Especific HTTP Atack - how to stop it?

**IRCBrasil** · 03-16-2006 03:36 PM

Hi,

Look this messages on my /etc/httpd/logs/access_log

/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:12 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:12 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:12 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:12 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:12 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:12 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:12 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:12 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:12 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:12 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:13 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:13 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:13 -0300] "-" 408 -
/etc/httpd/logs/access_log:201.58.101.80 - - [16/Mar/2006:17:20:13 -0300] "-" 408 -

There are thousands of this, and when i block it, begin with another ip.

Before i did a netstat -anp |grep 'tcp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n and i found 1600 conections by this ip. I have modsecurity and libsafe installed, but they are not helping very well.

Some one could give-me some sugestions how to stop this kind of atack?

thanks

**AndyReed** · 03-16-2006 04:26 PM

Originally Posted by IRCBrasil

Look this messages on my /etc/httpd/logs/access_log

There are thousands of this, and when i block it, begin with another ip.

Before i did a netstat -anp |grep 'tcp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n and i found 1600 conections by this ip. I have modsecurity and libsafe installed, but they are not helping very well.

Some one could give-me some sugestions how to stop this kind of atack?

With 1,600 concurrent connections, you are under a nasty DDoS attack. Have you tried, although I don't believe they would make big difference, APF and BFD? I also suggest installing Mod Evasive, and Tripwire. Did you harden your server? Also make sure you don't have bad or insecure Php files?

**fred123123** · 03-16-2006 04:49 PM

You should contact your provider ( Datacenter probably ), they probably know how to help you with this...

**konrath** · 03-25-2006 12:13 PM

Originally Posted by IRCBrasil

Hi,

Look this messages on my /etc/httpd/logs/access_log

There are thousands of this, and when i block it, begin with another ip.

Before i did a netstat -anp |grep 'tcp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n and i found 1600 conections by this ip. I have modsecurity and libsafe installed, but they are not helping very well.

Some one could give-me some sugestions how to stop this kind of atack?

thanks

You have DDOS instaled?

# wget http://www.inetbase.com/scripts/ddos/install.ddos
# sh install.ddos

**maximus_marcus** · 03-26-2006 07:51 PM

Hello,

It can be stopped only the Data center by which they will nullroute the main shared Ip for some time still this stops.

Regards,
Marcus
The New Phase Of Support

LinkBack

Thread Tools

Especific HTTP Atack - how to stop it?

WHM ¿Block mails from especific domain?

Help with BFD rule to stop multiple http requests

A BIG SPAMMER ATACK - help

Server used by atack

This Is A Spammer Atack ?