|
»
»
Server Attack
|
View:
New views
11 Messages
—
Rating Filter:
Alert me
|
 |
Server Attack
by Andrew Rosolino
::
Rate this Message:
Hi someone is currently sending requests to our server 20x a second.
Here is what one of the logs look like. [CODE] Host: 84.77.19.46 /signUp.php?ref=1945777 Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; MTQ; PPC Mac OS X; en-US) AppleWebKit/578.4 (KHTML, like Geco, Safari) OmniWeb/v643.68e=C: Host: 82.234.98.65 /signUp.php?ref=ec0lag Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; CDB; PPC Mac OS X; en-US) AppleWebKit/126.0 (KHTML, like Geco, Safari) OmniWeb/v554.35 Host: 84.94.31.161 /signUp.php?ref=ec0lag Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; TLD; PPC Mac OS X; en-US) AppleWebKit/502.6 (KHTML, like Geco, Safari) OmniWeb/v401.63ive=C: Host: 81.49.24.92 /signUp.php?ref=1945777 Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; SZS; PPC Mac OS X; en-US) AppleWebKit/230.1 (KHTML, like Geco, Safari) OmniWeb/v710.56ive=C: Host: 80.129.248.17 /signUp.php?ref=1945777 Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; OST; PPC Mac OS X; en-US) AppleWebKit/243.6 (KHTML, like Geco, Safari) OmniWeb/v846.88 Host: 87.235.49.194 /signUp.php?ref=ec0lag Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.1 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; SDD; PPC Mac OS X; en-US) AppleWebKit/430.1 (KHTML, like Geco, Safari) OmniWeb/v145.34 Host: 125.129.12.61 /signUp.php?ref=1945777 Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; WCG; PPC Mac OS X; en-US) AppleWebKit/455.3 (KHTML, like Geco, Safari) OmniWeb/v042.84stemDrive=\x81 Host: 66.110.153.47 /signUp.php?ref=ec0lag Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; ZAM; PPC Mac OS X; en-US) AppleWebKit/387.2 (KHTML, like Geco, Safari) OmniWeb/v456.02ve=C: Host: 62.2.177.250 /signUp.php?ref=ec0lag Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; LMZ; PPC Mac OS X; en-US) AppleWebKit/206.1 (KHTML, like Geco, Safari) OmniWeb/v204.07es Host: 200.115.226.143 /signUp.php?ref=1945777 Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; EDE; PPC Mac OS X; en-US) AppleWebKit/647.0 (KHTML, like Geco, Safari) OmniWeb/v760.47emDrive=C:\x81 Host: 84.171.125.189 /signUp.php?ref=1945777 Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; QHA; PPC Mac OS X; en-US) AppleWebKit/778.0 (KHTML, like Geco, Safari) OmniWeb/v456.03=C: Host: 83.242.79.70 /signUp.php?ref=1945777 Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; GFS; PPC Mac OS X; en-US) AppleWebKit/537.0 (KHTML, like Geco, Safari) OmniWeb/v313.01rive=C: Host: 86.69.194.172 /signUp.php?ref=ec0lag Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; ZCV; PPC Mac OS X; en-US) AppleWebKit/468.2 (KHTML, like Geco, Safari) OmniWeb/v026.14stemDrive=\x81 Host: 196.203.176.26 /signUp.php?ref=ec0lag Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; BXT; PPC Mac OS X; en-US) AppleWebKit/840.3 (KHTML, like Geco, Safari) OmniWeb/v767.50s Host: 201.41.241.190 /signUp.php?ref=1945777 Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; TYZ; PPC Mac OS X; en-US) AppleWebKit/742.0 (KHTML, like Geco, Safari) OmniWeb/v715.65C: Host: 200.84.144.234 /signUp.php?ref=ec0lag Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in Bytes: - Referer: - Agent: Mozilla/5.0 [/CODE] We are currently blocking this user through our Apache. .htaccess [CODE] RewriteEngine On RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Macintosh;\ (.+)\ PPC\ Mac\ OS\ X;\ en-US\)\ AppleWebKit/(.+)\ \(KHTML,\ like\ Geco,\ Safari\)\ OmniWeb/v([0-9]+).([0-9]+)(.+)$ RewriteRule .* - [F] [/CODE] That works fine and is giving the user a 403 (Forbidden), but the problem is that half of our Apache processes are from this user. Is there a way to block his user agent before he gets to Apache? Sometimes this brings our server to a crash. Thanks Andrew |
