# Problems with Apache being attacked?

## The_Bell

Hi all,

I'm having headaches these days because of a problem I am having with a dedicated server running Apache and other typical server apps. That server used to work perfectly. We don't have too many clients and our machine could handle the load perfectly.

But this week some problems appeared. Suddenly, it seems some sort of "bot" is continuously sending our server GET requests for URLs and domains that are not registered to our server IP. All requests seem to come from the same IPs or IP ranges, and all of them have the same "structure": they seem to be URLs trying to break username and password systems from restricted websites or porn, newspapers, news sites, Yahoo accounts and so on. Here's a little extract to give an idea of what I am talking about:

206.127.2.46 - - [17/Sep/2005:04:31:30 +0200] "CONNECT www.ticketmaster.com:443 HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

220.113.1.45 - - [17/Sep/2005:04:31:30 +0200] "GET http://oz.valueclick.com/cycle?host=hs0289200&b=pagebuster.424&v=1.2.20&t=js HTTP/1.0" 200 457 "http://www.gamesplain.com/reviewsnew.php?id=411" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"

221.220.26.133 - - [17/Sep/2005:04:31:30 +0200] "GET http://a248.e.akamai.net/6/800/1128/1126547601/network.realmedia.com/RealMedia/ads/Creatives/OasDefault/BCN2005070140_03_VerisignRON_728/LBJ_728x90_247.gif HTTP/1.1" 200 12457 "http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/everyusb/728x90/ron/tch/ss/a@Top1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

81.231.177.20 - - [17/Sep/2005:04:31:30 +0200] "POST http://www.alteafad.it/logged_in HTTP/1.0" 200 20867 "http://archive.jessithekid.com/protect/index.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"

70.85.97.226 - - [17/Sep/2005:04:31:30 +0200] "GET http://computercops.biz/check4915previous.html HTTP/1.0" 301 252 "http://emistry.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

68.228.50.123 - - [17/Sep/2005:04:31:30 +0200] "GET http://news.dirlist.org/js/js.js HTTP/1.0" 200 81 "http://news.dirlist.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

220.113.1.45 - - [17/Sep/2005:04:31:31 +0200] "GET http://oz.valueclick.com/jsmaster HTTP/1.0" 200 7220 "http://www.gigigame.com/sorts.php?id=8" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"

70.85.97.226 - - [17/Sep/2005:04:31:31 +0200] "GET http://arthurwendover.com/arthurs/collins/armdl10.html HTTP/1.0" 200 871387 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

222.208.183.2 - - [17/Sep/2005:04:31:31 +0200] "GET http://partner.search.sohu.com/cpc/partner.php?pid=ting98&type=14 HTTP/1.0" 200 6127 "http://www.98ting.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.3705)"

220.113.0.156 - - [17/Sep/2005:04:31:31 +0200] "GET http://networkcollect.realmedia.com/data/?if_nt_TimeZoneOffset=-240&Site=Carsworlds&CAT=automotive&L2CAT=automotive%20info&tax25_CookieAccept=Y&tax0_SiteID=1&if_nt_URL=http%3A//www.carsworlds.com/index.php HTTP/1.0" 200 125 "http://www.carsworlds.com/index.php" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"

222.47.13.195 - - [17/Sep/2005:04:31:31 +0200] "GET http://images.trafficmp.com/tmpad/content/space.gif HTTP/1.0" 200 43 "http://cache.trafficmp.com/tmpad/content/webclients/louisvuitton/0705/Popunder%20(720x300)_2005725143344.htm" "Mozilla/4.76 [en] (Win98; U)"

219.134.246.181 - - [17/Sep/2005:04:31:31 +0200] "GET http://search.revenuepilot.com/servlet/search?id=14245&keyword=trade%20show%20display HTTP/1.0" 200 5830 "http://www.havesearch.com/cgi-bin/smartsearch.com" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.2)"

66.167.131.17 - - [17/Sep/2005:04:31:31 +0200] "GET http://l24.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=DEMENTED1_1999&passwd=adam HTTP/1.0" 500 824 "-" "-"

83.112.104.59 - - [17/Sep/2005:04:31:31 +0200] "GET http://espace.netavenir.com/diffusion/?psid=370&inhead=0&TS=1126956711250&305693183&cookie_affected=yes HTTP/1.0" 200 1335 "http://www.spot-bourse.com/promobenef.php" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

70.85.97.226 - - [17/Sep/2005:04:31:31 +0200] "GET http://www.digitalmars.com/d/overview.html HTTP/1.0" 200 8428 "http://play-texas-holdem.gameday.de" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

83.112.108.139 - - [17/Sep/2005:04:31:31 +0200] "GET http://www.mesregies.com/promobenef.php HTTP/1.0" 200 123 "http://www.spot-bourse.com/REGIE_PUB/REGIE.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

221.232.69.81 - - [17/Sep/2005:04:31:32 +0200] "GET http://public.win4win.com/search.asp?action=newsearch&target=Results</A HTTP/1.0" 200 19343 "http://www.storeoffishing.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)"

70.85.97.226 - - [17/Sep/2005:04:31:32 +0200] "GET http://faorafine.pitas.com/29_08_2001.html HTTP/1.0" 200 11333 "http://emistry.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

220.113.0.156 - - [17/Sep/2005:04:31:32 +0200] "GET http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/carsworlds/160x600/ron/autmen/ss/a@x10 HTTP/1.0" 200 1589 "http://www.carsworlds.com/index.php" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"

84.4.28.111 - - [17/Sep/2005:04:31:32 +0200] "GET http://members.allstarporngirls.com/ HTTP/1.0" 401 111 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"

70.85.97.226 - - [17/Sep/2005:04:31:32 +0200] "GET http://castlecops.com/check4915previous.html HTTP/1.0" 200 3561 "http://emistry.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

220.113.1.56 - - [17/Sep/2005:04:31:32 +0200] "GET http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/travelurl/300x250/ron/trv/ss/a@x15 HTTP/1.0" 200 1487 "http://www.travelurl.com/832.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; Win32)"

221.232.69.81 - - [17/Sep/2005:04:31:33 +0200] "GET http://partners.mygeek.com/search.jsp?partnerid=98880&query=web%20pages&ip=207.150.164.30 HTTP/1.0" 502 653 "-" "LWP::Simple/5.79"

220.113.1.45 - - [17/Sep/2005:04:31:33 +0200] "GET http://oz.valueclick.com/cycle?host=hs0289104&b=pagebuster.544&v=1.2.20&t=js HTTP/1.0" 200 6282 "http://www.gigigame.com/sorts.php?id=8" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"

60.179.102.76 - - [17/Sep/2005:04:31:33 +0200] "GET http://partners.mygeek.com/presults.jsp?partnerid=98977&vendorId=82212&type=5&code=1&rate=483362362&cr=483362362&domain=www.redzip.com&query=1126956571333%3A%3A207.150.164.30%3A%3AColocation&url=http%3A%2F%2Fwww.redzip.com%2Findex.php%3Ftpid%3D10206%26ttid%3D100%26st%3DColocation%26tspid%3D98977 HTTP/1.1" 502 1133 "http://www.travelots.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.3705)"

84.175.26.88 - - [17/Sep/2005:04:31:33 +0200] "GET http://62.159.82.27:80/MCUpdateCMS/updatefiles/ip.php HTTP/1.1" 200 60 "-" "Mozilla/3.0 (compatible; Indy Library)"

220.170.213.217 - - [17/Sep/2005:04:31:33 +0200] "GET http://www.fantasyclicks.com/adds/bannerz/el_banner_add_005.jpg HTTP/1.0" 200 11324 "http://www.pc-123.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

222.208.183.2 - - [17/Sep/2005:04:31:33 +0200] "GET http://log.cpc.sohu.com:90/?pv.png HTTP/1.0" 200 3 "http://partner.search.sohu.com/cpc/partner.php?pid=ting98&type=14" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.3705)"

I would not care about having SOME of those requests from bots, but if I tail the access.log I can see the requests are made at a very high rate. The consequences: the Apache server performance has dropped a lot. When I try to access a web page on our server it is served in "chunks". I mean, it loads 20%, then it gets stuck for a few seconds, then 50%, then stuck for a few seconds, and so on. This is a serious problem because we cannot offer a good web service. Other services are being affected too, I suppose because a lot of Apache processes are consuming most of the CPU time.

Here's what I get running a 'ps' command to see how apache is working:

server:~# ps -A | grep apache | wc -l

102

102 Apache processes to be able to handle this flood of requests we're getting from "I don't know where". It is obvious that this can no longer continue or the service will degrade more and more.

I was wondering if someone has been in a similar situation and knows if this is a common "server attack" or something. I would appreciate it too if someone could come up with a solution to try to prevent this from happening now and in the future. I was thinking about looking for some kind of Apache log analyzer that can detect those kinds of attacks, and trying to find the IP ranges and ban them through ipchains. But I have never done this and I'm not sure how to proceed in the right direction.

Thanks, and excuse me for my poor English.
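The log analyzer the post asks for, as an added example in shell (not code from the poster or from any reply): it reads Apache combined-format lines, flags requests whose method is CONNECT or whose target is an absolute http:// or https:// URL (the shape a client sends to a forward proxy rather than to an origin server, and the shape of every line in the extract above), and counts them per source IP and per /24 so the ranges worth acting on stand out. The sample log is constructed: seven lines copied from the extract above plus one ordinary path-only request (from 192.0.2.10) made up for contrast.

```shell
#!/bin/sh
# Added example (not from the post above): find the sources of the flood in an
# Apache combined-format access log. A request is counted as "proxy-style" when
# its method is CONNECT or its target is an absolute http:// or https:// URL:
# that is what a client sends to a forward proxy, not to an origin server.

# Constructed sample log: seven lines copied from the extract above plus one
# ordinary path-only request (192.0.2.10) made up for contrast.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
206.127.2.46 - - [17/Sep/2005:04:31:30 +0200] "CONNECT www.ticketmaster.com:443 HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
220.113.1.45 - - [17/Sep/2005:04:31:31 +0200] "GET http://oz.valueclick.com/jsmaster HTTP/1.0" 200 7220 "http://www.gigigame.com/sorts.php?id=8" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
220.113.0.156 - - [17/Sep/2005:04:31:32 +0200] "GET http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/carsworlds/160x600/ron/autmen/ss/a@x10 HTTP/1.0" 200 1589 "http://www.carsworlds.com/index.php" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
220.113.1.56 - - [17/Sep/2005:04:31:32 +0200] "GET http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/travelurl/300x250/ron/trv/ss/a@x15 HTTP/1.0" 200 1487 "http://www.travelurl.com/832.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; Win32)"
70.85.97.226 - - [17/Sep/2005:04:31:30 +0200] "GET http://computercops.biz/check4915previous.html HTTP/1.0" 301 252 "http://emistry.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
70.85.97.226 - - [17/Sep/2005:04:31:32 +0200] "GET http://faorafine.pitas.com/29_08_2001.html HTTP/1.0" 200 11333 "http://emistry.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
70.85.97.226 - - [17/Sep/2005:04:31:32 +0200] "GET http://castlecops.com/check4915previous.html HTTP/1.0" 200 3561 "http://emistry.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [17/Sep/2005:04:31:33 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (constructed normal visitor)"
EOF

# proxy_requests LOGFILE: print only the proxy-style lines. In the combined
# format, whitespace-split field 1 is the client IP, field 6 is the method
# (with its leading quote) and field 7 is the request target.
proxy_requests() {
    awk '$6 == "\"CONNECT" || $7 ~ /^https?:\/\//' "$1"
}

# top_sources LOGFILE: proxy-style requests per client IP, busiest first.
top_sources() {
    proxy_requests "$1" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# top_ranges LOGFILE: the same count per /24, so scattered addresses from one
# pool (220.113.0.x, 220.113.1.x, ...) show up as blocks worth reviewing.
top_ranges() {
    proxy_requests "$1" |
        awk '{ split($1, o, "."); n[o[1] "." o[2] "." o[3] ".0/24"]++ }
             END { for (r in n) print n[r], r }' |
        sort -rn
}

# proxy_share LOGFILE: proxy-style requests as a whole-number percentage of
# all requests, the quick check that they are the bulk of the load and not
# a nuisance.
proxy_share() {
    total=$(wc -l <"$1")
    proxied=$(proxy_requests "$1" | wc -l)
    echo $(( proxied * 100 / total ))
}

echo "== proxy-style requests per IP =="; top_sources "$SAMPLE_LOG"
echo "== per /24 =="; top_ranges "$SAMPLE_LOG"
echo "== share of all requests: $(proxy_share "$SAMPLE_LOG")% =="
```

Against a real log, call `top_ranges /var/log/apache/access.log` (path assumed) and read the top of the list; the per-/24 view matters because a pool like 220.113.0.x and 220.113.1.x looks like a scatter of single addresses in the per-IP view. Anything beyond counting, such as blocking, is a separate step and should start from a reviewed list rather than from this script's raw output.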

----------

## adaptr

It's a standard DDoS attack, seeing as it comes from different IPs.

Or a DDoS attack trying to use your site to perform a DDoS attack, with much the same results.

Block the IPs, or better yet - the ranges, as they will most likely be dynamic ranges.

A simple iptables rule should do it, or you can tell Apache itself to refuse requests from those IPs.

----------

## wjholden

I agree with the last poster, you'd do well to block the most troublesome IPs.

grep piped to wc -l is great for finding such hostile hosts, but you might find AWStats useful as well since it'll elaborate on error codes.

It might also be time to consider adding some RAM to the machine.  It's not a good solution, but if this is an important website $50 might be the difference between an overloaded webserver and a crashed webserver.  Use the 'uptime' and 'top' commands to see what your load average is; if it's over 4 you're in trouble.  My poor box almost made it to 500 last summer.

----------

## jamapii

If you worry about blocking legitimate requests, you can DNAT the offending IP ranges to a different box that will act as a proxy to the primary box - only for legitimate requests.
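An added example, not code from any poster, covering both adaptr's suggestion above (block the ranges with iptables, or have Apache itself refuse them) and jamapii's (DNAT the ranges to a separate box that proxies only legitimate requests): it turns a list of CIDR ranges into the matching commands as a dry run that prints them for review instead of executing them. The range list, the malformed line in it and the proxy-box address 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from any post in this thread): turn a list of offending
# address ranges into the containment rules discussed above, printed as a dry
# run so they can be reviewed before being fed to sh as root.
#   drop  - iptables rules that discard port-80 traffic from the ranges
#   dnat  - iptables nat rules that send that traffic to a separate filtering
#           proxy box (PROXY_BOX), which forwards only legitimate requests
# plus the mod_access lines that make Apache itself refuse the same ranges.

PROXY_BOX=192.0.2.10   # hypothetical address of the filtering proxy box (constructed)

# Constructed range list, one CIDR per line, as log analysis would produce it.
# The last line is deliberately malformed (no prefix length) to show that it
# is skipped rather than turned into a rule.
RANGES=$(mktemp)
trap 'rm -f "$RANGES"' EXIT
cat >"$RANGES" <<'EOF'
# ranges seen sending proxy-style requests (constructed)
220.113.0.0/24
220.113.1.0/24
70.85.97.0/24
220.113.2.0
EOF

# valid_cidr RANGE: accept only a dotted quad with a /0-32 prefix, so a stray
# or truncated line can never become a malformed (or far too broad) rule.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# ranges_in FILE: the usable CIDRs from FILE, with comments, blank lines and
# malformed lines removed (malformed ones are reported on stderr).
ranges_in() {
    grep -v '^#' "$1" | while read -r cidr; do
        [ -n "$cidr" ] || continue
        if valid_cidr "$cidr"; then
            echo "$cidr"
        else
            echo "skipping malformed range: $cidr" >&2
        fi
    done
}

# firewall_rules MODE FILE: one iptables command per range.
# -I inserts at the top of the chain so the rule wins over any existing ACCEPT.
firewall_rules() {
    mode=$1; file=$2
    case $mode in
        drop|dnat) ;;
        *) echo "unknown mode: $mode (use drop or dnat)" >&2; return 1 ;;
    esac
    ranges_in "$file" | while read -r cidr; do
        if [ "$mode" = drop ]; then
            echo "iptables -I INPUT -s $cidr -p tcp --dport 80 -j DROP"
        else
            echo "iptables -t nat -I PREROUTING -s $cidr -p tcp --dport 80 -j DNAT --to-destination $PROXY_BOX:80"
        fi
    done
}

# apache_deny FILE: the equivalent refusal inside Apache (mod_access syntax of
# Apache 1.3/2.0), to go in the <Directory> or <Location> that serves the site.
# With "Order allow,deny" a matching Deny overrides the "Allow from all".
apache_deny() {
    echo "Order allow,deny"
    echo "Allow from all"
    ranges_in "$1" | while read -r cidr; do
        echo "Deny from $cidr"
    done
}

echo "# --- drop ---";   firewall_rules drop "$RANGES"
echo "# --- dnat ---";   firewall_rules dnat "$RANGES"
echo "# --- apache ---"; apache_deny "$RANGES"
```

The firewall variants stop the flood before it reaches an Apache process, which is what relieves the CPU load the first post describes; the Apache-only variant still costs a process per connection, so it is the weaker of the two on an already overloaded box. Separately, because the logged requests carry absolute URLs and CONNECT, which only a forward proxy should answer, it is worth confirming that mod_proxy is not set to accept them (`ProxyRequests Off` in httpd.conf); this script does not touch that setting.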

----------

