-
get ATTACKED!!
My Red Hat Enterprise server with cPanel has been getting attacked since Jul 5th. There are about 50 requests per second to my Apache, something like this:
221.192.223.221 - - [08/Jul/2005:01:54:21 -0400] "GET /yay/bdclong.txt HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
Notice:
1. The IPs change all the time; so far over 7,000 IPs.
2. The strange thing is that 90% of the requests are from Win98.
3. They're all requests for /yay/bdclong.txt
4. About 50 requests per second
5. It boosts my load to 17.x 15.x 13.x
6. The hits are from Taiwan/China
I can't use apf to block them because the IP keeps changing.
Questions:
1. Is it a DDoS?
2. How do I solve this?
-
Does that file exist?
Look up the referrer; it's possible that it's linked from a forum.
Consider blocking all Taiwan/China IPs using a database like maxmind.com
-
Try installing APF and BFD. They can be downloaded from the projects section of http://rfxnetworks.com/ .
You could add a rule in there to automatically block users who are accessing /yay/bdclong.txt .
-
It's probably a SYN flood. I can't add the IPs. They keep changing, so far over 7,000 IPs. Yes, I have apf and it couldn't help. I can't block all traffic from China and Taiwan as well.
The file /yay/bdclong.txt doesn't exist. There are no referers.
-
I've never used APF myself, but I read that there is an anti-DOS feature which may not be active by default. You may want to see if activating that may help.
You may also want to check if it's possible to block this from even getting to your server (via a perimeter firewall) if your datacenter can do it.
-
Well, one thing you could do to alleviate the damage is link your error_log to /dev/null . As well as link the access log of the specific domain to /dev/null .
ln -s /dev/null /usr/local/apache/logs/error_log
ln -s /dev/null /usr/local/apache/domlogs/thedomain.ext
-
Hello,
Did you install mod_security on your server? If not, install it first. Also disable KeepAlive in httpd.conf. Touch a blank file "bdclong.txt" in that path.
Let me know the status ;)
With regards,
Bijo
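-
A log check for the pattern described in the first post (one URL, many changing source IPs, one dominant User-Agent), added here as an example and not posted by anyone in the thread. The sample lines, thresholds and function names are constructed for illustration, and the IPs are documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, the format of the line quoted in the first post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def summarize(lines):
    """Per path: hits, distinct client IPs, peak hits in one second, top User-Agent share."""
    stats = defaultdict(lambda: {"ips": set(), "per_sec": Counter(), "agents": Counter()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        s = stats[m["path"]]
        s["ips"].add(m["ip"])
        s["per_sec"][m["ts"]] += 1  # timestamps have one-second resolution
        s["agents"][m["agent"]] += 1
    report = {}
    for path, s in stats.items():
        hits = sum(s["agents"].values())
        report[path] = {
            "hits": hits,
            "distinct_ips": len(s["ips"]),
            "peak_per_sec": max(s["per_sec"].values()),
            "top_agent_share": s["agents"].most_common(1)[0][1] / hits,
        }
    return report

def distributed_single_url(report, min_ips=5, min_share=0.8):
    """Paths hit by many IPs sharing one User-Agent: filter on the URL, not on the IP."""
    return sorted(p for p, r in report.items()
                  if r["distinct_ips"] >= min_ips and r["top_agent_share"] >= min_share)

# Constructed sample input (not real traffic).
WIN98 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
OTHER = "Mozilla/5.0 (X11; Linux i686)"
def sample_line(ip, sec, path, agent):
    return f'{ip} - - [08/Jul/2005:01:54:{sec:02d} -0400] "GET {path} HTTP/1.1" 200 0 "-" "{agent}"'

SAMPLE = [sample_line(f"203.0.113.{i}", 21 + i // 6, "/yay/bdclong.txt", WIN98 if i else OTHER)
          for i in range(10)]
SAMPLE += [sample_line("198.51.100.7", 21, "/index.html", OTHER),
           sample_line("198.51.100.8", 22, "/index.html", OTHER), "garbage line"]

if __name__ == "__main__":
    print(distributed_single_url(summarize(SAMPLE)))
```

On a real server, pass the open domain log file to `summarize()` in place of `SAMPLE` and raise `min_ips` to suit the traffic volume.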