|
|
Re: Server Attack
by Chris Largret
::
Rate this Message:
I'm going to go ahead and top-post on this (sorry). There has to be a limited number of computers these requests are coming from since the requests are coming over TCP. I'd write a quick script to grab the ip addresses and block them at the firewall level. Maybe something like this: tail -f /var/log/apache/access_log|grep AppleWebKit|cut '-d ' -f 1|xargs /sbin/iptables -A INPUT -p tcp -j DROP -s I haven't tested it (don't have a problem on my current server), but it _should_ follow the Apache requests, grab the IP addresses of users with a UserAgent of AppleWebKit and drop all TCP packets from the IP address until you reset your firewall. ~ Chris Largret On Sun, 27 Aug 2006 14:58:37 -0700 (PDT) altendew <andrew@...> wrote: > > Hi someone is currently sending requests to our server 20x a second. > > Here is what one of the logs look like. > > [CODE] > Host: 84.77.19.46 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; MTQ; PPC Mac OS X; en-US) AppleWebKit/578.4 > (KHTML, like Geco, Safari) OmniWeb/v643.68e=C: > > Host: 82.234.98.65 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; CDB; PPC Mac OS X; en-US) AppleWebKit/126.0 > (KHTML, like Geco, Safari) OmniWeb/v554.35 > > Host: 84.94.31.161 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; TLD; PPC Mac OS X; en-US) AppleWebKit/502.6 > (KHTML, like Geco, Safari) OmniWeb/v401.63ive=C: > > Host: 81.49.24.92 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; SZS; PPC Mac OS X; en-US) AppleWebKit/230.1 > (KHTML, like Geco, Safari) OmniWeb/v710.56ive=C: > > Host: 80.129.248.17 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; OST; PPC Mac OS X; en-US) AppleWebKit/243.6 > (KHTML, like Geco, Safari) OmniWeb/v846.88 > > Host: 87.235.49.194 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.1 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; SDD; PPC Mac OS X; en-US) AppleWebKit/430.1 > (KHTML, like Geco, Safari) OmniWeb/v145.34 > > Host: 125.129.12.61 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; WCG; PPC Mac OS X; en-US) AppleWebKit/455.3 > (KHTML, like Geco, Safari) OmniWeb/v042.84stemDrive=\x81 > > Host: 66.110.153.47 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; ZAM; PPC Mac OS X; en-US) AppleWebKit/387.2 > (KHTML, like Geco, Safari) OmniWeb/v456.02ve=C: > > Host: 62.2.177.250 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; LMZ; PPC Mac OS X; en-US) AppleWebKit/206.1 > (KHTML, like Geco, Safari) OmniWeb/v204.07es > > Host: 200.115.226.143 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; EDE; PPC Mac OS X; en-US) AppleWebKit/647.0 > (KHTML, like Geco, Safari) OmniWeb/v760.47emDrive=C:\x81 > > Host: 84.171.125.189 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; QHA; PPC Mac OS X; en-US) AppleWebKit/778.0 > (KHTML, like Geco, Safari) OmniWeb/v456.03=C: > > Host: 83.242.79.70 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; GFS; PPC Mac OS X; en-US) AppleWebKit/537.0 > (KHTML, like Geco, Safari) OmniWeb/v313.01rive=C: > > Host: 86.69.194.172 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; ZCV; PPC Mac OS X; en-US) AppleWebKit/468.2 > (KHTML, like Geco, Safari) OmniWeb/v026.14stemDrive=\x81 > > Host: 196.203.176.26 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; BXT; PPC Mac OS X; en-US) AppleWebKit/840.3 > (KHTML, like Geco, Safari) OmniWeb/v767.50s > > Host: 201.41.241.190 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; TYZ; PPC Mac OS X; en-US) AppleWebKit/742.0 > (KHTML, like Geco, Safari) OmniWeb/v715.65C: > > Host: 200.84.144.234 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in > Bytes: - > Referer: - > Agent: Mozilla/5.0 > [/CODE] > > We are currently blocking this user through our Apache. > > .htaccess > [CODE] > RewriteEngine On > RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Macintosh;\ (.