From: "Jeffrey V. Merkey" <jmerkey@wolfmountaingroup.com>
To: altendew <andrew@shiftcode.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Server Attack
Date: Sun, 27 Aug 2006 20:49:43 -0600
Message-ID: <44F259C7.5090505@wolfmountaingroup.com>
In-Reply-To: <6011508.post@talk.nabble.com>
altendew wrote:
>Hi someone is currently sending requests to our server 20x a second.
>
>Here is what one of the logs look like.
>
>[CODE]
>Host: 84.77.19.46 /signUp.php?ref=1945777
> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; MTQ; PPC Mac OS X; en-US) AppleWebKit/578.4
>(KHTML, like Geco, Safari) OmniWeb/v643.68e=C:
>
>Host: 82.234.98.65 /signUp.php?ref=ec0lag
> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; CDB; PPC Mac OS X; en-US) AppleWebKit/126.0
>(KHTML, like Geco, Safari) OmniWeb/v554.35
>
>Host: 84.94.31.161 /signUp.php?ref=ec0lag
> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; TLD; PPC Mac OS X; en-US) AppleWebKit/502.6
>(KHTML, like Geco, Safari) OmniWeb/v401.63ive=C:
>
>Host: 81.49.24.92 /signUp.php?ref=1945777
> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; SZS; PPC Mac OS X; en-US) AppleWebKit/230.1
>(KHTML, like Geco, Safari) OmniWeb/v710.56ive=C:
>
>Host: 80.129.248.17 /signUp.php?ref=1945777
> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; OST; PPC Mac OS X; en-US) AppleWebKit/243.6
>(KHTML, like Geco, Safari) OmniWeb/v846.88
>
>Host: 87.235.49.194 /signUp.php?ref=ec0lag
> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.1 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; SDD; PPC Mac OS X; en-US) AppleWebKit/430.1
>(KHTML, like Geco, Safari) OmniWeb/v145.34
>
>Host: 125.129.12.61 /signUp.php?ref=1945777
> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; WCG; PPC Mac OS X; en-US) AppleWebKit/455.3
>(KHTML, like Geco, Safari) OmniWeb/v042.84stemDrive=\x81
>
>Host: 66.110.153.47 /signUp.php?ref=ec0lag
> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; ZAM; PPC Mac OS X; en-US) AppleWebKit/387.2
>(KHTML, like Geco, Safari) OmniWeb/v456.02ve=C:
>
>Host: 62.2.177.250 /signUp.php?ref=ec0lag
> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; LMZ; PPC Mac OS X; en-US) AppleWebKit/206.1
>(KHTML, like Geco, Safari) OmniWeb/v204.07es
>
>Host: 200.115.226.143 /signUp.php?ref=1945777
> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; EDE; PPC Mac OS X; en-US) AppleWebKit/647.0
>(KHTML, like Geco, Safari) OmniWeb/v760.47emDrive=C:\x81
>
>Host: 84.171.125.189 /signUp.php?ref=1945777
> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; QHA; PPC Mac OS X; en-US) AppleWebKit/778.0
>(KHTML, like Geco, Safari) OmniWeb/v456.03=C:
>
>Host: 83.242.79.70 /signUp.php?ref=1945777
> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; GFS; PPC Mac OS X; en-US) AppleWebKit/537.0
>(KHTML, like Geco, Safari) OmniWeb/v313.01rive=C:
>
>Host: 86.69.194.172 /signUp.php?ref=ec0lag
> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; ZCV; PPC Mac OS X; en-US) AppleWebKit/468.2
>(KHTML, like Geco, Safari) OmniWeb/v026.14stemDrive=\x81
>
>Host: 196.203.176.26 /signUp.php?ref=ec0lag
> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; BXT; PPC Mac OS X; en-US) AppleWebKit/840.3
>(KHTML, like Geco, Safari) OmniWeb/v767.50s
>
>Host: 201.41.241.190 /signUp.php?ref=1945777
> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0 (Macintosh; TYZ; PPC Mac OS X; en-US) AppleWebKit/742.0
>(KHTML, like Geco, Safari) OmniWeb/v715.65C:
>
>Host: 200.84.144.234 /signUp.php?ref=ec0lag
> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in
>Bytes: -
> Referer: -
> Agent: Mozilla/5.0
>[/CODE]
>
>We are currently blocking this user through our Apache.
>
>.htaccess
>[CODE]
>RewriteEngine On
>RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Macintosh;\ (.+)\ PPC\ Mac\
>OS\ X;\ en-US\)\ AppleWebKit/(.+)\ \(KHTML,\ like\ Geco,\ Safari\)\
>OmniWeb/v([0-9]+).([0-9]+)(.+)$
>RewriteRule .* - [F]
>[/CODE]
>
>That works fine and is giving the user a 403 (Forbidden), but the problem is
>that half of our Apache processes are from this user.
>
>Is there a way to block his user agent before he gets to Apache? Sometimes
>this brings our server to a crash.
>
>Thanks
>Andrew
>
>
iptables -A INPUT -s <ip address> -j DROP
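As an added example, not code from the thread: a POSIX shell script that applies the iptables suggestion systematically, parsing the log format Andrew quoted for sources whose Agent line carries the same user-agent signature his RewriteCond matched, and emitting one DROP rule per distinct IP so the flood is discarded in the kernel before Apache forks a process for it. The sample log is constructed in the posted layout; the chain, port and rule position are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the log layout
# shown in the post: a "Host: <ip> <path>" line followed by an " Agent:"
# line, records separated by blank lines.

# Constructed sample in the posted format: two bot sources, one normal client.
SAMPLE_LOG='Host: 192.0.2.10 /signUp.php?ref=1945777
 Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in Bytes: -
 Referer: -
 Agent: Mozilla/5.0 (Macintosh; MTQ; PPC Mac OS X; en-US) AppleWebKit/578.4 (KHTML, like Geco, Safari) OmniWeb/v643.68

Host: 198.51.100.7 /index.php
 Http Code: 200 Date: Aug 27 17:44:38 Http Version: HTTP/1.1 Size in Bytes: 512
 Referer: -
 Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20060101 Firefox/1.5

Host: 192.0.2.10 /signUp.php?ref=ec0lag
 Http Code: 403 Date: Aug 27 17:44:39 Http Version: HTTP/1.0 Size in Bytes: -
 Referer: -
 Agent: Mozilla/5.0 (Macintosh; CDB; PPC Mac OS X; en-US) AppleWebKit/126.0 (KHTML, like Geco, Safari) OmniWeb/v554.35

Host: 203.0.113.5 /signUp.php?ref=1945777
 Http Code: 403 Date: Aug 27 17:44:39 Http Version: HTTP/1.0 Size in Bytes: -
 Referer: -
 Agent: Mozilla/5.0 (Macintosh; ZAM; PPC Mac OS X; en-US) AppleWebKit/387.2 (KHTML, like Geco, Safari) OmniWeb/v456.02'

# Read the log on stdin; print each distinct source IP whose Agent line
# matches the bot signature ("like Geco" spelling exactly as logged).
bot_ips() {
    awk '
        /^Host: / { ip = $2 }   # remember the IP of the current record
        /^ *Agent: / && /AppleWebKit\/[0-9.]+ \(KHTML, like Geco, Safari\) OmniWeb\/v[0-9]+\.[0-9]+/ {
            if (!(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# Emit one DROP rule per bot IP (assumed: INPUT chain, TCP port 80, inserted
# at the top so it wins over accept rules). Review, then pipe into sh as root.
drop_rules() {
    bot_ips | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$ip"
    done
}

printf '%s\n' "$SAMPLE_LOG" | drop_rules
```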