mod_sec rules to drop this...

chae (Well-Known Member, joined Apr 19, 2003, Auckland, New Zealand):
Hi Yah,

Apache is continually dying and the error logs show this over and over again...

[error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:16 2006] [error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:16 2006] [error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|

All from different IPs etc. Had a search through Google for this and found only one other post, and nothing was resolved for them. Has anyone got a mod_sec rule that would drop this?
I have already increased MaxClients and dropped the Timeout in httpd.conf to relieve the server a bit.

Thanks in advance

Chae
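As an added example that is not part of this thread: a small Python script that parses error_log lines of the kind quoted above, keeps only those whose rejected request line is a Direct Connect (NMDC) client handshake ($MyNick ... $Lock ... Pk=...), and tallies them per source IP and per DC client build so the noisiest sources can be reviewed or fed to a firewall list. The sample log is constructed from the lines in the post plus one unrelated error, and the threshold in deny_candidates is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the format of the error_log lines quoted in the post
# (client IPs and nicks copied from the post; a final unrelated line is added
# to show that non-DC errors are ignored).
SAMPLE_LOG = """\
[error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:16 2006] [error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
[Sun Nov 12 17:24:19 2006] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
"""

# Apache 1.3/2.0 error_log line; the timestamp is optional because the first
# line quoted in the post has none.
LINE_RE = re.compile(
    r'^(?:\[(?P<ts>[^\]]+)\] )?\[error\] \[client (?P<ip>[0-9.]+)\] '
    r'request failed: erroneous characters after protocol string: (?P<payload>.*)$'
)
# NMDC handshake as it appears in the payload: $MyNick <nick>|$Lock <lock> Pk=<pk>|
DC_RE = re.compile(r'^\$MyNick (?P<nick>[^|]*)\|\$Lock \S+ Pk=(?P<pk>[^|]*)\|')


def parse_dc_events(log_text):
    """Return one dict per error_log line that carries a DC handshake."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dc = DC_RE.match(m.group('payload'))
        if not dc:
            continue  # malformed request line, but not a DC client
        events.append({'ts': m.group('ts'), 'ip': m.group('ip'),
                       'nick': dc.group('nick'), 'pk': dc.group('pk')})
    return events


def summarize(events):
    """Count hits per source IP and per DC client build (the Pk string)."""
    return {'by_ip': Counter(e['ip'] for e in events),
            'by_pk': Counter(e['pk'] for e in events)}


def deny_candidates(events, threshold=2):
    """IPs with at least `threshold` DC handshakes, sorted for a firewall list."""
    return sorted(ip for ip, n in summarize(events)['by_ip'].items() if n >= threshold)
```

Run it against a real error_log by reading the file into parse_dc_events; the per-build counts show whether one client version dominates, which helps tell a redirected DC hub crowd apart from ordinary bad requests.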

chae (Well-Known Member, joined Apr 19, 2003, Auckland, New Zealand):
As a follow-up to typing this, the tech support from the datacentre where the servers are housed have basically said that they can't do anything on their side to help...

"Unfortunately most networks don't implement solutions like TopLayer to prevent these kind of outbound attacks..." then they basically tell me that I can add the IPs into our firewall, which of course doesn't help as they're (hundreds upon hundreds) spoofed (sigh).

So now we've got a crippled server because of these requests.

IPSecureNetwork (Well-Known Member, joined May 28, 2005):
Buddy, you are under attack by botnets; that's why Apache logs nicks like IRC, because those things are botnets hosted on one IRC server to attack.

I recommend something like mod_security, mod_choke and mod_ddosevasive.

I recommend an IDC with a firewall, like ipsecurenetwork.com or something like that, to prevent DDoS attacks.

AndyReed (Well-Known Member, PartnerNOC, joined May 29, 2004, Minneapolis, MN):
> or something like that .. to prevent DDoS attacks

If your server is under a good DDoS attack, nothing would stop it, including APF, BFD, Mod security and Mod Evasive, or any other software-based firewall. You have to have a hardware-based firewall such as Cisco Guard.