+)\ PPC\ Mac\ > OS\ X;\ en-US\)\ AppleWebKit/(.+)\ \(KHTML,\ like\ Geco,\ Safari\)\ > OmniWeb/v([0-9]+).([0-9]+)(.+)$ > RewriteRule .* - [F] > [/CODE] > > That works fine and is giving the user a 403 (Forbidden), but the problem is > that half of our Apache processes are from this user. > > Is there a way to block his user agent before he gets to Apache? Sometimes > this brings our server to a crash. > > Thanks > Andrew > -- > View this message in context: http://www.nabble.com/Server-Attack-tf2174025.html#a6011508 > Sent from the linux-kernel forum at Nabble.com. > > - > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@... > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ -- Chris Largret <http://www.largret.com> - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@... More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |
|
|
Re: Server Attack
by Andrew Rosolino
::
Rate this Message:
I was actually thinking about that but arn't all those IPs spoofed? Could an innocent user have that IP address? Is it possible that he is randomly generating those IPs or is that impossible. Also most of those IPs are telecom servers.
|
|
|
Re: Server Attack
by jmerkey-3
::
Rate this Message:
altendew wrote:
>Hi someone is currently sending requests to our server 20x a second. > >Here is what one of the logs look like. > >[CODE] >Host: 84.77.19.46 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; MTQ; PPC Mac OS X; en-US) AppleWebKit/578.4 >(KHTML, like Geco, Safari) OmniWeb/v643.68e=C: > >Host: 82.234.98.65 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; CDB; PPC Mac OS X; en-US) AppleWebKit/126.0 >(KHTML, like Geco, Safari) OmniWeb/v554.35 > >Host: 84.94.31.161 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; TLD; PPC Mac OS X; en-US) AppleWebKit/502.6 >(KHTML, like Geco, Safari) OmniWeb/v401.63ive=C: > >Host: 81.49.24.92 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; SZS; PPC Mac OS X; en-US) AppleWebKit/230.1 >(KHTML, like Geco, Safari) OmniWeb/v710.56ive=C: > >Host: 80.129.248.17 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; OST; PPC Mac OS X; en-US) AppleWebKit/243.6 >(KHTML, like Geco, Safari) OmniWeb/v846.88 > >Host: 87.235.49.194 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.1 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; SDD; PPC Mac OS X; en-US) AppleWebKit/430.1 >(KHTML, like Geco, Safari) OmniWeb/v145.34 > >Host: 125.129.12.61 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; WCG; PPC Mac OS X; en-US) AppleWebKit/455.3 >(KHTML, like Geco, Safari) OmniWeb/v042.84stemDrive=\x81 > >Host: 66.110.153.47 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; ZAM; PPC Mac OS X; en-US) AppleWebKit/387.2 >(KHTML, like Geco, Safari) OmniWeb/v456.02ve=C: > >Host: 62.2.177.250 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; LMZ; PPC Mac OS X; en-US) AppleWebKit/206.1 >(KHTML, like Geco, Safari) OmniWeb/v204.07es > >Host: 200.115.226.143 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; EDE; PPC Mac OS X; en-US) AppleWebKit/647.0 >(KHTML, like Geco, Safari) OmniWeb/v760.47emDrive=C:\x81 > >Host: 84.171.125.189 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; QHA; PPC Mac OS X; en-US) AppleWebKit/778.0 >(KHTML, like Geco, Safari) OmniWeb/v456.03=C: > >Host: 83.242.79.70 