I'm experiencing a distributed attack targeting port 443 on my server. The attack has these characteristics:
- Originates from numerous random IP addresses
- Automatically rotates IPs when blocked
- Target requests consistently begin with "GET /moodlee/index.php?" followed by varying parameters
- Uses what appears to be a botnet with millions of IPs

What I've tried
- Implemented connection rate limiting (2/sec) in the LiteSpeed configuration
- Applied similar limits in CSF firewall
- Activated CAPTCHA verification
- The attack distributes requests across millions of IPs
- New IPs immediately replace blocked ones
- Traffic floods the webserver despite CAPTCHA being active

What would be an effective approach to block this distributed attack at the firewall level before it reaches my webserver? I believe filtering at the server firewall level would be most effective, but I need specific implementation guidance.

Environment
- Web server: LiteSpeed
- Firewall: CSF
- OS: AlmaLinux 8
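
An added example, not part of the original post: a Python script that measures the per-IP and aggregate rates of requests matching the prefix described above, to check whether any single source ever crosses a 2/sec limit. It assumes a combined-format access log and that the limit is applied per client IP; the log lines are constructed samples using documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format, documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "GET /moodlee/index.php?a=1 HTTP/1.1" 200 512
198.51.100.8 - - [12/Mar/2024:10:00:01 +0000] "GET /moodlee/index.php?b=7 HTTP/1.1" 200 512
203.0.113.5 - - [12/Mar/2024:10:00:01 +0000] "GET /moodlee/index.php?q=zz HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2024:10:00:01 +0000] "GET /moodlee/index.php?x=3 HTTP/1.1" 200 512
192.0.2.14 - - [12/Mar/2024:10:00:01 +0000] "GET /moodlee/index.php?k=9 HTTP/1.1" 200 512
192.0.2.200 - - [12/Mar/2024:10:00:01 +0000] "GET /course/view.php?id=3 HTTP/1.1" 200 9000
192.0.2.77 - - [12/Mar/2024:10:00:02 +0000] "GET /moodlee/index.php?c=2 HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2024:10:00:02 +0000] "GET /moodlee/index.php?d=4 HTTP/1.1" 200 512
203.0.113.40 - - [12/Mar/2024:10:00:02 +0000] "GET /moodlee/index.php?e=5 HTTP/1.1" 200 512
"""

# client IP, timestamp (one-second resolution), request line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def analyze(log_text, prefix="GET /moodlee/index.php?", per_ip_limit=2):
    """Compare per-IP and aggregate rates for requests starting with prefix."""
    per_second = Counter()     # timestamp -> matching requests from all IPs
    per_ip_second = Counter()  # (ip, timestamp) -> matching requests
    ips = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, ts, request = m.groups()
        if not request.startswith(prefix):
            continue  # unrelated traffic
        ips.add(ip)
        per_second[ts] += 1
        per_ip_second[(ip, ts)] += 1
    # Sources that a per-IP limit (assumed semantics) would actually catch.
    over = sorted({ip for (ip, _), n in per_ip_second.items() if n > per_ip_limit})
    return {
        "matching": sum(per_second.values()),
        "unique_ips": len(ips),
        "peak_per_second": max(per_second.values(), default=0),
        "max_per_ip_per_second": max(per_ip_second.values(), default=0),
        "ips_over_limit": over,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When `ips_over_limit` is empty while `peak_per_second` is high, the load comes from many sources that each stay under the per-IP threshold, so a per-IP limit has nothing to trigger on.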