front your horde installation with something like nginx. Nginx is highly configurable for this type of thing.

The tricky part can be to find a commonality in this type of junk traffic you want to ignore. They still use bandwidth, so it can't help if it is a DDoS bandwidth attack; you'd need to work with your provider or front your site with a company that provides this level of anti-DDoS protection. (read: $$$ )

brent
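
An added example, not code from either poster or from the Horde project: a small access-log profiler for the request pattern described in the thread, showing how many clients and networks hit the path in a 15-minute window and whether they share a user-agent, which is the "commonality" that decides between a netblock rule and a layer 7 match. The combined log format, the sample lines and the `ExampleBot/1.0` agent are assumptions, and the client field is assumed to hold an IP address.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Path from the first message, with the inserted spaces removed.
PATH = "/horde/ansel/browse_edit.php"
# Combined log format (assumed): ip - - [time] "METHOD uri PROTO" status size "referer" "agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

def profile(lines, path=PATH, window=timedelta(minutes=15)):
    """Summarise who requested `path` during the first `window` of matching traffic."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if m and m.group(3).split("?")[0] == path:  # ignore the query string
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ts, m.group(1), m.group(4)))
    if not hits:
        return None
    hits.sort()
    start = hits[0][0]
    hits = [h for h in hits if h[0] - start <= window]
    clients = {ip for _, ip, _ in hits}
    # Group clients by /24 (IPv4) or /48 (IPv6) to see whether a netblock rule would help.
    nets = Counter(
        str(ip_network(f"{ip}/{24 if ip_address(ip).version == 4 else 48}", strict=False))
        for ip in clients
    )
    agents = Counter(ua for _, _, ua in hits)
    return {
        "requests": len(hits),
        "clients": len(clients),
        "networks": len(nets),
        "top_network": nets.most_common(1)[0],
        "top_agent": agents.most_common(1)[0],
    }

# Constructed sample lines (documentation address ranges, made-up user agents).
SAMPLE = """\
192.0.2.10 - - [04/Nov/2025:19:00:01 +0100] "GET /horde/ansel/browse_edit.php HTTP/1.1" 200 3 "-" "ExampleBot/1.0"
198.51.100.7 - - [04/Nov/2025:19:02:30 +0100] "GET /horde/ansel/browse_edit.php?x=1 HTTP/1.1" 200 3 "-" "ExampleBot/1.0"
203.0.113.5 - - [04/Nov/2025:19:05:12 +0100] "GET /horde/ansel/browse_edit.php HTTP/1.1" 200 3 "-" "ExampleBot/1.0"
203.0.113.99 - - [04/Nov/2025:19:09:44 +0100] "GET /horde/ansel/browse_edit.php HTTP/1.1" 200 3 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Nov/2025:19:10:00 +0100] "GET /horde/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [04/Nov/2025:19:40:00 +0100] "GET /horde/ansel/browse_edit.php HTTP/1.1" 200 3 "-" "ExampleBot/1.0"
""".splitlines()

if __name__ == "__main__":
    print(profile(SAMPLE))
```

When `clients` is close to `requests` and `networks` is close to `clients`, per-client limits and netblock rules have little to act on, and a dominant `top_agent` is the more useful thing to match in the front-end proxy.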