Web Hosting Talk







View Full Version : Urgent! Help! My server is being attacked! Please help!


arrty
08-04-2001, 04:23 AM
Hi guys,
I would really appreciate it if someone helps me solve a mystery. I have a Cobalt Raq3 and have noticed that in the past one hour I have received 10 hits per second from this IP address 24.4.254.195. I don't know what this person is trying to do but he is visiting the same webpage (on my server) a thousand times and counting. Could you please tell me what to do about it and if it is a big danger.

Thanks in advance.

----------
added:
----------
This guy has been loading a webpage from my server for more than an hour now. Please help me block and secure my server from such attacks. I still have no clue as to why he is doing this and what he intends to do.

davidb
08-04-2001, 04:49 AM
I run free hosting, and some people put files on auto download (pirated software), and when I remove it, their program keeps on trying to download, about the same, 10 times a second. The only problem this causes, well a big one, is it can bring apache to a stand still. What you do, is not in apache but before, ie firewall or router, deny this client. Your logs will get big. If you deny him in apache, it has pretty much the same effect. So at the firewall or router deny him.

arrty
08-04-2001, 05:02 AM
I do not run free hosting or have any software for download. I think someone is trying to bring down the server intentionally. Could you please tell me how to block it from the server now, as I can't contact my dedicated server admin for a couple of hours.

davidb
08-04-2001, 05:06 AM
I know, I was using it as an example, just block him, everything will be better after that mainly because he's using the system resources, not your bandwidth.

arrty
08-04-2001, 05:14 AM
Could you please tell me the exact commands on how to block it.

I have put a trouble ticket with cobaltracks to block the IP but they will not respond in at least 12 hours. Till then I need to block it myself.

davidb
08-04-2001, 05:15 AM
Do you have aim? I'm really not all that sure on what you're running, but I think I might be able to help you.

arrty
08-04-2001, 05:24 AM
I have ICQ and MSN.

I am running Cobalt Raq3 with Redhat 6.2 and apache 1.3

my icq is 7279267

The Prohacker
08-04-2001, 01:32 PM
If you're running IP Chains:
'ipchains -A input -s <ip> -j DENY'

Just put the IP of the attacker in the <ip> area...
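
Added example, not part of the original thread or any poster's code: a POSIX shell sketch that measures each client's peak requests per second in an Apache access log (common log format assumed) and prints the ipchains rule quoted above for clients at or over a threshold. The function names, the threshold of 10 and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Apache common log format:
#   ip - - [dd/Mon/yyyy:hh:mm:ss zone] "request" status bytes

# Constructed sample log: one client sends 12 requests in a single second.
sample_log() {
  i=0
  while [ "$i" -lt 12 ]; do
    echo '24.4.254.195 - - [04/Aug/2001:04:10:01 -0400] "GET /index.html HTTP/1.0" 200 5120'
    i=$((i + 1))
  done
  echo '24.4.254.195 - - [04/Aug/2001:04:10:02 -0400] "GET /index.html HTTP/1.0" 200 5120'
  echo '192.0.2.10 - - [04/Aug/2001:04:10:01 -0400] "GET /about.html HTTP/1.0" 200 2048'
  echo '192.0.2.10 - - [04/Aug/2001:04:10:02 -0400] "GET /logo.gif HTTP/1.0" 200 900'
}

# heavy_hitters LIMIT: read a log on stdin and print "ip peak_per_second total"
# for every client whose busiest second reached LIMIT requests.
heavy_hitters() {
  awk -v limit="$1" '
    {
      ip = $1
      ts = substr($4, 2)              # drop the leading "["
      total[ip]++
      n = ++persec[ip SUBSEP ts]      # requests from this client in this second
      if (n > peak[ip]) peak[ip] = n
    }
    END {
      for (ip in peak)
        if (peak[ip] >= limit) print ip, peak[ip], total[ip]
    }
  ' | sort
}

# suggest_rules LIMIT: print (do not run) the thread's ipchains rule per hit.
# Review each address first: a later reply notes this one is a shared proxy,
# so a DENY can also cut off other users behind it.
suggest_rules() {
  heavy_hitters "$1" | while read -r ip peak total; do
    echo "ipchains -A input -s $ip -j DENY  # peak $peak/s, $total requests"
  done
}

sample_log | suggest_rules 10
```

On a live server, feed the real access log to `heavy_hitters` on stdin in place of `sample_log`; the log path depends on the installation.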

arrty
08-04-2001, 02:16 PM
Thanks All,
You guys have been of great help. The problem is solved now and the requests stopped coming from this IP by itself. But the knowledge I have gained here will definitely help me the next time such a problem occurs.

MikeM
09-02-2001, 02:27 PM
Just a quick note, this looks like a proxy server, and not a single user:
Trying 24.4.254 at ARIN
@Home Network (NETBLK-ATHOME) ATHOME 24.0.0.0 - 24.23.255.255
@Home Network (NETBLK-HOME-PROXY-WEST-1) HOME-PROXY-WEST-1
24.4.254.0 - 24.4.255.255

Cephren
09-02-2001, 02:41 PM
Just block him on the router....................

You shouldn't even let people like that near any of your servers...
Heck, you don't want him returning in the future anyways... so block from the router.

remarkable
09-02-2001, 02:42 PM
Sounds like a code red attack.

You should contact your hosting provider and ask them to block that subnet.

arrty
09-02-2001, 02:59 PM
It's a Cobalt Raq3 running Redhat Linux. Code Red only affects Win2000 servers.

Btw the problem has been solved.

remarkable
09-02-2001, 05:34 PM
Originally posted by arrty
its a Cobalt Raq3 running Redhat Linux. Code Red only affects Win2000 servers.

btw the problem has been solved.

That does not mean in any way that code red can't attack a linux server. Code Red just keeps going until it finds a Windows server. I've seen a few linux boxes get 1000's of hits from code red. Linux just can't be compromised by it.

jimb
09-02-2001, 08:22 PM
Just to let you know:

You can call CobaltRacks @ (540) 667-6431. I'm pretty sure that is the main datacenter. You may want to call them and ask them.

I know this number is answered 24/7 by either the support team, or the night guy.

Jim