I’m no expert, but I had what feels like a minor victory this morning.
My BigV server seemed to be getting a lot of sustained traffic from a particular IP address in Israel. The system load repeatedly went through the roof. It went on for too long and I needed a neat way of blocking it, so I used ipset.
My main firewall is standard iptables. It has a match extension, ‘-m set’, that lets a rule test a packet’s source or destination address against an ipset instead of listing addresses in the rule itself, so one rule covers the whole set and addresses can be added or removed without touching the firewall rules.
- ipset create hackers hash:ip
This creates a set named ‘hackers’ of type hash:ip, which holds individual IPv4 addresses to be blocked. (To block whole networks, use the hash:net type instead, which accepts CIDR prefixes.)
- ipset add hackers xxx.xxx.xxx.xxx
Add an IP address to the set; repeat the command for each address. ‘ipset list hackers’ shows the current contents, and ‘ipset del hackers xxx.xxx.xxx.xxx’ removes an entry again.
- iptables -I INPUT 1 -m set --match-set hackers src -j DROP
Add a rule that matches any packet whose source address (‘src’) is in the set and drops it. Inserting at position 1 puts it at the top of the INPUT chain, ahead of any rule that would otherwise accept the traffic, such as one accepting established connections. The set must exist before this rule is added, and neither the set nor the rule survives a reboot unless it is saved (‘ipset save’ and ‘ipset restore’) and loaded before the firewall rules.
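The three steps above wrapped into one script, as an added example that is not from the original post. It keeps the set name ‘hackers’ from the post; the function and variable names, the script layout, and the sample addresses (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are my own assumptions for illustration. Addresses are validated before they reach ipset, the set is loaded through ‘ipset restore’ so the script can be re-run without “already exists” errors, and the DROP rule is inserted only if it is not already present.

```sh
#!/bin/sh
# Added example (not from the original post): block a list of IPv4 addresses
# with an ipset and a single iptables rule. The set name follows the post;
# everything else here is an assumption for illustration.

SET_NAME="${SET_NAME:-hackers}"

# is_ipv4 ADDR: true only for a dotted quad with every octet in 0-255.
# Rejects anything with characters outside [0-9.], empty octets, or a
# leading/trailing dot, so shell metacharacters never reach ipset.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# restore_script ADDR...: print an `ipset restore` script that creates the
# set and adds each valid address. Invalid input is reported on stderr and
# skipped. The output is the same format `ipset save` produces, so it can be
# kept in a file and loaded at boot before the iptables rules.
restore_script() {
    printf 'create %s hash:ip family inet\n' "$SET_NAME"
    for _ip in "$@"; do
        if is_ipv4 "$_ip"; then
            printf 'add %s %s\n' "$SET_NAME" "$_ip"
        else
            printf 'skipping invalid address: %s\n' "$_ip" >&2
        fi
    done
}

# apply ADDR...: load the set (root required) and insert the DROP rule once.
# `ipset -exist restore` tolerates a set or entry that already exists, and
# `iptables -C` tests for the rule so a second run does not add a duplicate.
apply() {
    restore_script "$@" | ipset -exist restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT 1 -m set --match-set "$SET_NAME" src -j DROP
}

# Usage (as root):  sh block.sh apply 203.0.113.5 198.51.100.7
# Preview only:     sh block.sh show  203.0.113.5 198.51.100.7
case "${1:-}" in
    apply) shift; apply "$@" ;;
    show)  shift; restore_script "$@" ;;
esac
```

Running ‘show’ first is a cheap way to confirm what will be loaded; ‘apply’ is safe to run repeatedly, which makes it suitable for a cron job or a hook that appends freshly spotted addresses.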
That fixed it for me.
I don’t know how this scales, but for a few dozen sites with moderate traffic it seems to work just fine.
I hope that you may find this useful.