httpd-users mailing list archives

From ServerForge Administration <ad...@serverforge.net>
Subject [users@httpd] DoS against apache
Date Mon, 30 Aug 2004 02:30:41 GMT
I have been getting a rather odd looking DoS attack against my 
webserver, it generates sod all traffic (less than a kilobyte a second) 
and yet it still seems able to totally knacker apache.

193.252.41.101 - - [29/Aug/2004:22:20:59 -0400] "NICK D3V1L-473163" 400 - "-" "-"
193.251.84.227 - - [29/Aug/2004:22:20:59 -0400] "NICK D3V1L-41221787" 400 - "-" "-"
81.84.107.76 - - [29/Aug/2004:22:21:00 -0400] "NICK D3V1L-2758617" 400 - "-" "-"
62.45.180.37 - - [29/Aug/2004:22:21:00 -0400] "NICK D3V1L-27328454" 400 - "-" "-"
82.51.110.220 - - [29/Aug/2004:22:21:00 -0400] "NICK D3V1L-726043" 400 - "-" "-"
217.210.111.198 - - [29/Aug/2004:22:21:00 -0400] "NICK D3V1L-5142000" 400 - "-" "-"
217.44.74.225 - - [29/Aug/2004:22:21:00 -0400] "NICK D3V1L-622283" 400 - "-" "-"

Above is from the access.log, below is from the error.log (they are just 
snippets, not at any corresponding times).

[Sun Aug 29 22:28:46 2004] [error] [client 64.40.57.93] Invalid URI in request NICK D3V1L-020474
[Sun Aug 29 22:28:58 2004] [error] [client 81.56.161.90] Invalid URI in request NICK D3V1L-46221633
[Sun Aug 29 22:29:05 2004] [error] [client 145.99.226.50] Invalid URI in request NICK D3V1L-312544
[Sun Aug 29 22:29:06 2004] [error] [client 64.40.63.31] Invalid URI in request NICK D3V1L-50131468

I have written a script to filter out the hosts doing it, but yet the 
server still seems rather unresponsive (most requests timeout). I am 
running the stock Debian install of apache 1.3.26-0woody5 if that is 
relevant. Below is the script I wrote to filter the attack, it just runs 
on a 10 second loop and uses the logfile to pick out the IPs involved... 
messy but (normally) effective.

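#!/bin/sh
# Every 10 seconds, drop traffic from each host that logged a D3V1L request.
while true; do
        # sort -u so each address is added only once per pass
        for x in $(grep D3V1L /var/log/apache/access.log | awk '{print $1}' | sort -u); do
                iptables -A INPUT -s "$x" -j DROP
        done
        # empty the log so the next pass only sees new entries
        : > /var/log/apache/access.log
        sleep 10
done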

My question really is does anyone know what this attack is, and does 
anyone know a better way to filter it... as 1kb a second of data should 
not be enough to floor apache.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
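
A stricter form of the log-driven filter described in the message, as an added example that is not part of the original post: it matches only the request-line field (so a legitimate URL that happens to contain D3V1L is not blocked), validates and de-duplicates the addresses, and prints the firewall commands for review instead of running them. The function names and sample lines are constructed for illustration, and it assumes an iptables build that supports the -C (check) option.

```shell
#!/bin/sh
# Added example: print each source address whose request line is an IRC-style
# "NICK D3V1L-<digits>" command answered with HTTP 400, once per address.
# Reads Apache common/combined-format log lines (one entry per line) on stdin.
extract_offenders() {
    awk -F'"' '
        {
            # $1 = "ip ident user [time] ", $2 = request line, $3 = " status bytes "
            split($1, head, " ")
            split($3, tail, " ")
            ip = head[1]
            if ($2 !~ /^NICK D3V1L-[0-9]+$/) next   # match the request line only
            if (tail[1] != "400") next              # only requests Apache rejected
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next  # never pass junk to iptables
            if (!(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# Turn addresses on stdin into iptables commands, printed rather than executed.
# The -C test means re-running over the same log does not stack duplicate rules.
block_commands() {
    while IFS= read -r ip; do
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -A INPUT -s %s -j DROP\n' "$ip" "$ip"
    done
}

# Constructed sample input (addresses from the 192.0.2.0/24 documentation range).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [29/Aug/2004:22:20:59 -0400] "NICK D3V1L-473163" 400 - "-" "-"
192.0.2.11 - - [29/Aug/2004:22:21:00 -0400] "NICK D3V1L-2758617" 400 - "-" "-"
192.0.2.10 - - [29/Aug/2004:22:21:00 -0400] "NICK D3V1L-622283" 400 - "-" "-"
192.0.2.50 - - [29/Aug/2004:22:21:01 -0400] "GET /forum?q=D3V1L HTTP/1.0" 200 512 "-" "Mozilla/4.0"
EOF
}

sample_log | extract_offenders | block_commands
```

Because the rule check makes each pass idempotent, the log can be re-read in full on every run rather than being emptied while Apache still has it open.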

