*nix Software

Apache ddos

•

Join Date: Jan 2008

Posts: 8

Reputation: armend90 is an unknown quantity at this point

Solved Threads: 0

armend90

Offline

Newbie Poster

Apache ddos

Feb 25th, 2008

Hi,
Can anyone explain me how to defend from this attack type?

CSF firewall installed, Dos-deflate installed, and again lot of apache processes

88.233.53.100 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.235.13.14 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.229.215.146 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
85.106.189.35 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.252.155.246 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
85.108.124.1 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.233.53.100 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.226.149.225 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.166.58.95 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.167.193.154 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.241.234.16 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.252.156.36 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.228.71.122 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.240.205.51 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.231.168.63 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.167.71.2 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.231.32.190 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.228.30.110 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.240.205.51 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.167.71.2 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.235.13.14 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
81.215.152.40 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
85.104.35.67 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
81.215.152.40 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.165.159.246 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.252.155.246 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.166.58.95 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.242.244.121 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
85.104.35.67 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.240.205.51 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.166.30.163 - - [25/Feb/2008:10:15:48 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"

•

Join Date: Aug 2007

Posts: 165

Reputation: Fest3er is an unknown quantity at this point

Solved Threads: 18

Fest3er

Offline

Junior Poster

Re: Apache ddos

Mar 5th, 2008

One possible way would be to run a cron job every so often that:

fetches log entries with the offending requests from the previous interval
pipes the result to 'sed -e 's/ - -.*//'|sort|uniq -c|sort -r'
then feeds that result to a script that creates DROP rules for iptables.

You can set the interval as short or as long as you desire, depending on how long the attack lasts. You might find it useful to track which IP addrs you block in this manner so you can easily unblock them later on.

Granted, this is a brute-force method and it isn't necessarily that great, but it should be of some help.

Otherwise, investigate your firewall and see if there is a means of having it detect empty requests and dropping them on the floor. But such packet content inspection is likely to be a drain on system performance.