Thread: Apache ddos

  1. #1

    Apache ddos

    Hi,
    Can anyone explain to me how to defend against this attack type?

    CSF firewall installed, DoS-Deflate installed, and again a lot of Apache processes:

    ------------------

    88.233.53.100 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.235.13.14 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.229.215.146 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    85.106.189.35 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.252.155.246 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    85.108.124.1 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.233.53.100 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.226.149.225 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    78.166.58.95 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    78.167.193.154 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.241.234.16 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.252.156.36 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.228.71.122 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.240.205.51 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.231.168.63 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    78.167.71.2 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.231.32.190 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.228.30.110 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.240.205.51 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    78.167.71.2 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.235.13.14 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    81.215.152.40 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    85.104.35.67 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    81.215.152.40 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    78.165.159.246 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.252.155.246 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    78.166.58.95 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.242.244.121 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    85.104.35.67 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    88.240.205.51 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
    78.166.30.163 - - [25/Feb/2008:10:15:48 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"

  2. #2
    Join Date: Nov 2005 | Location: Michigan, USA | Posts: 3,872

    Are you sure it's an attack? They look to be all different IPs.


  3. #3
    Join Date: Mar 2003 | Location: Canada | Posts: 8,910

    Quote Originally Posted by devonblzx:
        Are you sure it's an attack? They look to be all different IPs.

    Most DDoS attacks use different source IP addresses, hence why it's called a "Distributed Denial of Service" attack.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  4. #4
    Join Date: Mar 2003 | Location: Canada | Posts: 8,910

    Quote Originally Posted by Edinj:
        Can anyone explain to me how to defend against this attack type?

    If you're constantly under a DDoS attack, a provider that specializes in filtering malicious GET requests would be best... but looking at the IP addresses, they all belong to TurkTelekom (Turkey), and you could easily block their networks using CIDR notation within your firewall.

    Example:
    88.224.0.0/11

    I'm probably off by one or two, but that will block everything between 88.224.0.0 and 88.254.0.0 (TurkTelekom)...
    Last edited by Patrick; 02-25-2008 at 01:32 PM.

  5. #5
    Yeah, it definitely looks like a DDoS attack; the IPs are in roughly the same ranges. Your best bet is to block the range as Pat stated above, and hope that he doesn't have friends with bots on different ranges.

    Maybe another idea would be to look at the HTTP headers they send, and redirect to a script that blocks its class C based on them.

  6. #6
    Looks like you're being hit with an HTTP GET attack, which is a type of DDoS attack. It's an effective attack because it requires very few bots to overload Apache with GET requests and drive up the CPU load on the server, making it non-responsive.

    As others have said, your best bet is to block the IPs and maybe some subnets. Sometimes with these types of attacks the requests have custom headers that make it possible to easily identify bad requests from good requests. I made a Perl script on my server that looked at the logs for these bad requests and then blocked the IP on the firewall. This is effective unless you get attacks that use headers that are legit, which the majority now do, from what I've seen.
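    The log-scanning approach described in posts #4 to #6 (flag requests that carry the bot signature, collapse offending hosts into subnets, feed them to the firewall) as an added example in Python. This is not the Perl script the poster mentions and not part of the original thread. The signature it keys on is the one visible in the posted log excerpt: "GET /" with both the Referer and User-Agent fields empty ("-" "-"). The sample log lines are constructed for the example, modelled on the thread's excerpt, and the hypothetical per-second threshold and /24 aggregation are tuning choices, not values from the thread. The `csf -d` command form is CSF's standard "add to csf.deny" syntax; the comment string is made up.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Apache "combined" log format, matching the lines posted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (not from the thread): bot-style lines with the "-" "-"
# signature from the original excerpt, plus two legitimate-looking requests
# that must not be flagged (a browser with a referer, and curl with a UA).
SAMPLE_LOG = """\
88.233.53.100 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.235.13.14 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.233.53.100 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.233.53.7 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.233.53.100 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.233.53.7 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.166.58.95 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
192.0.2.10 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "http://example.com/" "Mozilla/5.0"
192.0.2.11 - - [25/Feb/2008:10:15:54 -0600] "GET /index.html HTTP/1.1" 200 10792 "-" "curl/7.18.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec):
    """The bot signature seen in the thread: no Referer and no User-Agent."""
    return rec["referer"] == "-" and rec["ua"] == "-"


def flagged_ips(log_text, per_second_threshold=2):
    """Return {ip: peak_requests_per_second} for IPs that hit the threshold
    with suspicious requests in any single log-timestamp second."""
    per_sec = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            per_sec[(rec["ip"], rec["ts"])] += 1
    peak = {}
    for (ip, _ts), n in per_sec.items():
        peak[ip] = max(peak.get(ip, 0), n)
    return {ip: n for ip, n in peak.items() if n >= per_second_threshold}


def aggregate_to_prefixes(ips, prefix_len=24, min_hosts=2):
    """Collapse offending IPs into /prefix_len networks (the "class C" idea
    from post #5) when at least min_hosts offenders share a network."""
    nets = defaultdict(set)
    for ip in ips:
        nets[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)].add(ip)
    return [str(n) for n, hosts in sorted(nets.items()) if len(hosts) >= min_hosts]


def in_range(ip, cidr):
    """True if ip falls inside the CIDR block (e.g. the /11 quoted in post #4)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def cidr_bounds(cidr):
    """First and last address covered by a CIDR block, so you can sanity-check
    a range before dropping it into csf.deny."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def csf_deny_commands(targets):
    """Build 'csf -d <ip|cidr> <comment>' lines; csf -d adds a permanent deny."""
    return [f'csf -d {t} "http get flood"' for t in targets]


if __name__ == "__main__":
    hits = flagged_ips(SAMPLE_LOG)
    subnets = aggregate_to_prefixes(hits)
    singles = [ip for ip in hits if not any(in_range(ip, s) for s in subnets)]
    for cmd in csf_deny_commands(subnets + singles):
        print(cmd)
    print("88.224.0.0/11 covers", cidr_bounds("88.224.0.0/11"))
```

    Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the /24 aggregation and the per-second threshold are where you trade false positives for coverage, and `cidr_bounds` shows exactly what a wide block like the /11 above will take out before you commit it.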

  7. #7
    ompp:

    can you paste that script here?
