[horde] bots hammer my instance

Brent impuser at bitrealm.com
Wed Nov 5 02:18:33 UTC 2025 

  There are a number of solutions to this sort of thing.

1) If the traffic is coming from a netblock range, you can block that.

2) If the traffic is coming from a particular country, you can block that.

3) If the traffic is coming from a particular bot, you can often find  
something similar about their handshake with your server that you can  
block by matching on that commonality: user-agent, cookie, Host  
response, etc.

4) If one ip is hammering away, you can limit the number of  
connections per client.

How you block this does depend on your architecture. Linux can block  
netblock ranges with nftables. You can also use a combination of geoip  
and nftables to block countries. For layer 7 stuff like user-agent,  
you can front your horde installation with something like nginx. Nginx  
is highly configurable for this type of thing. The tricky part can be  
to find a commonality in this type of junk traffic you want to ignore.  
They still use bandwidth, so it can't help if it is a DDoS bandwidth  
attack, you'd need to work with your provider or front your site with  
a company that provides this level of anti-ddos protection. (read:   
$$$ )

brent

Quoting A.Schulze <sca at andreasschulze.de>:

> Hello,
>
> I have a public accessible horde instance. Since years ...
> Of course, some remote hosts query my horde instance here and now  
> and then. but this did not hurt.
> Last week a noted a significant performance impact. I activated some  
> more logging and was surprised.
>
> In random 15 minutes, ~1000 different random clients query "/ horde  
> / ansel / browse _ edit . php"
> (inserted spaces for "only human readability")
> I looked up some reverse dns names for some clients: all are named  
> like the usual Dialup IPs.
>
> What's my reaction?
> First my strategy was to shortcut this specific requests. I no  
> longer proxy the request to the app server.
> This solved my performance issue. I simply respond directly with  
> "200 foo". This does not change the number of requests.
> Also responding with 404/503/whatever does not affect the number of  
> requests *to this specific path*
> So I started to delay my response multiple seconds. tarpitting :-)
>
> Do you also see such request pattern? How do you handle it?
>
> Andreas
>
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/To unsubscribe,  
> mail: horde-unsubscribe at lists.horde.org

More information about the horde mailing list