DoS Attack - What Is Going On? - Webmaster General forum at WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

DoS Attack - What Is Going On?

l008comm

11:01 am on Mar 4, 2008 (gmt 0)

OK so for the past 3 or 4 months, my server has been under a DoS attack. At it's peak, I was getting 1000 hits per second. This is a very specific kind of attack though. They are simply loading my site's homepage. Its very strange. IPs will come online, hit me for a while, then go away. I have currently firewalled well over 100 IPs. Anyone have any ideas what this is all about?

The user Agent is always one of 4:
Java/1.6.0_01
Java/1.6.0_02
Java/1.6.0_03
And one very specific french version of Firefox

[edited by: phranque at 12:37 pm (utc) on Mar. 5, 2008]
[edit reason] IPs removed. See TOS [webmasterworld.com] [/edit]

SteveWh

1:00 pm on Mar 4, 2008 (gmt 0)

Are they requesting the home page with various weird URLs in the query string? Those would be RFI attempts.

Or it could be referrer spam: trying to make enough requests to get to the top of your referring sites list (and thus create a linkback to their sites), if you publish your site stats publicly. They wouldn't know or care if you publish the stats; it's automated, so they can just hit a lot of sites with a lot of requests and hope some of them will have an effect.

But really, for either of those, 1000 per second is an awful lot, and RFI attacks are usually more creative than hitting the same page over and over.

I've had some similar situations (nowhere near that many hits, though) where I figured it was someone trying unsuccessfully to learn how to use wget, or someone trying to write their own crawler and it went haywire for a while, unattended.

l008comm

6:28 pm on Mar 4, 2008 (gmt 0)

There is actually no referrer, and no funny GET stuff, just simple homepage loading. And look at the similarity of the IPs too. When I get a new IP from my ISP, its not in the same subnet, its usually only the first number thats the same. Strange.

SteveWh

3:34 pm on Mar 5, 2008 (gmt 0)

Oops, I see the IPs are removed. I got curious and came back to try to check some of them out.

Do a WhoIs search on some of the IPs. See if the ones that are close together are related, such as at the same hosting co.

Also see if you can find any relationship among the ones that aren't close together.

If they trace to websites rather than ISP's, they might be hacked sites that have been taken over to work as malicious crawlers. I'd guess it's a botnet.

Maybe check some of them to see if they are "badware-flagged" in Google.

Basically, all that is just if you're still curious about what's going on and want to check into it further.

Java is some sort of crawler application like wget. I've never seen it used legitimately, so if you get tired of adding IPs to the firewall, the easiest way to reduce your bandwidth consumption by these is to block requests where the U-A contains Java.

appi2

3:51 pm on Mar 5, 2008 (gmt 0)

Quick cut n paste from my htaccess file

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Java.*$
RewriteRule .* -[F]

l008comm

8:50 pm on Mar 5, 2008 (gmt 0)

I already have multiple systems in place to make sure these people get 403s, but even 403 pages add up when you're getting 40 of them a second (or more).

Another idea I had was that, maybe some programming newbie made an "app that tells you your IP", and it does this just buy loading my site (its one of those whats my ip sites) over and over. So maybe the IPs are just regular users who don't realize they are using super #*$!ty software. However I haven't seen anything like this so who knows.

venti

10:42 pm on Mar 6, 2008 (gmt 0)

We have had similar problems. We have a algorithm to detect these types of requests which when triggered will add the IPs to the server's local security policy which prevents them from even reaching the web server. The algorithm also sets up a schedule task to remove the block after a certain number of hours. There are different levels of severity to manage repeat offenders.

Works very well.

venti

10:48 pm on Mar 6, 2008 (gmt 0)

If french traffic is expendable, you may try a geoip database that looks up the requesting IPs country and then block if it is france.

l008comm

10:57 pm on Mar 6, 2008 (gmt 0)

I suspect that the IP's themselves are not french, only the firefox user agent. Also it might be german not french. The Java based UA's are much much more common.

Also I believe when this started, I looked up many of the IPs and they were coming from all over the world.

The IP i JUST firewalled a sec ago was from peru. just looked up another at random, from canada. Hers a group from new zealand. And another from the netherlands. So I don't think blocking by local is going to work. If it is a 'freeware', I need to find it and get it pulled (since it doesn't work anyway, it gets nothing but 403). If its an attack, its not doing any harm but making my access logs huge and being extremely annoying.

l008comm

7:44 am on Apr 19, 2008 (gmt 0)

BTW this is still going on. I've just been watching my logs in Server Admin and firewalling up a storm. I probably have 1000 IPs firewalled. At this point its totally under control. But I still try to check it daily and add any of these 'bots' to the firewall.

OS X Server it turns out does have this adaptive firewall that could be great if I could figure out how to access it myself. I could have php send it these IPs and it would automatically block them for 15 minutes then remove them. Then if they're still at it, block them again :-)

Meanwhile I still never figured out where these hits are coming from. I'm assuming its some crappy java app that "tells you your IP". I can't think of anything else, but I also haven't seen anything solid. And it strange that the hits still come, even though they don't get anything. Even before I firewall them, they are getting nothing but 403 pages. Strange stuff. Oh well.