Low-intensity DDoS attack?
The Planet Forums > Security > DoS & D-DoS Mitigation
zubuz
My server is apparently being victimized by a low-intensity DDoS attack. The machine doesn't appear to be affected performance-wise, except the logs are growing out of control.

We are getting about one hit per second on the "main" (but content-free) site on the server.

The Apache access_log looks like this:

189.35.22.188 - - [13/Aug/2009:11:04:02 -0500] srv04.xxxxx.xxx "GET /velho/arqcfg.jpg HTTP/1.1" 403 499
189.35.22.188 - - [13/Aug/2009:11:04:02 -0500] srv04.xxxxx.xxx "GET /velho/arqcfg.jpg HTTP/1.1" 403 499
189.35.22.188 - - [13/Aug/2009:11:04:03 -0500] srv04.xxxxx.xxx "GET /velho/arqcfg.jpg HTTP/1.1" 403 499
189.35.22.188 - - [13/Aug/2009:11:04:03 -0500] srv04.xxxxx.xxx "GET /velho/arqcfg.jpg HTTP/1.1" 403 499
189.72.193.204 - - [13/Aug/2009:11:04:09 -0500] srv04.xxxxx.xxx "GET /velho/updcfg.jpg HTTP/1.1" 403 499
189.72.193.204 - - [13/Aug/2009:11:04:09 -0500] srv04.xxxxx.xxx "GET /velho/updcfg.jpg HTTP/1.1" 403 499
189.72.193.204 - - [13/Aug/2009:11:04:09 -0500] srv04.xxxxx.xxx "GET /velho/updcfg.jpg HTTP/1.1" 403 499
189.72.193.204 - - [13/Aug/2009:11:04:10 -0500] srv04.xxxxx.xxx "GET /velho/updcfg.jpg HTTP/1.1" 403 499

and there are corresponding entries in error_log showing "Permission denied" since those directories and files do not exist. The source IPs rotate frequently; almost all of them trace back to Brazil, and they appear to be IPs assigned by ISPs for home internet access.

Any ideas on how to dump this garbage traffic easily? I can null route the IPs by hand, but I was hoping for something that would do it a little more efficiently, maybe based on an IP performing a GET for those files, which don't exist.
Tomy Durden
QUOTE (zubuz @ Aug 13 2009, 11:34 AM) *
My server is apparently being victimized by a low-intensity DDoS attack. The machine doesn't appear to be affected performance-wise, except the logs are growing out of control.

It doesn't look like it's targeted directly at your site. Googling updcfg.jpg brought up some information about a couple of worms running around, commonly in Brazil (Porto Velho is actually a state capital). http://www.threatexpert.com/report.aspx?md...939a48a7b9cbff6 There's not a whole lot of information on how the worm works though.

You should be safe dropping these requests with a firewall.
newexpos
QUOTE (zubuz @ Aug 13 2009, 04:34 PM) *
The source IPs rotate frequently; almost all of them trace back to Brazil, and they appear to be IPs assigned by ISPs for home internet access.

Any ideas on how to dump this garbage traffic easily? I can null route the IPs by hand, but I was hoping for something that would do it a little more efficiently, maybe based on an IP performing a GET for those files, which don't exist.


If you are using apf, this may work.

PLEASE NOTE THAT THIS IS OFF THE TOP OF MY HEAD AND MAY NOT WORK AS IS
TRY AT YOUR OWN RISK

In your httpd.conf

RewriteCond %{REQUEST_URI} /velho/updcfg.jpg
RewriteRule /*/path to your apf/apf\ \-d\ \%{REMOTE_ADDR} [L]


RewriteRule /*/path to your apf/apf\ \-d\ \%{REMOTE_ADDR} sends the command to block the IP address to the firewall. The -d is a switch for APF. You could modify the rule to use iptables or ipfw, etc. and change the switches appropriately.
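One way to do what newexpos describes (and what Tomy Durden suggests: drop the requests at the firewall), as an added example and not code from this thread: a Python script that scans the Apache access_log for GETs to the two probe paths, counts hits per client IP, and emits either apf -d or iptables DROP commands for IPs over a threshold. It assumes it runs as root on the web server and that the log uses the format shown above (with the extra vhost field after the timestamp); the script name block_velho.py, the threshold, and the sample log lines embedded in it are assumptions, the sample lines being constructed from the ones in the thread. Nothing is executed unless --execute is given, so the commands can be reviewed first.

```python
#!/usr/bin/env python3
"""Block client IPs that probe /velho/arqcfg.jpg and /velho/updcfg.jpg.

Added example for the forum thread above; not code posted by anyone in it.
Assumed to run as root on the server. Reads an Apache access_log in the
thread's format (IP, two '-' fields, [timestamp], optional vhost token,
quoted request line, status) and returns firewall commands for offenders.
"""
import re
import subprocess
from collections import Counter

# Tolerates both 'srv04.xxxxx.xxx "GET' and the run-together 'srv04.xxxxx.xxx"GET'
# seen in the thread, as well as plain common/combined format with no vhost field.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\]\s*'
    r'(?:\S+\s*)?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The two probe paths from the thread, anchored so e.g. /velho/updcfg.jpg.bak
# or /velho/updcfg.jpgx are not counted. Status is ignored: the path is the signature.
WORM_PATH_RE = re.compile(r'^/velho/(?:arqcfg|updcfg)\.jpg$')


def probe_ip(line):
    """Return the client IP if the line is a GET for a probe path, else None."""
    m = LOG_RE.match(line)
    if m and m.group('method') == 'GET' and WORM_PATH_RE.match(m.group('path')):
        return m.group('ip')
    return None


def is_worm_probe(line):
    """True if the log line matches the worm probe signature."""
    return probe_ip(line) is not None


def offending_ips(lines, threshold=2):
    """Sorted list of client IPs with at least `threshold` probe hits.

    A threshold above 1 keeps a single stray request from NAT'd users from
    getting a whole household blocked; the worm retries several times a second.
    """
    counts = Counter()
    for line in lines:
        ip = probe_ip(line)
        if ip:
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def block_commands(ips, backend='iptables'):
    """Build one firewall command per IP.

    'apf' uses apf -d as in the thread; 'iptables' inserts a DROP rule at the
    top of the INPUT chain (not persistent across a reboot).
    """
    cmds = []
    for ip in ips:
        if backend == 'apf':
            cmds.append(['apf', '-d', ip])
        else:
            cmds.append(['iptables', '-I', 'INPUT', '-s', ip, '-j', 'DROP'])
    return cmds


def block(lines, threshold=2, backend='iptables', execute=False):
    """Find offenders and return their block commands; run them only if execute=True."""
    cmds = block_commands(offending_ips(lines, threshold), backend)
    if execute:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


# Constructed sample log, modelled on the lines quoted in the thread (not real traffic).
SAMPLE_LOG = """\
189.35.22.188 - - [13/Aug/2009:11:04:02 -0500] srv04.xxxxx.xxx "GET /velho/arqcfg.jpg HTTP/1.1" 403 499
189.35.22.188 - - [13/Aug/2009:11:04:02 -0500] srv04.xxxxx.xxx "GET /velho/arqcfg.jpg HTTP/1.1" 403 499
189.35.22.188 - - [13/Aug/2009:11:04:03 -0500] srv04.xxxxx.xxx"GET /velho/arqcfg.jpg HTTP/1.1" 403 499
189.72.193.204 - - [13/Aug/2009:11:04:09 -0500] srv04.xxxxx.xxx "GET /velho/updcfg.jpg HTTP/1.1" 403 499
189.72.193.204 - - [13/Aug/2009:11:04:09 -0500] srv04.xxxxx.xxx "GET /velho/updcfg.jpg HTTP/1.1" 403 499
10.0.0.5 - - [13/Aug/2009:11:05:00 -0500] srv04.xxxxx.xxx "GET /velho/updcfg.jpg HTTP/1.1" 403 499
10.0.0.9 - - [13/Aug/2009:11:05:01 -0500] srv04.xxxxx.xxx "GET /index.html HTTP/1.1" 200 1234
"""

if __name__ == '__main__':
    import sys
    args = [a for a in sys.argv[1:] if not a.startswith('--')]
    run = '--execute' in sys.argv
    if args:
        with open(args[0]) as fh:
            cmds = block(fh, execute=run)
    else:
        cmds = block(SAMPLE_LOG.splitlines(), execute=run)
    for cmd in cmds:
        print(' '.join(cmd))
```

Run it as python3 block_velho.py /var/log/httpd/access_log to print the commands, and add --execute to apply them (use backend='apf' in block() if you want apf -d instead of raw iptables). Because the sources rotate, the rule list keeps growing and iptables -I rules vanish on reboot, so either run it from cron against the rotated log and flush old rules periodically, or hand the same signature to a tool with rule expiry such as fail2ban. Since the requests already get a 403, the log growth itself can be handled inside Apache without any blocking: mark the requests with SetEnvIf Request_URI "^/velho/" dontlog and add env=!dontlog to the CustomLog line.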

