Thread: [mod-security-users] anyone saw this dos-ish attack + how to block
From: Hugh B. <hbe...@ya...> - 2005-06-24 22:24:10
I've been getting a lot of lines like this in my logs:

- 200.39.103.224 - - [24/Jun/2005:02:45:22 -0400] "-" 408 - "-" "-"
- 148.244.150.58 - - [24/Jun/2005:02:45:23 -0400] "-" 408 - "-" "-"
- 148.244.150.58 - - [24/Jun/2005:02:45:31 -0400] "-" 408 - "-" "-"
- 168.212.79.8 - - [24/Jun/2005:02:45:58 -0400] "-" 408 - "-" "-"

Anyone know a quick mod_security method to block these? I hate to just ask without any research on my part, but it's causing some big problems on this particular server, so I thought I would fire off a quick message in case anyone has seen this before and has a solution.

Thanks!
From: Ivan R. <iv...@we...> - 2005-06-24 22:48:22
Hugh Beaumont wrote:
> I've been getting a lot of lines like this in my logs:
>
> - 200.39.103.224 - - [24/Jun/2005:02:45:22 -0400] "-" 408 - "-" "-"
> - 148.244.150.58 - - [24/Jun/2005:02:45:23 -0400] "-" 408 - "-" "-"
> - 148.244.150.58 - - [24/Jun/2005:02:45:31 -0400] "-" 408 - "-" "-"
> - 168.212.79.8 - - [24/Jun/2005:02:45:58 -0400] "-" 408 - "-" "-"
>
> Anyone know a quick mod_security method to block these. I hate to just ask without any
> research on my part but its causing some big problems on this particular server so I thought I
> would fire off a quick message in case anyone has saw this before and has a solution.

How many such requests per minute do you get?

You won't be able to use mod_security for this purpose. But you could use blacklist:

http://www.apachesecurity.net/tools/

You'll only need to write a Perl script that watches the access log and counts the number of 408 responses per IP address. Be careful, though: timeouts can happen during normal operation as well.

> but its causing some big problems on this particular server

You should also look into reducing the timeout value of the server.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
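The log-watching script Ivan describes above (count 408 responses per client IP, and do not treat a single timeout as abuse because timeouts also happen in normal operation), as an added example that is not part of the thread and not the blacklist tool he links. It is written in Python rather than the Perl he suggests. The log lines are constructed in the shape Hugh posted, the threshold of 3 timeouts in a 60-second sliding window is an arbitrary starting point, and the output format is this example's own, not the input format of any particular blocking tool.

```python
"""Count HTTP 408 (request timeout) responses per client IP in an Apache access log."""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, shaped like the lines in the thread (the leading "-" is an extra
# log field; the regex below locates the client IP rather than relying on field position).
SAMPLE_LOG = """\
- 200.39.103.224 - - [24/Jun/2005:02:45:22 -0400] "-" 408 - "-" "-"
- 148.244.150.58 - - [24/Jun/2005:02:45:23 -0400] "-" 408 - "-" "-"
- 148.244.150.58 - - [24/Jun/2005:02:45:31 -0400] "-" 408 - "-" "-"
- 168.212.79.8 - - [24/Jun/2005:02:45:58 -0400] "-" 408 - "-" "-"
- 148.244.150.58 - - [24/Jun/2005:02:46:02 -0400] "-" 408 - "-" "-"
- 192.0.2.10 - - [24/Jun/2005:02:46:10 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
- 148.244.150.58 - - [24/Jun/2005:02:46:15 -0400] "-" 408 - "-" "-"
"""

LOG_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '   # client IP, ident, auth user
    r'\[(?P<ts>[^\]]+)\] '                        # [dd/Mon/yyyy:HH:MM:SS zone]
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) '        # "request line" status
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, status) or None for lines that do not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])


def find_timeout_abusers(lines, threshold=3, window_seconds=60):
    """Return {ip: peak_count} for IPs with >= threshold 408s inside any window_seconds span.

    The per-IP sliding window is what keeps ordinary slow clients off the list:
    one timeout now and then never accumulates to the threshold.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != 408:
            continue
        ip, ts, _ = rec
        window = recent[ip]
        window.append(ts)
        cutoff = ts - timedelta(seconds=window_seconds)
        while window and window[0] < cutoff:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


if __name__ == "__main__":
    # Usage: python3 count408.py /var/log/apache2/access_log  (no argument runs the sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, count in sorted(find_timeout_abusers(source).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{count} timeouts within 60s")
```

On the sample only 148.244.150.58 crosses the threshold (four 408s inside a minute); the two single-timeout addresses are left alone, which is the point of Ivan's caveat. Whatever consumes the output should expire blocks after a while, since a timeout burst from a proxy says nothing about who uses that proxy next week.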
From: Troy A. <tr...@ze...> - 2005-06-24 22:49:48
On Fri, Jun 24, 2005 at 03:23:59PM -0700, Hugh Beaumont wrote:
> I've been getting a lot of lines like this in my logs:
>
> - 200.39.103.224 - - [24/Jun/2005:02:45:22 -0400] "-" 408 - "-" "-"
> - 148.244.150.58 - - [24/Jun/2005:02:45:23 -0400] "-" 408 - "-" "-"
> - 148.244.150.58 - - [24/Jun/2005:02:45:31 -0400] "-" 408 - "-" "-"
> - 168.212.79.8 - - [24/Jun/2005:02:45:58 -0400] "-" 408 - "-" "-"
>
> Anyone know a quick mod_security method to block these. I hate to just
> ask without any research on my part but its causing some big problems on
> this particular server so I thought I would fire off a quick message in
> case anyone has saw this before and has a solution.

Status code 408 is a request timeout. The log entries above don't look like a DOS attack, but rather the symptom of another problem with your web server. Perhaps the server is overloaded? You have some poorly written script that makes the server work too hard? Just guesses, but that's where I'd start looking.

-troy
From: Tom A. <tan...@oa...> - 2005-06-25 02:19:00
Those IPs are all listed in URIBLs. I run a script which identifies such URLs in my email and inserts the tokens you see below. Click on the "rulesemporium.com" link to see which block lists these are contained in. (Oops, that site looks like it's down at the moment... try spamhaus.org, opm.blitzed.org, or cbl.abuseat.org.)

Looks like those IPs are open proxies. This is probably a worm attack on your system.

Tom

On Fri, 2005-06-24 at 18:23, Hugh Beaumont wrote:
> I've been getting a lot of lines like this in my logs:
>
> -
>
> SPAM-ADDRESS: 200.39.103.224
> http://www.rulesemporium.com/cgi-bin/uribl.cgi?domain0=200.39.103.224&bl0=0
>
> - - [24/Jun/2005:02:45:22 -0400] "-" 408 - "-" "-"
> -
>
> SPAM-ADDRESS: 148.244.150.58
> http://www.rulesemporium.com/cgi-bin/uribl.cgi?domain0=148.244.150.58&bl0=0
>
> - - [24/Jun/2005:02:45:23 -0400] "-" 408 - "-" "-"
> -
>
> SPAM-ADDRESS: 148.244.150.58
> http://www.rulesemporium.com/cgi-bin/uribl.cgi?domain0=148.244.150.58&bl0=0
>
> - - [24/Jun/2005:02:45:31 -0400] "-" 408 - "-" "-"
> -
>
> SPAM-ADDRESS: 168.212.79.8
> http://www.rulesemporium.com/cgi-bin/uribl.cgi?domain0=168.212.79.8&bl0=0
>
> - - [24/Jun/2005:02:45:58 -0400] "-" 408 - "-" "-"
>
> Anyone know a quick mod_security method to block these. I hate to just ask without any
> research on my part but its causing some big problems on this particular server so I thought I
> would fire off a quick message in case anyone has saw this before and has a solution.
>
> Thanks!
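The block-list check Tom refers to, done directly against DNS rather than through the rulesemporium.com page, as an added example that is not part of the thread. DNSBLs are queried by reversing the IPv4 octets and appending the list's zone; an A record in the answer means "listed", NXDOMAIN means "not listed". The two zones used here are the public lookup zones of two lists Tom names (zen.spamhaus.org, cbl.abuseat.org); the choice of zones and the answer-code handling are this example's, and nothing here asserts that the addresses in the thread are listed today.

```python
"""Look a client IP up in DNS-based block lists (DNSBLs), the way URIBL checkers do."""
import ipaddress
import socket

# Public lookup zones of two of the lists named in the thread (example choice).
DNSBL_ZONES = ("zen.spamhaus.org", "cbl.abuseat.org")


def dnsbl_query_name(ip, zone):
    """Build the lookup name: IPv4 octets reversed, then the zone appended.

    200.39.103.224 checked against zen.spamhaus.org becomes
    224.103.39.200.zen.spamhaus.org
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listing(answer):
    """True if a DNSBL answer denotes a listing for the zones above.

    Listings come back as 127.0.0.x with x >= 2. Answers in 127.255.255.0/24 are
    Spamhaus error codes (query sent through an open/public resolver, query limit
    exceeded) and must not be read as "listed".
    """
    if answer is None:
        return False
    a = ipaddress.ip_address(answer)
    return a in ipaddress.ip_network("127.0.0.0/24") and a != ipaddress.ip_address("127.0.0.1")


def check_dnsbl(ip, zones=DNSBL_ZONES):
    """Return {zone: A-record string or None}.

    None covers both NXDOMAIN (not listed) and resolver failure; the stdlib resolver
    cannot tell them apart, so treat None as "unknown", never as "clean".
    """
    results = {}
    for zone in zones:
        try:
            results[zone] = socket.gethostbyname(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            results[zone] = None
    return results


if __name__ == "__main__":
    import sys
    # Usage: python3 dnsbl.py 200.39.103.224 148.244.150.58   (network access required)
    for ip in sys.argv[1:] or ["200.39.103.224"]:
        for zone, answer in check_dnsbl(ip).items():
            if is_listing(answer):
                verdict = f"listed ({answer})"
            elif answer is None:
                verdict = "no answer (not listed, or lookup failed)"
            else:
                verdict = f"non-listing answer {answer}"
            print(f"{ip} in {zone}: {verdict}")
```

A listing on an open-proxy or spam-source list is a useful corroborating signal next to the 408 counts, but it is not a reason to block on its own: the same proxies relay legitimate traffic, and a lookup that silently fails (blocked resolver, rate limit) looks identical to "not listed" with this resolver.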