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; GFS; PPC Mac OS X; en-US) AppleWebKit/537.0 >(KHTML, like Geco, Safari) OmniWeb/v313.01rive=C: > >Host: 86.69.194.172 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; ZCV; PPC Mac OS X; en-US) AppleWebKit/468.2 >(KHTML, like Geco, Safari) OmniWeb/v026.14stemDrive=\x81 > >Host: 196.203.176.26 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; BXT; PPC Mac OS X; en-US) AppleWebKit/840.3 >(KHTML, like Geco, Safari) OmniWeb/v767.50s > >Host: 201.41.241.190 /signUp.php?ref=1945777 > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 (Macintosh; TYZ; PPC Mac OS X; en-US) AppleWebKit/742.0 >(KHTML, like Geco, Safari) OmniWeb/v715.65C: > >Host: 200.84.144.234 /signUp.php?ref=ec0lag > Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in >Bytes: - > Referer: - > Agent: Mozilla/5.0 >[/CODE] > >We are currently blocking this user through our Apache. > >.htaccess >[CODE] >RewriteEngine On >RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Macintosh;\ (.+)\ PPC\ Mac\ >OS\ X;\ en-US\)\ AppleWebKit/(.+)\ \(KHTML,\ like\ Geco,\ Safari\)\ >OmniWeb/v([0-9]+).([0-9]+)(.+)$ >RewriteRule .* - [F] >[/CODE] > >That works fine and is giving the user a 403 (Forbidden), but the problem is >that half of our Apache processes are from this user. > >Is there a way to block his user agent before he gets to Apache? Sometimes >this brings our server to a crash. > >Thanks >Andrew > > - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@... More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |
|
|
Re: Server Attack
by Andrew Rosolino
::
Rate this Message:
This does not spit anything out.
I have changed it to this. tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET /signUp.php?ref=ec0lag'|cut '-d ' -f 1|xargs /sbin/iptables -A INPUT -p tcp -j DROP -s When I run this tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET /signUp.php?ref=ec0lag'|cut '-d ' -f 1 it lists the IPs fine.. when I run tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET /signUp.php?ref=ec0lag'|cut '-d ' -f 1|xargs /sbin/iptables -A INPUT -p tcp -j DROP -s It doesnt spit out anything, how do I kno its working.
|
|
|
Re: Server Attack
by Andrew Rosolino
::
Rate this Message:
This works!!
tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET /signUp.php?ref=ec0lag'|cut '-d ' -f 1|xargs -i /sbin/iptables -v -A INPUT -p tcp -j DROP -s {} Thanks man I fully understand this query now. You helped me understand this linux. I just looked up these commands and went along.
|
|
|
[OT] Re: Server Attack
by Willy Tarreau-3
::
Rate this Message:
On Sun, Aug 27, 2006 at 09:38:44PM -0700, altendew wrote:
> > This works!! > > tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET > /signUp.php?ref=ec0lag'|cut '-d ' -f 1|xargs -i /sbin/iptables -v -A INPUT > -p tcp -j DROP -s {} > > Thanks man I fully understand this query now. You helped me understand this > linux. I just looked up these commands and went along. If this '/signUp.php' request is invalid for your site, you might also want to use the string match from iptables to block it before it reaches your server (in combination with very short request timeouts). You should probably add the complementary rule in your OUTPUT string, matching the attacker with -d $ip and send them to the REJECT target to ensure that your apache server will have all its connections cleanly closed. Otherwise you may end up with hundreds/thousands of FIN_WAIT sockets monopolizing processes. Shortening request timeouts and disabling keepalive will help a lot too. I can also give you some tricks off-list for a more complex setup if you want. Good luck, Willy > altendew