public inbox for linux-kernel@vger.kernel.org
From: Jiri Slaby <jirislaby@gmail.com>
To: "Jeffrey V. Merkey" <jmerkey@wolfmountaingroup.com>
Cc: altendew <andrew@shiftcode.com>, linux-kernel@vger.kernel.org
Subject: Re: Server Attack
Date: Mon, 28 Aug 2006 12:54:33 +0159
Message-ID: <44F2CB80.1090902@gmail.com>
In-Reply-To: <44F259C7.5090505@wolfmountaingroup.com>

Jeffrey V. Merkey wrote:
> altendew wrote:
> 
>> Hi someone is currently sending requests to our server 20x a second.
>>
>> Here is what one of the logs look like.
>>
>> [CODE]
>> Host: 84.77.19.46   /signUp.php?ref=1945777   Http Code: 403  Date: 
>> Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; MTQ; PPC Mac OS 
>> X; en-US) AppleWebKit/578.4
>> (KHTML, like Geco, Safari) OmniWeb/v643.68e=C: 
>> Host: 82.234.98.65   /signUp.php?ref=ec0lag   Http Code: 403  Date: 
>> Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; CDB; PPC Mac OS 
>> X; en-US) AppleWebKit/126.0
>> (KHTML, like Geco, Safari) OmniWeb/v554.35 
>> Host: 84.94.31.161   /signUp.php?ref=ec0lag   Http Code: 403  Date: 
>> Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; TLD; PPC Mac OS 
>> X; en-US) AppleWebKit/502.6
>> (KHTML, like Geco, Safari) OmniWeb/v401.63ive=C: 
>> Host: 81.49.24.92   /signUp.php?ref=1945777   Http Code: 403  Date: 
>> Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; SZS; PPC Mac OS 
>> X; en-US) AppleWebKit/230.1
>> (KHTML, like Geco, Safari) OmniWeb/v710.56ive=C: 
>> Host: 80.129.248.17   /signUp.php?ref=1945777   Http Code: 403  Date: 
>> Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; OST; PPC Mac OS 
>> X; en-US) AppleWebKit/243.6
>> (KHTML, like Geco, Safari) OmniWeb/v846.88 
>> Host: 87.235.49.194   /signUp.php?ref=ec0lag   Http Code: 403  Date: 
>> Aug 27 17:44:38  Http Version: HTTP/1.1  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; SDD; PPC Mac OS 
>> X; en-US) AppleWebKit/430.1
>> (KHTML, like Geco, Safari) OmniWeb/v145.34 
>> Host: 125.129.12.61   /signUp.php?ref=1945777   Http Code: 403  Date: 
>> Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; WCG; PPC Mac OS 
>> X; en-US) AppleWebKit/455.3
>> (KHTML, like Geco, Safari) OmniWeb/v042.84stemDrive=\x81 
>> Host: 66.110.153.47   /signUp.php?ref=ec0lag   Http Code: 403  Date: 
>> Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; ZAM; PPC Mac OS 
>> X; en-US) AppleWebKit/387.2
>> (KHTML, like Geco, Safari) OmniWeb/v456.02ve=C: 
>> Host: 62.2.177.250   /signUp.php?ref=ec0lag   Http Code: 403  Date: 
>> Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; LMZ; PPC Mac OS 
>> X; en-US) AppleWebKit/206.1
>> (KHTML, like Geco, Safari) OmniWeb/v204.07es 
>> Host: 200.115.226.143   /signUp.php?ref=1945777   Http Code: 403  
>> Date: Aug 27 17:44:37  Http Version: HTTP/1.1  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; EDE; PPC Mac OS 
>> X; en-US) AppleWebKit/647.0
>> (KHTML, like Geco, Safari) OmniWeb/v760.47emDrive=C:\x81 
>> Host: 84.171.125.189   /signUp.php?ref=1945777   Http Code: 403  Date: 
>> Aug 27 17:44:37  Http Version: HTTP/1.0  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; QHA; PPC Mac OS 
>> X; en-US) AppleWebKit/778.0
>> (KHTML, like Geco, Safari) OmniWeb/v456.03=C: 
>> Host: 83.242.79.70   /signUp.php?ref=1945777   Http Code: 403  Date: 
>> Aug 27 17:44:37  Http Version: HTTP/1.0  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; GFS; PPC Mac OS 
>> X; en-US) AppleWebKit/537.0
>> (KHTML, like Geco, Safari) OmniWeb/v313.01rive=C: 
>> Host: 86.69.194.172   /signUp.php?ref=ec0lag   Http Code: 403  Date: 
>> Aug 27 17:44:37  Http Version: HTTP/1.0  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; ZCV; PPC Mac OS 
>> X; en-US) AppleWebKit/468.2
>> (KHTML, like Geco, Safari) OmniWeb/v026.14stemDrive=\x81 
>> Host: 196.203.176.26   /signUp.php?ref=ec0lag   Http Code: 403  Date: 
>> Aug 27 17:44:37  Http Version: HTTP/1.1  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; BXT; PPC Mac OS 
>> X; en-US) AppleWebKit/840.3
>> (KHTML, like Geco, Safari) OmniWeb/v767.50s 
>> Host: 201.41.241.190   /signUp.php?ref=1945777   Http Code: 403  Date: 
>> Aug 27 17:44:37  Http Version: HTTP/1.0  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; TYZ; PPC Mac OS 
>> X; en-US) AppleWebKit/742.0
>> (KHTML, like Geco, Safari) OmniWeb/v715.65C: 
>> Host: 200.84.144.234   /signUp.php?ref=ec0lag   Http Code: 403  Date: 
>> Aug 27 17:44:37  Http Version: HTTP/1.1  Size in
>> Bytes: -   Referer: -   Agent: Mozilla/5.0  [/CODE]
>>
>> We are currently blocking this user through our Apache.
>>
>> .htaccess
>> [CODE]
>> RewriteEngine On
>> RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Macintosh;\ (.+)\ PPC\ Mac\ OS\ X;\ en-US\)\ AppleWebKit/(.+)\ \(KHTML,\ like\ Geco,\ Safari\)\ OmniWeb/v([0-9]+)\.([0-9]+)(.+)$
>> RewriteRule .* - [F]
>> [/CODE]
>>
>> That works fine and is giving the user a 403 (Forbidden), but the 
>> problem is that half of our Apache processes are from this user.
>>
>> Is there a way to block his user agent before he gets to Apache? 
>> Sometimes this brings our server to a crash.
>>
>> Thanks
>> Andrew
>>  
>>
> iptables -A INPUT -s <ip address> -j DROP

Too slow; iptables rules are (or were, at least) traversed sequentially. Better 
is a routing table with a blackhole rule for these IPs.

The problem is that the IPs are variable, but some scripting solves this...

regards,
-- 
http://www.fi.muni.cz/~xslaby/            Jiri Slaby
faculty of informatics, masaryk university, brno, cz
e-mail: jirislaby gmail com, gpg pubkey fingerprint:
B674 9967 0407 CE62 ACC8  22A0 32CC 55C3 39D4 7A7E
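
As an added example (not code from the thread or from any of its participants), the following POSIX shell script automates the routing-table approach Jiri Slaby suggests, driven by the log format altendew posted. The attacker's fingerprint is the forged user agent, the same "like Geco" / "OmniWeb/v" tail that the .htaccess rule keys on, so the script keys on that rather than on source addresses, which change with every request. The sample log lines are constructed to match the quoted format (one repeated address and one benign Firefox line from a made-up 10.0.0.5 are added to show de-duplication and the filter ignoring normal traffic); the function names offender_ips, blackhole_cmd and generate_blackholes are chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread. It turns Apache log lines that
# carry the forged OmniWeb user agent into blackhole routes, so the kernel
# refuses the connection before an Apache process is ever spawned for it.
# Route commands are printed rather than executed so the script can be
# reviewed (and run) without root; pipe the output to sh to apply it.

# Constructed sample in the same layout as the quoted log, one request per line.
SAMPLE_LOG='Host: 84.77.19.46   /signUp.php?ref=1945777   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; MTQ; PPC Mac OS X; en-US) AppleWebKit/578.4 (KHTML, like Geco, Safari) OmniWeb/v643.68e=C:
Host: 82.234.98.65   /signUp.php?ref=ec0lag   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; CDB; PPC Mac OS X; en-US) AppleWebKit/126.0 (KHTML, like Geco, Safari) OmniWeb/v554.35
Host: 84.77.19.46   /signUp.php?ref=ec0lag   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in Bytes: -   Referer: -   Agent: Mozilla/5.0 (Macintosh; TLD; PPC Mac OS X; en-US) AppleWebKit/502.6 (KHTML, like Geco, Safari) OmniWeb/v401.63ive=C:
Host: 10.0.0.5   /index.php   Http Code: 200  Date: Aug 27 17:44:38  Http Version: HTTP/1.1  Size in Bytes: 2048   Referer: -   Agent: Mozilla/5.0 (X11; Linux i686; rv:1.8) Gecko/20060808 Firefox/1.5'

# offender_ips: read log lines on stdin and print each distinct source address
# whose user agent matches the forged fingerprint (misspelled "Geco" plus an
# "OmniWeb/vNNN.NN" tail), in first-seen order. Real Gecko browsers do not match.
offender_ips() {
    awk '
        /\(KHTML, like Geco, Safari\) OmniWeb\/v[0-9]+\.[0-9]+/ && $1 == "Host:" {
            if (!seen[$2]++) print $2
        }'
}

# blackhole_cmd: the iproute2 command that drops all traffic to/from one address.
# "replace" rather than "add" keeps the script idempotent when an address recurs.
blackhole_cmd() {
    printf 'ip route replace blackhole %s/32\n' "$1"
}

# generate_blackholes: full pipeline from log text on stdin to route commands.
generate_blackholes() {
    offender_ips | while IFS= read -r ip; do
        blackhole_cmd "$ip"
    done
}

# Stand-alone run over the constructed sample. On a live box, feed the access
# log instead, e.g.:  tail -F /var/log/apache2/access.log | generate_blackholes | sh
printf '%s\n' "$SAMPLE_LOG" | generate_blackholes
```

A blackhole route for a source address means the SYN-ACK has no route back (and, with rp_filter enabled, the SYN itself is dropped on ingress), so the handshake never completes and no Apache child is tied up; route lookup cost does not grow with the number of entries the way a long sequential iptables chain does. Two caveats a practitioner would want: the routes block every service for that address, not only HTTP, and nothing expires them, so pair this with a cron job that runs `ip route del blackhole <addr>/32` for entries older than some window, and do not run it against the log of a box that sits behind a proxy, where every request would carry the proxy's address.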

Thread overview: 11+ messages
2006-08-27 21:58 Server Attack altendew
2006-08-28  0:11 ` Chris Largret
2006-08-28  3:58   ` altendew
2006-08-28  4:38     ` altendew
2006-08-28  4:39       ` [OT] " Willy Tarreau
2006-08-28  5:05         ` altendew
2006-08-28  5:40           ` Willy Tarreau
2006-08-28  9:51           ` Bernd Petrovitsch
2006-08-28  0:14 ` altendew
2006-08-28  2:49 ` Jeffrey V. Merkey
2006-08-28 10:55   ` Jiri Slaby [this message]
