414 errors and IP ranges

Bots trying buffer overruns from same IP range

         

washingtony

4:28 pm on Apr 23, 2004 (gmt 0)



I'm seeing a frequent amount of 414 errors in my logs from the 66. IP range. Up to five a day. Some nets are more persistent than others, like 66.130 and 66.131 - some have hit just one time and that's it. I'm not worried about the possibility of the overrun attempt working (this is a colo on a Cobalt RaQ, SunOS and Apache with current patches) but I'm WAY tired of the log bloat; the URI request is always HUGE, at least 900 to 1500 characters. Anyone else seeing this and where the heck has this IP range been assigned? Are these all just zombie attacks?

tia- WT

ronburk

2:45 am on Apr 25, 2004 (gmt 0)




Anyone else seeing this and where the heck has this IP range been assigned? Are these all just zombie attacks?

Sure. Attacks trying to use the IIS WebDAV exploit are currently thriving. Most likely just worms. The IP addresses your particular attacks come from are most likely just luck of the draw.

If you have sufficient control over your Apache configuration, you could (IIRC) filter this particular attack from your logs (assuming you're not actually using WebDAV, which most people aren't). Use SetEnvIf to set an environment variable whenever the request method is "SEARCH" (I'm guessing about the specifics of your attack, but it's probably a good guess). Then, use a CustomLog statement that only logs requests when that environment variable is not set (see Apache docs for details).
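
The SetEnvIf/CustomLog approach described in the reply above, written out as an added example that is not part of the original thread. The variable name `webdav_probe`, the log paths and the compact second log are assumptions; the second log keeps a short record of each filtered request (without the oversized URI) so the probes stay visible for detection.

```apache
# Added example; names and paths below are assumptions, adjust to your server.

# Standard combined format, defined here so the fragment is self-contained.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

# Compact format for filtered probes: client, time, method, final status.
# It deliberately omits %r, so the 900-1500 character URI is never written.
LogFormat "%h %t %m %>s" probe

# Mark every request whose method is exactly SEARCH.
# Only do this if the site does not use WebDAV.
SetEnvIf Request_Method "^SEARCH$" webdav_probe

# Main access log: skip any request that carries the marker.
CustomLog logs/access_log combined env=!webdav_probe

# Probe log: one short line per filtered request.
CustomLog logs/webdav_probe_log probe env=webdav_probe
```

A request that Apache rejects before it finishes reading the request line may never be evaluated by SetEnvIf, so compare both logs after deploying to confirm the 414 entries actually moved.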