wrote: > > > > This does not spit anything out. > > > > I have changed it to this. > > > > tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET > > /signUp.php?ref=ec0lag'|cut '-d ' -f 1|xargs /sbin/iptables -A INPUT -p > > tcp -j DROP -s > > > > When I run this > > > > tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET > > /signUp.php?ref=ec0lag'|cut '-d ' -f 1 > > > > it lists the IPs fine.. when I run > > > > tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET > > /signUp.php?ref=ec0lag'|cut '-d ' -f 1|xargs /sbin/iptables -A INPUT -p > > tcp -j DROP -s > > > > It doesnt spit out anything, how do I kno its working. > > > > Chris Largret wrote: > >> > >> > >> I'm going to go ahead and top-post on this (sorry). There has to be a > >> limited number of computers these requests are coming from since the > >> requests are coming over TCP. I'd write a quick script to grab the ip > >> addresses and block them at the firewall level. Maybe something like > >> this: > >> > >> tail -f /var/log/apache/access_log|grep AppleWebKit|cut '-d ' -f 1|xargs > >> /sbin/iptables -A INPUT -p tcp -j DROP -s > >> > >> I haven't tested it (don't have a problem on my current server), but it > >> _should_ follow the Apache requests, grab the IP addresses of users with > >> a UserAgent of AppleWebKit and drop all TCP packets from the IP address > >> until you reset your firewall. > >> > >> ~ Chris Largret > >> > >> > >> On Sun, 27 Aug 2006 14:58:37 -0700 (PDT) > >> altendew <andrew@...> wrote: > >> > >>> > >>> Hi someone is currently sending requests to our server 20x a second. > >>> > >>> Here is what one of the logs look like. > >>> > >>> [CODE] > >>> Host: 84.77.19.46 /signUp.php?ref=1945777 > >>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; MTQ; PPC Mac OS X; en-US) > >>> AppleWebKit/578.4 > >>> (KHTML, like Geco, Safari) OmniWeb/v643.68e=C: > >>> > >>> Host: 82.234.98.65 /signUp.php?ref=ec0lag > >>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; CDB; PPC Mac OS X; en-US) > >>> AppleWebKit/126.0 > >>> (KHTML, like Geco, Safari) OmniWeb/v554.35 > >>> > >>> Host: 84.94.31.161 /signUp.php?ref=ec0lag > >>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; TLD; PPC Mac OS X; en-US) > >>> AppleWebKit/502.6 > >>> (KHTML, like Geco, Safari) OmniWeb/v401.63ive=C: > >>> > >>> Host: 81.49.24.92 /signUp.php?ref=1945777 > >>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; SZS; PPC Mac OS X; en-US) > >>> AppleWebKit/230.1 > >>> (KHTML, like Geco, Safari) OmniWeb/v710.56ive=C: > >>> > >>> Host: 80.129.248.17 /signUp.php?ref=1945777 > >>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; OST; PPC Mac OS X; en-US) > >>> AppleWebKit/243.6 > >>> (KHTML, like Geco, Safari) OmniWeb/v846.88 > >>> > >>> Host: 87.235.49.194 /signUp.php?ref=ec0lag > >>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.1 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; SDD; PPC Mac OS X; en-US) > >>> AppleWebKit/430.1 > >>> (KHTML, like Geco, Safari) OmniWeb/v145.34 > >>> > >>> Host: 125.129.12.61 /signUp.php?ref=1945777 > >>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; WCG; PPC Mac OS X; en-US) > >>> AppleWebKit/455.3 > >>> (KHTML, like Geco, Safari) OmniWeb/v042.84stemDrive=\x81 > >>> > >>> Host: 66.110.153.47 /signUp.php?ref=ec0lag > >>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; ZAM; PPC Mac OS X; en-US) > >>> AppleWebKit/387.2 > >>> (KHTML, like Geco, Safari) OmniWeb/v456.02ve=C: > >>> > >>> Host: 62.2.177.250 /signUp.php?ref=ec0lag > >>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; LMZ; PPC Mac OS X; en-US) > >>> AppleWebKit/206.1 > >>> (KHTML, like Geco, Safari) OmniWeb/v204.07es > >>> > >>> Host: 200.115.226.143 /signUp.php?ref=1945777 > >>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; EDE; PPC Mac OS X; en-US) > >>> AppleWebKit/647.0 > >>> (KHTML, like Geco, Safari) OmniWeb/v760.47emDrive=C:\x81 > >>> > >>> Host: 84.171.125.189 /signUp.php?ref=1945777 > >>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; QHA; PPC Mac OS X; en-US) > >>> AppleWebKit/778.0 > >>> (KHTML, like Geco, Safari) OmniWeb/v456.03=C: > >>> > >>> Host: 83.242.79.70 /signUp.php?ref=1945777 > >>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; GFS; PPC Mac OS X; en-US) > >>> AppleWebKit/537.0 > >>> (KHTML, like Geco, Safari) OmniWeb/v313.01rive=C: > >>> > >>> Host: 86.69.194.172 /signUp.php?ref=ec0lag > >>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; ZCV; PPC Mac OS X; en-US) > >>> AppleWebKit/468.2 > >>> (KHTML, like Geco, Safari) OmniWeb/v026.14stemDrive=\x81 > >>> > >>> Host: 196.203.176.26 /signUp.php?ref=ec0lag > >>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; BXT; PPC Mac OS X; en-US) > >>> AppleWebKit/840.3 > >>> (KHTML, like Geco, Safari) OmniWeb/v767.50s > >>> > >>> Host: 201.41.241.190 /signUp.php?ref=1945777 > >>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 (Macintosh; TYZ; PPC Mac OS X; en-US) > >>> AppleWebKit/742.0 > >>> (KHTML, like Geco, Safari) OmniWeb/v715.65C: > >>> > >>> Host: 200.84.144.234 /signUp.php?ref=ec0lag > >>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in > >>> Bytes: - > >>> Referer: - > >>> Agent: Mozilla/5.0 > >>> [/CODE] > >>> > >>> We are currently blocking this user through our Apache. > >>> > >>> .htaccess > >>> [CODE] > >>> RewriteEngine On > >>> RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Macintosh;\ (.+)\ PPC\ > >>> Mac\ > >>> OS\ X;\ en-US\)\ AppleWebKit/(.+)\ \(KHTML,\ like\ Geco,\ Safari\)\ > >>> OmniWeb/v([0-9]+).([0-9]+)(.+)$ > >>> RewriteRule .* - [F] > >>> [/CODE] > >>> > >>> That works fine and is giving the user a 403 (Forbidden), but the > >>> problem is > >>> that half of our Apache processes are from this user. > >>> > >>> Is there a way to block his user agent before he gets to Apache? > >>> Sometimes > >>> this brings our server to a crash. > >>> > >>> Thanks > >>> Andrew > >>> -- > >>> View this message in context: > >>> http://www.nabble.com/Server-Attack-tf2174025.html#a6011508 > >>> Sent from the linux-kernel forum at Nabble.com. > >>> > >>> - > >>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" > >>> in > >>> the body of a message to majordomo@... > >>> More majordomo info at http://vger.kernel.org/majordomo-info.html > >>> Please read the FAQ at http://www.tux.org/lkml/ > >> > >> > >> -- > >> Chris Largret <http://www.largret.com> > >> - > >> To unsubscribe from this list: send the line "unsubscribe linux-kernel" > >> in > >> the body of a message to majordomo@... > >> More majordomo info at http://vger.kernel.org/majordomo-info.html > >> Please read the FAQ at http://www.tux.org/lkml/ > >> > >> > > > > > > -- > View this message in context: http://www.nabble.com/Server-Attack-tf2174025.html#a6014456 > Sent from the linux-kernel forum at Nabble.com. > > - > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@... > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@... More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |
|
|
Re: [OT] Re: Server Attack
by Andrew Rosolino
::
Rate this Message:
To be quite honest in the end this will keep adding IPs. This russian guy who is DDOS me is sending 40 requests per second. The problem is all the IPs are different and I dont feel safe rejected all the IPs. I looked up the IPs on an IPWhois and most of the same they are a "Autonomous System" wtf is that?
