httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bob" <...@a1poweruser.com>
Subject RE: [users@httpd] limiting connections per ip address in apache2 whenunder attack
Date Thu, 21 Jun 2007 17:45:45 GMT


-----Original Message-----
Bob wrote:
> Is there a valid reason based on your web server content that people from
> China would be accessing your site?

Yes, we have a very large quantity of pdfs in Chinese. Converting them
to html would presumably reduce the load but I don't think the manpower
to do that is there.


> If this is a real attack then you were found by rolling through a whole
> block of ip address looking for a open port 80.
> Change your apache server to use different port say 7788 instead of port
80
> and then use the free www.zoneedit.com dns service to redirect all FQDN to
> your websit to include the new port.  From that point on only access to
your
> site would have to done through FQDN.  And all those attack port 80
packets
> would find no web server at port 80 ending this and future attacks leaving
> all your normal server request using your FQDN working as they do now.
This
> is called hiding in plain sight.
>

I'm not actually convinced it's an attack, rather than an incompetent
spider. Some of the hits come from referrers (other Chinese sites) which
have built up a long index of our files, and the spider which is causing
the problem is simply running repeatedly through those.

But it's an interesting idea; do you have any references from people who
have done this, what the potential snags are, etc?

Graham

From: graham [mailto:graham@theseamans.net]
Sent: Thursday, June 21, 2007 12:07 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] limiting connections per ip address in apache2
whenunder attack

I have been running my apache web server in the above described manner for 6
years now with out any problems. This technique is described in a apache
security book I have. I use a firewall to block inbound port 80 and see 20
to 150 daily unsolicited hits on port 80. These are all caused be people
scanning a block of ip address searching for open port 80. Once you are
found this way your ip address gets posted to news groups where underground
attackers share lists of ip address with open port 80. Once you have been
posted there, you will really see a large increase of PHP CONNECT attacks.

Since you are serving very large quantity of pdfs in Chinese it may just be
a matter of time until the China search engines get you indexed for the
first time then things should settle down to normal.

If this activity continues for more that 10 days then it's not normal search
engine indexing but really a attack designed to generate a denial of service
situation for your server to stop the Chinese public from accessing you. The
Chinese government is known to do this sort of thing to restrict their
citizen's access, specially if what you have is considered undesirable
information by the Chinese government. So what is the subject matter covered
by these Chinese pdf's ?????

Bob





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message