DDOS attack on WordPress site with “/?s=some-random-text”

One common way in which hackers launch a DDOS on a WordPress site is to send GET requests for a search term, “/?s=some-random-text”. Each request is processed by the server: WordPress checks the database for the term and returns a 404 result. Hundreds or thousands of these requests every second overwhelm the server until it is unable to process any requests.

The nginx error.log shows “Error 502, no live upstreams while connecting to upstream”.

The top command shows that the server is at maximum load with mysql, php-fpm and nginx consuming 100% of the CPU.

The traffic statistics show a clear jump in the bandwidth used.

DDOS attack on wordpress site

One solution is to disable the search facility, either by installing a plugin (Disable Search) or by adding code to the theme’s functions.php file.

One can also install CSF (Config Server Firewall) and turn on the DDOS protection in it. This protection blocks IPs which make more than the stipulated number of requests per second; these IPs are also put in the DENY list and blocked.
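As an added illustration of the per-IP, per-second rate check that the CSF protection performs (this script is not from the original post or from CSF), the following Python counts “?s=” search requests per client IP in each one-second window of an nginx access log and reports the IPs that exceed a threshold. The log lines are constructed samples and the threshold of 3 is an assumption; it also shows why the check must look at the query string rather than the URI path.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in nginx's default "combined" access_log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?s=kd83jd9s HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?s=pq29ksla HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?s=zz81mmcv HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?s=aa00bbcc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?s=wordpress HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:36 +0000] "GET /blog/?s=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Fields used: client ip, timestamp (one-second resolution), request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_search_request(target):
    """True if the request target carries a WordPress search query (an "s" argument)."""
    # Inspect the query string, not the path: "/blog/?s=x" is a search too,
    # while "/?ps=x" is not (the same reason nginx must test $arg_s, not the location).
    return "s" in parse_qs(urlsplit(target).query, keep_blank_values=True)

def search_hits_per_second(log_text):
    """Count search requests per (client IP, one-second timestamp bucket)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_search_request(m.group("target")):
            counts[(m.group("ip"), m.group("ts"))] += 1
    return counts

def flag_floods(log_text, threshold=3):
    """Map each IP that sent at least `threshold` search requests within one
    second to its peak per-second count (threshold of 3 is an assumed value)."""
    flagged = {}
    for (ip, ts), n in search_hits_per_second(log_text).items():
        if n >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged

if __name__ == "__main__":
    for ip, peak in flag_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} search requests in one second")
```

On the sample above only 203.0.113.5 is flagged (three searches in the same second); the other two clients each issued a single search.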

Simultaneously, one can block requests for the search term by adding a rule to the site’s nginx config.

# "location" matches only the URI path, never the query string, so a pattern
# like "/?s=$" never matches "/?s=..."; test the "s" query argument ($arg_s)
# instead. Place this inside the server { } block.
if ($arg_s != "") {
    return 403;
}

One can also add a redirect so that requests for the page are sent elsewhere:

# Same check on the "s" argument; the trailing "?" on the rewrite target drops
# the original query string so the redirect cannot loop back to this rule.
if ($arg_s != "") {
    rewrite ^/(.*)$ http://your_domain.com/$1? permanent;
}

The advantage of adding the block and redirect rules is that they are processed by nginx itself, before the request reaches PHP, and so do not burden the mysql server.

However, having said that, if the DDOS attack is large enough, even the block and redirect at the server level will not work.