This guy sends two different types of HTTP requests: /signUp.php?ref=ec0lag /signUp.php?ref=1945777 Hey man any help would be great.
|
|
|
Re: [OT] Re: Server Attack
by Willy Tarreau-3
::
Rate this Message:
On Sun, Aug 27, 2006 at 10:05:52PM -0700, altendew wrote:
> > To be quite honest in the end this will keep adding IPs. This russian guy who > is DDOS me is sending 40 requests per second. The problem is all the IPs are > different and I dont feel safe rejected all the IPs. I looked up the IPs on > an IPWhois and most of the same they are a "Autonomous System" wtf is that? > > This guy sends two different types of HTTP requests: > /signUp.php?ref=ec0lag > /signUp.php?ref=1945777 > > Hey man any help would be great. OK, I'll contact you off-list. First it's off-topic here, and second your attacker doesn't need to know the workarounds ! Cheers, Willy - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@... More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |
|
|
Re: [OT] Re: Server Attack
by Bernd Petrovitsch
::
Rate this Message:
On Sun, 2006-08-27 at 22:05 -0700, altendew wrote:
> To be quite honest in the end this will keep adding IPs. This russian guy who Yup, that the intention if you you want to block these attacks. > is DDOS me is sending 40 requests per second. The problem is all the IPs are > different and I dont feel safe rejected all the IPs. I looked up the IPs on > an IPWhois and most of the same they are a "Autonomous System" wtf is that? I don't understand the last line: Do you mean that all of the IP addresses are from the the same AS? Then you have only to deide if you want to block the AS. As for what an AS is: http://en.wikipedia.org/wiki/Autonomous_system_(Internet) http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci213662,00.html [ Fullquote deleted ] Bernd -- Firmix Software GmbH http://www.firmix.at/ mobil: +43 664 4416156 fax: +43 1 7890849-55 Embedded Linux Development and Services - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@... More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |
|
|
Re: Server Attack
by Jiri Slaby
::
Rate this Message:
Jeffrey V. Merkey wrote:
> altendew wrote: > >> Hi someone is currently sending requests to our server 20x a second. >> >> Here is what one of the logs look like. >> >> [CODE] >> Host: 84.77.19.46 /signUp.php?ref=1945777 Http Code: 403 Date: >> Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; MTQ; PPC Mac OS >> X; en-US) AppleWebKit/578.4 >> (KHTML, like Geco, Safari) OmniWeb/v643.68e=C: >> Host: 82.234.98.65 /signUp.php?ref=ec0lag Http Code: 403 Date: >> Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; CDB; PPC Mac OS >> X; en-US) AppleWebKit/126.0 >> (KHTML, like Geco, Safari) OmniWeb/v554.35 >> Host: 84.94.31.161 /signUp.php?ref=ec0lag Http Code: 403 Date: >> Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; TLD; PPC Mac OS >> X; en-US) AppleWebKit/502.6 >> (KHTML, like Geco, Safari) OmniWeb/v401.63ive=C: >> Host: 81.49.24.92 /signUp.php?ref=1945777 Http Code: 403 Date: >> Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; SZS; PPC Mac OS >> X; en-US) AppleWebKit/230.1 >> (KHTML, like Geco, Safari) OmniWeb/v710.56ive=C: >> Host: 80.129.248.17 /signUp.php?ref=1945777 Http Code: 403 Date: >> Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; OST; PPC Mac OS >> X; en-US) AppleWebKit/243.6 >> (KHTML, like Geco, Safari) OmniWeb/v846.88 >> Host: 87.235.49.194 /signUp.php?ref=ec0lag Http Code: 403 Date: >> Aug 27 17:44:38 Http Version: HTTP/1.1 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; SDD; PPC Mac OS >> X; en-US) AppleWebKit/430.1 >> (KHTML, like Geco, Safari) OmniWeb/v145.34 >> Host: 125.129.12.61 /signUp.php?ref=1945777 Http Code: 403 Date: >> Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; WCG; PPC Mac OS >> X; en-US) AppleWebKit/455.3 >> (KHTML, like Geco, Safari) OmniWeb/v042.84stemDrive=\x81 >> Host: 66.110.153.47 /signUp.php?ref=ec0lag Http Code: 403 Date: >> Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; ZAM; PPC Mac OS >> X; en-US) AppleWebKit/387.2 >> (KHTML, like Geco, Safari) OmniWeb/v456.02ve=C: >> Host: 62.2.177.250 /signUp.php?ref=ec0lag Http Code: 403 Date: >> Aug 27 17:44:38 Http Version: HTTP/1.0 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; LMZ; PPC Mac OS >> X; en-US) AppleWebKit/206.1 >> (KHTML, like Geco, Safari) OmniWeb/v204.07es >> Host: 200.115.226.143 /signUp.php?ref=1945777 Http Code: 403 >> Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; EDE; PPC Mac OS >> X; en-US) AppleWebKit/647.0 >> (KHTML, like Geco, Safari) OmniWeb/v760.47emDrive=C:\x81 >> Host: 84.171.125.189 /signUp.php?ref=1945777 Http Code: 403 Date: >> Aug 27 17:44:37 Http Version: HTTP/1.0 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; QHA; PPC Mac OS >> X; en-US) AppleWebKit/778.0 >> (KHTML, like Geco, Safari) OmniWeb/v456.03=C: >> Host: 83.242.79.70 /signUp.php?ref=1945777 Http Code: 403 Date: >> Aug 27 17:44:37 Http Version: HTTP/1.0 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; GFS; PPC Mac OS >> X; en-US) AppleWebKit/537.0 >> (KHTML, like Geco, Safari) OmniWeb/v313.01rive=C: >> Host: 86.69.194.172 /signUp.php?ref=ec0lag Http Code: 403 Date: >> Aug 27 17:44:37 Http Version: HTTP/1.0 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; ZCV; PPC Mac OS >> X; en-US) AppleWebKit/468.2 >> (KHTML, like Geco, Safari) OmniWeb/v026.14stemDrive=\x81 >> Host: 196.203.176.26 /signUp.php?ref=ec0lag Http Code: 403 Date: >> Aug 27 17:44:37 Http Version: HTTP/1.1 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; BXT; PPC Mac OS >> X; en-US) AppleWebKit/840.3 >> (KHTML, like Geco, Safari) OmniWeb/v767.50s >> Host: 201.41.241.190 /signUp.php?ref=1945777 Http Code: 403 Date: >> Aug 27 17:44:37 Http Version: HTTP/1.0 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 (Macintosh; TYZ; PPC Mac OS >> X; en-US) AppleWebKit/742.0 >> (KHTML, like Geco, Safari) OmniWeb/v715.65C: >> Host: 200.84.144.234 /signUp.php?ref=ec0lag Http Code: 403 Date: >> Aug 27 17:44:37 Http Version: HTTP/1.1 Size in >> Bytes: - Referer: - Agent: Mozilla/5.0 [/CODE] >> >> We are currently blocking this user through our Apache. >> >> .htaccess >> [CODE] >> RewriteEngine On RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ >> \(Macintosh;\ (.+)\ PPC\ Mac\ >> OS\ X;\ en-US\)\ AppleWebKit/(.+)\ \(KHTML,\ like\ Geco,\ Safari\)\ >> OmniWeb/v([0-9]+).([0-9]+)(.+)$ >> RewriteRule .* - [F] >> [/CODE] >> >> That works fine and is giving the user a 403 (Forbidden), but the >> problem is >> that half of our Apache processes are from this user. >> >> Is there a way to block his user agent before he gets to Apache? >> Sometimes >> this brings our server to a crash. >> >> Thanks >> Andrew >> >> > iptables -J drop <ip address> Too slow, iptables' rules are (or was, at least) traversed sequentially. Better is routing table with blackhole-rule used for these IPs. Problem is, that IPs are variable, but use of some scripting solves this... regards, -- http://www.fi.muni.cz/~xslaby/ Jiri Slaby faculty of informatics, masaryk university, brno, cz e-mail: jirislaby gmail com, gpg pubkey fingerprint: B674 9967 0407 CE62 ACC8 22A0 32CC 55C3 39D4 7A7E - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@... More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |
| Free embeddable forum powered by Nabble | Forum Help |
