tomcat-users mailing list archives

From DIGLLOYD INC <digllo...@diglloyd.com>
Subject hackers sending long URLs to probe site?
Date Thu, 24 Apr 2008 16:48:11 GMT
I've had to use a "deny" in a RemoteAddrValve to solve the following
problem--

A normal URL for my site might be:

http://diglloyd.com/diglloyd/free/Eagles/Eagles.html
e.g. /diglloyd/free/Eagles/Eagles.html

(check it out if you want to see some unusual eagle photos)

But I see tons of 404 errors, with someone/thing from 62.42.21.210  
(ono.com) doing:

http://diglloyd.com/diglloyd/free/diglloyd/free/Eagles/Eagles.html
http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
... ad nauseam...

Similar illegal variants are sent for all the other URLs on my site.

I also see illegal requests like this from several sites:

/diglloyd/blog-images/?S=A

Is there a weakness in Tomcat being probed here?
What is the best way to block such things? Ignore them since they just  
return 404 error anyway?  Write a filter to insert a long delay for  
blatantly wrong requests?

I'm not sure if that ono.com represents a single user or an entire
ISP, so I'm loath to block it entirely.

Lloyd

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
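
Added example, not part of the original message: a log check that counts, per client, the 404s whose path is a real page's path with a repeated directory block, which is the pattern described above. It assumes Tomcat's AccessLogValve writes the "common" pattern; the sample lines, their timestamps and byte counts, and the 192.0.2.10 client are constructed.

```python
import re
from collections import Counter

# Assumed log format: AccessLogValve "common" pattern, %h %l %u %t "%r" %s %b
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')

# Constructed sample lines (only the paths and the 62.42.21.210 address are from the message)
SAMPLE = [
    '192.0.2.10 - - [24/Apr/2008:16:40:01 +0000] "GET /diglloyd/free/Eagles/Eagles.html HTTP/1.1" 200 5120',
    '62.42.21.210 - - [24/Apr/2008:16:41:02 +0000] "GET /diglloyd/free/diglloyd/free/Eagles/Eagles.html HTTP/1.1" 404 1024',
    '62.42.21.210 - - [24/Apr/2008:16:41:03 +0000] "GET /diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html HTTP/1.1" 404 1024',
    '192.0.2.10 - - [24/Apr/2008:16:42:00 +0000] "GET /diglloyd/free/missing.html HTTP/1.1" 404 1024',
]

def collapse_repeats(path):
    """Return the path with consecutive repeated segment blocks removed."""
    segs = [s for s in path.split("/") if s]
    changed = True
    while changed:
        changed = False
        for k in range(1, len(segs) // 2 + 1):          # block length
            for i in range(len(segs) - 2 * k + 1):      # block start
                if segs[i:i + k] == segs[i + k:i + 2 * k]:
                    del segs[i + k:i + 2 * k]           # drop the duplicate block
                    changed = True
                    break
            if changed:
                break
    return "/" + "/".join(segs)

def repeated_path_probes(lines):
    """Count, per client, 404s whose collapsed path was served with a 200."""
    hits = [m.groups() for m in map(LINE.match, lines) if m]
    # Paths that exist, so a legitimate /a/a/b that returns 200 is never flagged
    good = {url.split("?", 1)[0] for _, _, url, status in hits if status == "200"}
    counts = Counter()
    for host, _, url, status in hits:
        path = url.split("?", 1)[0]
        flat = collapse_repeats(path)
        if status == "404" and flat != path and flat in good:
            counts[host] += 1
    return counts

if __name__ == "__main__":
    print(repeated_path_probes(SAMPLE).most_common())
```

A client that only produces this pattern is most often a crawler resolving a relative link against the wrong base, so the per-client count helps decide between fixing a link and blocking an address.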

