  1. #1
    Join Date
    Dec 2009
    Posts
    58

    Traffic explosion

    One of my sites (a firearms accessories related review site) went from about 30 hits a day to 124,000 yesterday. This morning I got a notice about bandwidth exceeded.

    Poking around various metrics, it seems most of the hits are directly to the main page...which aside from google and amazon ads, doesn't have any dynamic content.

    The file date of the page has not changed. The site does not appear to be compromised in any way.

    Looking at some visitor paths, they will stay on the site hitting the index page seemingly randomly over 20 hours or more.

    This does not appear to be referral traffic as I only have a couple hundred referrals total.

    The largest traffic-generating IPs are 119.197.201.212 (looks like it's from Korea) and 12.71.77.109, which is in a block that returns:

    AT&T Services, Inc. ATT (NET-12-0-0-0-1) 12.0.0.0 - 12.255.255.255
    ATT CHIEF SECURITY OFFICE ATT-NET-12-71-76-0 (NET-12-71-76-0-1) 12.71.76.0 - 12.71.79.255
    ATT CORP-INTRA-LEGACY T LEGAL ATTCO-3 (NET-12-71-77-0-1) 12.71.77.0 - 12.71.77.255

    NSA Spying? lol.

    So I just looked at the Apache logs and all the hits are POSTs.
    Code:
    24.136.155.243 - - [17/Oct/2013:06:43:31 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    216.201.219.134 - - [17/Oct/2013:06:43:32 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    122.170.28.182 - - [17/Oct/2013:06:43:31 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    151.14.160.124 - - [17/Oct/2013:06:43:32 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    64.72.85.124 - - [17/Oct/2013:06:43:33 -0700] "POST / HTTP/1.0" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    78.7.212.142 - - [17/Oct/2013:06:43:32 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    178.38.115.174 - - [17/Oct/2013:06:43:33 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    59.124.68.226 - - [17/Oct/2013:06:43:33 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    80.18.93.26 - - [17/Oct/2013:06:43:34 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    88.171.39.236 - - [17/Oct/2013:06:43:34 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    117.1.27.216 - - [17/Oct/2013:06:43:34 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    110.143.88.88 - - [17/Oct/2013:06:43:35 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    66.116.27.32 - - [17/Oct/2013:06:43:35 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    122.179.156.169 - - [17/Oct/2013:06:43:35 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    120.151.74.36 - - [17/Oct/2013:06:43:35 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    190.0.58.94 - - [17/Oct/2013:06:43:35 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    77.246.48.90 - - [17/Oct/2013:06:43:35 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    217.133.192.98 - - [17/Oct/2013:06:43:36 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    83.16.168.154 - - [17/Oct/2013:06:43:36 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    68.99.74.216 - - [17/Oct/2013:06:43:36 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    146.203.130.205 - - [17/Oct/2013:06:43:36 -0700] "POST / HTTP/1.0" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    31.34.56.32 - - [17/Oct/2013:06:43:36 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    71.87.60.112 - - [17/Oct/2013:06:43:37 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    174.7.162.37 - - [17/Oct/2013:06:43:37 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    46.200.176.236 - - [17/Oct/2013:06:43:37 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    208.191.14.3 - - [17/Oct/2013:06:43:37 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    194.72.120.131 - - [17/Oct/2013:06:43:37 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    190.0.30.75 - - [17/Oct/2013:06:43:38 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    All different IPs! DDoS attempt? It's a little slow for one, and not very effective other than wasting my time chasing ghosts.

    It's returning a 404 because I had just added PHP to send a 404 header if it's a POST, in the hope they would lose interest.

    I logged the HTTP vars and it's an empty post as far as I can see.

    Anyone ever see anything of the sort?

  2. #2
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    Looks to be a fairly light POST flood, and it seems you implemented an effective countermeasure. Is it impacting your performance at all?

  3. #3
    Join Date
    Dec 2009
    Posts
    58
    No, I'm surprised I didn't notice it yesterday as I have a monitor dedicated to displaying server loads over my desk. That VPS's normal load is very low. All 30 sites on it are very low traffic and it's not uncommon to see 0.00 load averages. The 15 min average is 0.08 right now on a 24 core VPS. Server is just rolling out of bed..lol

  4. #4
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    432
    Quote Originally Posted by turbo2ltr View Post
    190.0.30.75 - - [17/Oct/2013:06:43:38 -0700] "POST / HTTP/1.1" 404 11405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    This "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" UA has been hitting tons of sites for more than a month now. I always recommend blocking it at the HTTP level (in the Apache configuration file preferably, otherwise in a .htaccess file).
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.

  5. #5
    Join Date
    Dec 2009
    Posts
    58
    So I left the account bandwidth-suspended (7gb) for the rest of the month hoping they would go away. But apparently not. Still getting a POST "flood" to that account. On average, it's probably 1-2 POSTs per second. But I was very surprised that the suspended account still managed to get from 7gb bandwidth to 17gb, *while suspended!*

    At this point it's more annoying than anything. Just wish there was a way to drop the connection instead of dignifying the request with a reply. I suppose I could try blocking the user agent, but that still sends a reply. There doesn't seem to be a way to drop a connection in .htaccess or search a UA in iptables.

  6. #6
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    432
    You can close the connection without sending any response using the mod_security 'drop' action.

    Also, did you try to capture the POST payload, just to have an idea of what they are trying to do?
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.

  7. #7
    Join Date
    Mar 2009
    Location
    Gods Own Country
    Posts
    681
    Try using tshark (comes with the wireshark package) or tcpdump and analyze the POST packets. It will be helpful for developing the mod_security rules.
    Fabin Mundattil @ Xieles Support
    High Quality Server Management | support @ xieles.com
    http://xieles.com

  8. #8
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,153
    As others said, this looks like a small layer 7 attack (HTTP POST, obviously). As long as it's not affecting performance, you should be fine. If the attack grows larger, the easiest and most professional solution would be to get DDoS protection. As long as the flood stays small, you can also use something like fail2ban or LFD to write a regex which matches the request patterns and bans IPs that send more than 2 of these requests within 30 seconds, for example.
    Inbound Marketing & real SEO for web hosting providers
    ✎ Get in touch with me: co<at>infinitnet.de
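Added example (not code from anyone in this thread): a small Python script that does, over constructed log lines, what the original poster did by hand on the Apache access log in post #1 and what post #8 suggests automating with fail2ban or LFD. It parses Apache "combined" format lines, matches the request pattern described in the thread (POST to /, empty referer, the "MSIE 6.0; Windows NT 5.1; SV1" user agent quoted in post #4), summarizes how many requests and how many distinct source IPs match, and then applies a fail2ban-style threshold: more than 2 matching requests from one IP within a 30-second window marks that IP as a ban candidate. The log lines, the RFC 5737 documentation addresses in them, and the function names `summarize` and `ban_candidates` are constructed for this example and are not from the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat, the layout of the excerpt in post #1.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The user agent every flood request in the thread carried (quoted in post #4).
FLOOD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed sample log (RFC 5737 addresses), not the poster's real log:
# 198.51.100.7 sends three flood POSTs in 10 s, 198.51.100.8 two POSTs 40 s
# apart, 192.0.2.9 a single one, plus two legitimate requests from 203.0.113.x.
SAMPLE_LOG = [
    f'198.51.100.7 - - [17/Oct/2013:06:43:31 -0700] "POST / HTTP/1.1" 404 11405 "-" "{FLOOD_UA}"',
    f'198.51.100.8 - - [17/Oct/2013:06:43:32 -0700] "POST / HTTP/1.1" 404 11405 "-" "{FLOOD_UA}"',
    '203.0.113.5 - - [17/Oct/2013:06:43:33 -0700] "GET /index.html HTTP/1.1" 200 8231 '
    '"http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"',
    f'198.51.100.7 - - [17/Oct/2013:06:43:36 -0700] "POST / HTTP/1.1" 404 11405 "-" "{FLOOD_UA}"',
    f'192.0.2.9 - - [17/Oct/2013:06:43:40 -0700] "POST / HTTP/1.0" 404 11405 "-" "{FLOOD_UA}"',
    f'198.51.100.7 - - [17/Oct/2013:06:43:41 -0700] "POST / HTTP/1.1" 404 11405 "-" "{FLOOD_UA}"',
    '203.0.113.6 - - [17/Oct/2013:06:43:50 -0700] "POST /contact.php HTTP/1.1" 200 512 '
    '"http://www.example.com/contact.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"',
    f'198.51.100.8 - - [17/Oct/2013:06:44:12 -0700] "POST / HTTP/1.1" 404 11405 "-" "{FLOOD_UA}"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def matches_flood_pattern(rec):
    """The request shape the thread describes: POST to /, no referer, the shared UA."""
    return (rec["method"] == "POST" and rec["path"] == "/"
            and rec["referer"] == "-" and rec["ua"] == FLOOD_UA)


def summarize(lines):
    """Triage numbers: how much of the log matches, from how many distinct IPs."""
    recs = [r for r in map(parse_line, lines) if r]
    flood = [r for r in recs if matches_flood_pattern(r)]
    return {
        "total": len(recs),
        "flood_requests": len(flood),
        "flood_distinct_ips": len({r["ip"] for r in flood}),
        "top_ips": Counter(r["ip"] for r in flood).most_common(3),
    }


def ban_candidates(lines, max_hits=2, window_s=30):
    """fail2ban-style rule: IPs with more than max_hits matching requests in any
    window_s-second window (post #8's "more than 2 within 30 seconds")."""
    window = timedelta(seconds=window_s)
    hits = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec and matches_flood_pattern(rec):
            hits[rec["ip"]].append(rec["ts"])
    banned = set()
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_hits:
                banned.add(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("ban candidates:", ban_candidates(SAMPLE_LOG))
```

The pattern check is deliberately the whole tuple (method, path, empty referer, user agent) rather than the user agent alone, since a real visitor with an old browser would otherwise be caught; a fail2ban `failregex` for the same jail would match the same fields. Note that on the thread's own excerpt, where nearly every IP appears once, the per-IP threshold would ban almost nobody, which is exactly why post #4's UA block at the HTTP level or post #6's mod_security drop is the more useful control for a widely distributed flood.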
