Looks like a new variant again, we are getting attacked again
Same thing here. New attack it seems - slows server down a lot even with Timeout set to 10, and apache restarts every 30-60 minutes atm.
Yep, same here, but now lowering values does nothing this time :-(
We are seeing one server that is getting attacked again like this. The mod_sec rules and .htaccess workarounds are not working on this one so far. Another fun week.
Anyone ever figure this out?
Seems these "attacks" just disappear after a while...
Anyone still having these attacks ?
I have - removed the 2 accounts being attacked and it's ok now.
Not for the clients but for me :-)
In the logs it says xoxoxoxo or **************** you as user agents.
Server load about 600 and then it's dead.
Originally Posted by jeroman8
If apache-status shows an IP instead of a ?, you may want to try http://www.nuclearelephant.com/projects/dosevasive/
Also, if the user agent is "xoxoxoxo" and "**************** you" you may want to try adding the following in a .htaccess file in the user's directory:
SetEnvIfNoCase User-Agent "^xoxoxoxo" deny
SetEnvIfNoCase User-Agent "^****************" deny
<Limit GET POST PUT>
Order allow,deny
allow from all
deny from env=deny
</Limit>
Same problem for me as well, can't block this number of IPs.
Any fix??
Life is short Have fun.
I have same problem here, a LT server.
Has anyone found a solution for this issue?...
Anyone have a solution to this ?
Thanks
Daniel
Any solution? FDC SERVERS ARE ATTACKED.....
And?
If your DC doesn't have the mechanism or capabilities to protect your server against malware, DDoS/DoS, viruses, etc. I suggest you find a different company.
Originally Posted by thewishbone
Andy Reed
RHCE and CCNA
ServerTune.com
Well, resolved, with a trick, but I hope it helps you guys; it seems all we have to do is ask our DC to resolve this.
Go to: http://fixingtheweb.com/country/blockdoc.html
And install this tool (works perfectly and resolves the issue while cPanel resolves it).
The attack (because it is a DDoS attack, write it any way you like) comes from a specific country, in my case from TURKEY.
With the tool check the IP range for the attacking IP, and write this to BLOCK all of this range:
iptables -t nat -I PREROUTING -m iprange --src-range xxx.x.x.x-xxx.xx.xxx.xxx -j DROP
This will block ALL THE IPS from this range, so be sure it belongs to your attacker.
Do the same with all IPs from the attacker.
And that's all.
When cPanel resolves the issue, you can unblock all the IP ranges.
Now my load is fine, no HTTP load.
I hope this helps you guys. And please don't use this to get money from anybody.
And sorry if my English isn't the best.
And about my server company FDCSERVERS, they are doing their best, like LT, ServerMatrix, etc.
Last edited by thewishbone; 08-26-2006 at 04:49 PM.
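Added example (not from any poster in this thread) tying the two workarounds above together: it scans Apache combined-format log lines for the "xoxoxoxo" / "**************** you" user agents that jeroman8's SetEnvIfNoCase rules match, counts hits per source IP, groups the offenders into /24 networks, and renders the range-block rule in the same --src-range form thewishbone used (in the filter INPUT chain rather than the nat table). The log lines, IPs and the /24 grouping threshold are constructed assumptions for the demo; the commands are only printed, never run.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache combined log format (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/2006:16:40:01 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "xoxoxoxo"
203.0.113.9 - - [26/Aug/2006:16:40:02 +0000] "GET /forum/ HTTP/1.1" 200 4096 "-" "XOXOXOXO"
203.0.113.7 - - [26/Aug/2006:16:40:02 +0000] "POST /admin.php HTTP/1.1" 404 210 "-" "**************** you"
198.51.100.4 - - [26/Aug/2006:16:40:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.250 - - [26/Aug/2006:16:40:04 +0000] "POST /x.php HTTP/1.1" 200 100 "-" "xoxoxoxo"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Same anchoring as the SetEnvIfNoCase rules in the thread: the UA must *start* with the token,
# matched case-insensitively (the NoCase part).
BAD_UA_RE = re.compile(r'^(xoxoxoxo|\*{16})', re.IGNORECASE)


def offending_ips(log_text):
    """Return Counter {source IP: hits} for requests whose User-Agent matches the attack signatures."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and BAD_UA_RE.match(m.group("ua")):
            hits[m.group("ip")] += 1
    return hits


def ranges_to_block(hits, prefix=24, min_sources=2):
    """Group offending IPs into /prefix networks; keep only networks with >= min_sources distinct IPs.
    The threshold (an assumption here) avoids blocking a whole /24 because of a single source."""
    nets = defaultdict(set)
    for ip in hits:
        nets[ip_network(f"{ip}/{prefix}", strict=False)].add(ip_address(ip))
    return {net: sorted(ips) for net, ips in nets.items() if len(ips) >= min_sources}


def iptables_commands(ranges):
    """Render DROP rules for each qualifying network in --src-range form (first to last address)."""
    return [
        f"iptables -I INPUT -m iprange --src-range {net[0]}-{net[-1]} -j DROP"
        for net in sorted(ranges)
    ]


if __name__ == "__main__":
    for cmd in iptables_commands(ranges_to_block(offending_ips(SAMPLE_LOG))):
        print(cmd)
```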
Turn off KeepAlive in the httpd.conf and restart apache.
Essentially what the KeepAlive does is when a client makes a connection to your webserver, apache sends them the content it requested. At this time, the KeepAlive var is brought into play. If it's active, and has a timeout set on it, then it'll maintain a connection with the client for the specified duration, then close up when the time expires.
Normally, this is a good thing; it's much more efficient than spawning a new connection every time a request is made.
Now, factor that in with a ton of requests from owned boxes scanning for vulnerable PHP scripts, and you've got easily hundreds of unique IPs hitting your server and apache maintaining each of those connections for 10 seconds (300 in the default httpd.conf I believe). You can see how it runs through the MaxClients setting pretty quickly now.
Turning off KeepAlive in the httpd.conf will go a long way towards mitigating this activity, and you can turn it back on later should you like.
I'd also suggest kicking up the MaxClients setting as well. This number will vary based on the hardware, but for this case, 3-400 shouldn't be a problem. You've gotta figure that in this instance, you're not trying to compensate for normal traffic. These scanners aren't pulling images and content, just doing random posts and seeing what bites.
You can't stop them with iptables rules as the IPs will be way too varied to be effective. I go with the policy of getting the garbage traffic in and out as fast as possible. Once you get scanned by a host, it's done with your server and moves on; no point in keeping it around longer than is necessary.
mod_security would be nice to have setup in this instance, just for helping to make sure that none of the scanners actually exploit what they're trying to.
Chris Meisinger
wingsix.com