Apache log entries - DoS attack?
I'm running Redhat 9 with Apache 2.0.52. Lately I've been getting
entries such as the following in my access_log:
66.6.223.190 - - [05/Feb/2005:02:03:53 -0800] "GET / HTTP/1.1" 200 879
"http://www.xondemand.com/sex_video/porn_star/index.html?Porn-Star"
"Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux 2.2.19; i686)"
66.6.223.190 - - [05/Feb/2005:02:03:53 -0800] "GET / HTTP/1.1" 200 879
"http://www.xondemand.com/sex_video/porn_star/index.html?Porn-Star"
"Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux 2.2.19; i686)"
66.6.223.190 - - [05/Feb/2005:02:03:53 -0800] "GET / HTTP/1.1" 200 879
"http://www.xondemand.com/sex_video/porn_star/index.html?Porn-Star"
"Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux 2.2.19; i686)"
The URL varies.
As a result my internet connection slows down to a crawl and I have to
shut down Apache.
Anyone know the cause of this and how can I stop it?
adiavr (3)
2/5/2005 9:37:03 AM
adiavr@gmail.com wrote:
> I'm running Redhat 9 with Apache 2.0.52. Lately I've been getting
> entries such as the following in my access_log:
> 66.6.223.190 - - [05/Feb/2005:02:03:53 -0800] "GET / HTTP/1.1" 200 879
> "http://www.xondemand.com/sex_video/porn_star/index.html?Porn-Star"
> "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux 2.2.19; i686)"
> 66.6.223.190 - - [05/Feb/2005:02:03:53 -0800] "GET / HTTP/1.1" 200 879
> "http://www.xondemand.com/sex_video/porn_star/index.html?Porn-Star"
> "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux 2.2.19; i686)"
> 66.6.223.190 - - [05/Feb/2005:02:03:53 -0800] "GET / HTTP/1.1" 200 879
> "http://www.xondemand.com/sex_video/porn_star/index.html?Porn-Star"
> "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux 2.2.19; i686)"
>
> The URL varies.
> As a result my internet connection slows down to a crawl and I have to
> shut down Apache.
> Anyone know the cause of this and how can I stop it?
Block the address in your firewall. You do run a firewall, don't you?
I had an attack from a user from Poland some weeks ago. The user tried to
download everything I had on my server, with 10-20 requests per second. I
blocked the entire range from that ISP in my firewall. After a few minutes
knocking his head against my firewall, the attack stopped.
I notified the ISP that one of their users has attacked my site and that the
ISP's range will remain blocked until I got an answer from them... They are
still blocked.
How many entries do you have in your log?
--
Jørn Dahl-Stamnes
http://www.dahl-stamnes.net/dahls/index.php
newsmanDELETE (168)
2/5/2005 5:14:02 PM
I can block his IP from the firewall but I've looked into it and this
seems to be a pretty common attack known as referrer spam - which means
it won't stop him or someone else with a different IP address. I'd
like to get to the root of the problem.
There are hundreds of entries like this in my log spanning over the
last week.
I've kept Apache shut down for a day and then started it and within
minutes he was back at it.
Awstats shows me:
Pages Hits Bandwidth
13498 13498 11.33 MB
adiavr (3)
2/5/2005 8:15:03 PM
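
Added example, not part of the thread: a small Python check for the referrer-spam pattern discussed above. It groups access_log hits by Referer host rather than by client IP, since the same spam referer can arrive from changing addresses. The function name, the burst threshold, and all hostnames and addresses in the sample are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log; www.example.org stands in for the site's own hostname.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Feb/2005:02:03:53 -0800] "GET / HTTP/1.1" 200 879 "http://spam.example/a.html?x" "Mozilla/5.0 (compatible; Konqueror/2.2.2)"
192.0.2.10 - - [05/Feb/2005:02:03:53 -0800] "GET / HTTP/1.1" 200 879 "http://spam.example/a.html?x" "Mozilla/5.0 (compatible; Konqueror/2.2.2)"
192.0.2.10 - - [05/Feb/2005:02:03:53 -0800] "GET / HTTP/1.1" 200 879 "http://spam.example/a.html?x" "Mozilla/5.0 (compatible; Konqueror/2.2.2)"
198.51.100.7 - - [05/Feb/2005:09:10:11 -0800] "GET / HTTP/1.1" 200 879 "http://spam.example/b.html?y" "Mozilla/5.0 (compatible; Konqueror/2.2.2)"
203.0.113.5 - - [05/Feb/2005:09:12:00 -0800] "GET /about.html HTTP/1.1" 200 2048 "http://www.example.org/" "Mozilla/5.0"
203.0.113.5 - - [05/Feb/2005:09:12:30 -0800] "GET / HTTP/1.1" 200 879 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Feb/2005:09:15:00 -0800] "GET / HTTP/1.1" 200 879 "http://search.example/?q=x" "Mozilla/5.0"
"""

def referer_spam_report(log_text, own_hosts, burst=3):
    """Return {referer_host: total_hits} for external Referer hosts seen in a
    burst: at least `burst` requests from one client with that Referer host
    inside a single one-second timestamp."""
    totals, per_second = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        host = (urlsplit(m["ref"]).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # "-" (no Referer) or a link from our own pages
        totals[host] += 1
        per_second[(m["ip"], host, m["ts"])] += 1
    bursty = {host for (_, host, _), n in per_second.items() if n >= burst}
    # Totals include hits from other client IPs carrying the same Referer host.
    return {host: totals[host] for host in bursty}

if __name__ == "__main__":
    print(referer_spam_report(SAMPLE_LOG, {"www.example.org"}))
```

Referer hosts reported this way are candidates for a Referer-based deny rule in the web server, which keeps working when the client address changes.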