0

Hi,
Can anyone explain me how to defend from this attack type?

CSF firewall installed, Dos-deflate installed, and again lot of apache processes

88.233.53.100 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.235.13.14 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.229.215.146 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
85.106.189.35 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.252.155.246 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
85.108.124.1 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.233.53.100 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.226.149.225 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.166.58.95 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.167.193.154 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.241.234.16 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.252.156.36 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.228.71.122 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.240.205.51 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.231.168.63 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.167.71.2 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.231.32.190 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.228.30.110 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.240.205.51 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.167.71.2 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.235.13.14 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
81.215.152.40 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
85.104.35.67 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
81.215.152.40 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.165.159.246 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.252.155.246 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.166.58.95 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.242.244.121 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
85.104.35.67 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
88.240.205.51 - - [25/Feb/2008:10:15:53 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"
78.166.30.163 - - [25/Feb/2008:10:15:48 -0600] "GET / HTTP/1.1" 200 10792 "-" "-"

2
Contributors
1
Reply
2
Views
9 Years
Discussion Span
Last Post by Fest3er
0

One possible way would be to run a cron job every so often that:

  • fetches log entries with the offending requests from the previous interval
  • pipes the result to 'sed -e 's/ - -.*//'|sort|uniq -c|sort -r'
  • then feeds that result to a script that creates DROP rules for iptables.

You can set the interval as short or as long as you desire, depending on how long the attack lasts. You might find it useful to track which IP addrs you block in this manner so you can easily unblock them later on.

Granted, this is a brute-force method and it isn't necessarily that great, but it should be of some help.

Otherwise, investigate your firewall and see if there is a means of having it detect empty requests and dropping them on the floor. But such packet content inspection is likely to be a drain on system performance.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.