PHPBB Attack season back?

[hmm]

Hi,
I am noticing that for last couple days one of my servers is getting badly hit by PHPBB attacking bots. (around this time only)

This is what I found in error_logs

Code:

[Mon Apr 10 14:24:34 2006] [error] [client 216.3.129.52] mod_security: Access denied with code 403. Pattern match "(system|exec|passthru|cmd|fopen|exit|fwrite)" at THE_REQUEST [hostname "www.xxxxx.com"] [uri "/viewtopic.php?p=1461&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527"]

Mod_security is stopping it but the issue is, there are too many request like this in very short period of time..this causes mysql to behave abnormally and I have to restart apache and mysql to get rid of the problem...

Anyone with good solution / idea for this?

Thanks
Deep

[chirpy]

They ought not affect MySQL since they're being blocked from running the php script by mod_security.

Do you have any MySQL tuning implemented, especially a query cache? That might help. Also, reducing the KeepAlives in httpd.conf to 3 from 15 and restarting httpd might help when under attack.

[hmm]

Hi,
I will make the keepalives to 3.
My current query_cashe_size is 64MB..

Deep