
06-01-2007, 05:24 PM
Web Hosting Master
Join Date: Aug 2002
Posts: 647
EMERGENCY - Server being attacked via http
My friend's server is being attacked: the http processes shoot up, causing the server load to go above 200 within minutes of starting httpd, which causes the server to die.
This is how the Apache web server's access_log logs a normal HTTP request:
------------------------------------------------------
"xx.xxx.xx.xx - - [01/Jun/2007:22:13:21] "GET /folder/name.gif HTTP/1.1" 200 877 "http://www.domain.com/index.htm" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
------------------------------------------------------
Today, when the HTTP load increased, we saw hundreds of the following requests:
------------------------------------------------------
"xx.xxx.xx.xx - - [01/Jun/2007:22:13:21] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
------------------------------------------------------
You see, the difference between a legitimate HTTP access log entry and the above one is that the legitimate one shows the filename (GET /folder/name.gif) and the domain name being requested, whereas the second one shows ("GET /?").
The above requests continuously originate from 30 to 40 different IP addresses. Most of them are Russian IPs, and many are from the US and Canada too.
When I do a grep "GET /?" in the access log there are thousands of these, which started just today.
I cannot block each IP because I feel they have hundreds of IPs to initiate these requests from.
What to do?
Last edited by hostchamp; 06-01-2007 at 05:36 PM.

06-01-2007, 05:49 PM
Web Hosting Master
Join Date: Nov 2001
Location: Vancouver
Posts: 2,416
GET /? is simply an empty query string being passed to whatever code is handling the root "/" of your site. So in other words, you are seeing hundreds of requests to /.
Ordinarily this shouldn't be a problem, but if your site itself is resource heavy and already performance constrained, I guess I can see it happening.
What you could do is use the URL redirection feature of your web server to send off all such requests to a plain, simple, short, HTML error page, which ought to resolve your resource issue. Look up Redirect for your web server, and redirect any request that *exactly* matches "/?" and nothing else.
__________________
“Even those who arrange and design shrubberies are under
considerable economic stress at this period in history.”
Last edited by mwatkins; 06-01-2007 at 05:56 PM.

06-01-2007, 06:20 PM
Web Host
Join Date: Jun 2002
Posts: 1,787
If you know the domain being attacked you can change the DNS from the server's IP to 127.0.0.1 and redirect the attackers to their own computer. The owner of the domain won't be happy, but either way the site isn't running. 40 IPs should be hard to block though.

06-01-2007, 06:47 PM
Junior Guru
Join Date: Dec 2003
Posts: 203
If it's coming from a whole netblock, just block the whole /8. For example, if the IPs are on 60.x.x.x, just block 60.0.0.0/8 at the firewall.
Russia most likely only has a few /8s; block 'em all?
__________________
Linux VPS Hosting
Fully Managed VPS, Dedicated And Reseller Solutions.
Host Unlimited Domains

06-01-2007, 06:47 PM
Web Hosting Master
Join Date: May 2003
Location: California, USA, Earth
Posts: 930
If you don't have it already you should install APF firewall.
Then, just run: apf -d xxx.xxx.xxx.xxx
And the problem is solved, at least temporarily.
BFD works in conjunction with APF and is highly recommended also. While it won't auto-block the http attacks, it will stop brute force attacks.
__________________
▌ Blesta - Professional Billing Software
▌ Innovation that benefits the user experience
▌ Trial - Demo | 866.478.7567 | Twitter @blesta

06-01-2007, 07:01 PM
Web Hosting Master
Join Date: Aug 2002
Posts: 647
mwatkins, please post the syntax for this?
Quote:
Originally Posted by mwatkins
GET /? is simply an empty query string being passed to whatever code is handling the root "/" of your site. So in other words, you are seeing hundreds of requests to /.
Ordinarily this shouldn't be a problem, but if your site itself is resource heavy and already performance constrained, I guess I can see it happening.
What you could do is use the URL redirection feature of your web server to send off all such requests to a plain, simple, short, HTML error page, which ought to resolve your resource issue. Look up Redirect for your web server, and redirect any request that *exactly* matches "/?" and nothing else.

06-01-2007, 07:03 PM
Web Hosting Master
Join Date: Aug 2002
Posts: 647
How do i do this?
Quote:
Originally Posted by page-zone
If you know the domain being attacked you can change the DNS from the server's IP to 127.0.0.1 and redirect the attackers to their own computer. The owner of the domain won't be happy, but either way the site isn't running. 40 IPs should be hard to block though.

06-01-2007, 07:06 PM
Web Hosting Master
Join Date: Aug 2002
Posts: 647
Where can I find a list of all IP blocks for Russia so I can just do iptables /8 blocking?
Quote:
Originally Posted by onthespot
If it's coming from a whole netblock, just block the whole /8. For example, if the IPs are on 60.x.x.x, just block 60.0.0.0/8 at the firewall.
Russia most likely only has a few /8s; block 'em all?

06-01-2007, 07:11 PM
Web Hosting Master
Join Date: Aug 2002
Posts: 647
I just have iptables, which I use to block IPs.
If I have to block each IP manually in APF, then what is its advantage over iptables?
Is there any way that if an IP hits my access_log x number of times in x number of minutes it gets blocked automatically for some time?
Quote:
Originally Posted by wshost
If you don't have it already you should install APF firewall.
Then, just run: apf -d xxx.xxx.xxx.xxx
And the problem is solved, at least temporarily.
BFD works in conjunction with APF and is highly recommended also. While it won't auto-block the http attacks, it will stop brute force attacks.
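The "x hits in x minutes" check hostchamp asks about, as an added example that is not code from any poster in this thread. It reads the access_log in the format quoted at the top (client IP first field, timestamp fourth), counts "GET /?" requests per IP per minute, reports the IPs over a threshold, and turns that list into the route-reject commands page-zone gives further down, for an admin to read before running. The sample log is constructed here with documentation IP ranges; nothing is executed against the host.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. Finds source IPs that
# send more than a threshold of "GET /?" requests inside one minute of the
# access_log, then turns that list into route-reject commands for review.
# Assumes the common/combined log format quoted in the thread: client IP is the
# first field and the timestamp the fourth; a "+0000" timezone after the
# timestamp does not move those two fields.

flood_offenders() {
    logfile="$1"
    threshold="$2"
    awk -v thr="$threshold" '
        # Only the suspicious request line: root path with an empty query string.
        /"GET \/\? HTTP/ {
            minute = substr($4, 2, 17)           # e.g. 01/Jun/2007:22:13
            hits[$1 SUBSEP minute]++
        }
        END {
            for (k in hits)
                if (hits[k] > thr) {
                    split(k, part, SUBSEP)
                    flagged[part[1]] = 1
                }
            for (ip in flagged) print ip
        }' "$logfile" | sort
}

# Read offender IPs on stdin and emit one block command per IP (the form
# page-zone posted). Nothing is executed here; read the output before running it.
reject_commands() {
    while read -r ip; do
        printf '/sbin/route add -host %s reject\n' "$ip"
    done
}

# Constructed sample log (documentation IP ranges), shaped like the entries in
# the thread: 192.0.2.10 makes four "/?" requests in one minute, 198.51.100.7
# makes four spread over two minutes, 203.0.113.5 fetches a normal image.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [01/Jun/2007:22:13:21] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [01/Jun/2007:22:13:22] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.5 - - [01/Jun/2007:22:13:23] "GET /folder/name.gif HTTP/1.1" 200 877 "http://www.domain.com/index.htm" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.10 - - [01/Jun/2007:22:13:24] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [01/Jun/2007:22:13:25] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [01/Jun/2007:22:13:26] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [01/Jun/2007:22:13:27] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [01/Jun/2007:22:14:01] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [01/Jun/2007:22:14:02] "GET /? HTTP/1.1" 200 16305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
EOF
}

demo=$(mktemp)
write_sample_log "$demo"
echo "More than 3 empty-query hits in one minute:"
flood_offenders "$demo" 3
echo "Commands to review:"
flood_offenders "$demo" 3 | reject_commands
rm -f "$demo"
```

With threshold 3 only 192.0.2.10 is reported; 198.51.100.7 sends the same number of requests overall but never more than two in one clock minute, which is the point of bucketing by minute rather than counting the whole file. A burst that straddles a minute boundary can be split across two buckets and under-counted, so keep the threshold modest and run this from cron against the live log rather than once. The commands are printed instead of run on purpose: hostchamp's own worry is that the sources number in the hundreds, and a list you can eyeball catches a mistaken match (a monitoring host, a proxy shared by real users) before it is routed to nowhere.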

06-01-2007, 07:46 PM
Web Host
Join Date: Jun 2002
Posts: 1,787
/sbin/route add -host 217.160.208.134 reject
Change that IP to an IP you want to block and it will be blocked until the next reboot.
Country blacklist
http://spamlinks.net/filter-bl.htm#ip-country
Last edited by page-zone; 06-01-2007 at 07:51 PM.

06-01-2007, 08:02 PM
Web Host
Join Date: Jun 2002
Posts: 1,787
Quote:
Originally Posted by hostchamp
Is there any way that if an IP hits my access_log x number of times in x number of minutes it gets blocked automatically for some time?
Yes, if you have the connlimit module loaded. Someone else might have some syntax which would work. I don't.
Or Google connlimit.
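The connlimit syntax page-zone says he does not have, as an added example that is not from any poster here. The script generates two iptables rules that cap simultaneous TCP connections to port 80 per source address: a rate-limited LOG rule so the cap leaves a syslog trail, and the DROP rule that enforces it. It assumes the connlimit match is available in the kernel and iptables build; the limit of 20 is the figure suggested later in this thread as low enough to stop a flood while leaving browsers alone.

```shell
#!/bin/sh
# Added example, not page-zone's syntax. Generates the iptables connlimit rules
# that cap parallel TCP connections to port 80 per source IP. Assumes the
# connlimit match is present; the threshold is the caller's choice.

connlimit_rules() {
    limit="$1"
    # Inserted at positions 1 and 2 so they sit above any earlier ACCEPT for
    # port 80. LOG is non-terminating, so an over-limit SYN is logged (at most
    # five lines a minute, so a flood cannot fill syslog) and then dropped.
    printf 'iptables -I INPUT 1 -p tcp --syn --dport 80 -m connlimit --connlimit-above %s -m limit --limit 5/minute -j LOG --log-prefix "http-connlimit: "\n' "$limit"
    printf 'iptables -I INPUT 2 -p tcp --syn --dport 80 -m connlimit --connlimit-above %s -j DROP\n' "$limit"
}

# Install the generated rules; refuses unless running as root.
apply_connlimit() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_connlimit: run as root" >&2
        return 1
    fi
    connlimit_rules "$1" | sh -e
}

# Dry run: show what would be installed for a limit of 20.
connlimit_rules 20
```

Once installed, `grep http-connlimit /var/log/messages` (or wherever the kernel log lands) shows which sources are hitting the cap, which is the evidence to take to the upstream provider or to feed into a permanent block list. One caveat: connlimit counts per source address, so a proxy or NAT gateway in front of many real users shares one counter; `--connlimit-mask 24` widens the count to a whole /24 if the flood comes from neighbouring addresses, and a raised limit or an earlier ACCEPT rule exempts a known proxy.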

06-01-2007, 08:09 PM
Web Hosting Master
Join Date: Apr 2002
Location: Australia or US depends
Posts: 5,723

06-01-2007, 08:17 PM
Web Hosting Master
Join Date: Nov 2001
Location: Vancouver
Posts: 2,416
Quote:
Originally Posted by hostchamp
mwatkins, please post the syntax for this?
I don't read minds. What web server are you running? Apache? lighttpd? Cherokee? AOL? A custom Python or Ruby server?
Think logically; if you need to redirect a URL **pattern** then you'll need a tool which can do that.
For Apache 1.3.x and 2.x: mod_rewrite is one method.
http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
I am also in agreement with adding a route for IPs or blocks if they fall within a block - reject the connection or route the return to localhost.
__________________
“Even those who arrange and design shrubberies are under
considerable economic stress at this period in history.”
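For the Apache case mwatkins points at, here is a worked version of his suggestion as an added example; it is not his configuration and not from the thread. It assumes Apache 2.x with mod_rewrite loaded, a config file that httpd.conf includes (the path is a placeholder), and a hypothetical plain page /static/busy.html that you create yourself. The shell wrapper writes the rule, then uses Apache's own config test before a graceful reload so a typo cannot take the server down during the attack.

```shell
#!/bin/sh
# Added example, not mwatkins' own configuration. Writes a mod_rewrite snippet
# that serves a small static page whenever the raw request line is exactly
# "GET /? HTTP/x.y" (the entries hostchamp grepped), then syntax-checks Apache
# before a graceful reload. Assumes Apache 2.x with mod_rewrite loaded and that
# httpd.conf includes the written file; /static/busy.html is hypothetical.

write_empty_query_rule() {
    out="$1"       # e.g. /etc/httpd/conf.d/empty-query.conf (placeholder path)
    target="$2"    # cheap static page to serve instead, e.g. /static/busy.html
    {
        printf 'RewriteEngine On\n'
        # THE_REQUEST is the unmodified request line, so a normal front-page
        # request ("GET / HTTP/1.1") does not match; only the bare "/?" does.
        printf 'RewriteCond %%{THE_REQUEST} "^GET /\\? HTTP/"\n'
        # ^/?$ matches "/" in server or vhost context and "" in .htaccess context.
        # Internal rewrite (no R flag): no extra round trip, root handler never runs.
        printf 'RewriteRule ^/?$ %s [L]\n' "$target"
    } > "$out"
}

# Check the merged configuration and reload only if it is clean (run as root
# on the web server itself).
reload_if_valid() {
    apachectl configtest && apachectl graceful
}

# Demo: write the rule to a temp file and show what would go into httpd.conf.
conf=$(mktemp)
write_empty_query_rule "$conf" /static/busy.html
cat "$conf"
rm -f "$conf"
```

Rewriting internally to a static file means Apache never runs whatever handles "/" for these requests, which is where the load was coming from. If you would rather serve nothing at all, replace the target and flag with `- [F]` so the request gets a 403 with no body. The matching must stay anchored to the exact request line, as mwatkins says: a loose pattern on the path alone would catch every real visitor to the front page.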

06-01-2007, 10:18 PM
WebHosting Master
Join Date: Dec 2006
Posts: 4,075
Quote:
Originally Posted by Techark
I highly recommend this.
It blocks people with X number of connections open to the server at the same time.
To fend off DDoS attacks, simply set this to a lower number (say 20).
Then do a mod_evasive on Apache, and set it to 1 to 5.
Browsers usually obey this mod_evasive after a few timeouts, so they won't be banned with < 20 connections.
DDoSers however won't stop after a few timeouts and will result in >20 connections and get blocked by the APF.

06-02-2007, 02:53 PM
Aspiring Evangelist
Join Date: Jun 2005
Location: Internet
Posts: 448
How do I unblock server IP. Whom do I email or contact?