mod_sec rules to drop this...

chae

Well-Known Member
Apr 19, 2003
145
0
166
Auckland, New Zealand
Hi Yah,

Apache continually dying and error logs show this over & over again...

[error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:16 2006] [error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:16 2006] [error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|

All from different IP's etc etc. Had a search through Google for this and only one other post & nothing resolved for them. Has anyone got a mod_sec rule that would drop this ???
Have already increased the maxclient & dropped the timeout in httpd.conf to relieve the server a bit

Thanks in advance

Chae
 

chae

Well-Known Member
Apr 19, 2003
145
0
166
Auckland, New Zealand
As a follow up to typing this the techsupport from the Datacentre where the servers are housed have basically said that they can't do anything their side to help...

"Unfortunately most networks don't implement solutions like TopLayer to prevent these kind of outbound attacks..." then they basically tell me that I can add the IP's into our firewall which of course doesn't help as they're (hundreds up hundreds) spoofed (sigh)

So now we've got a crippled server because of these requests
 

IPSecureNetwork

Well-Known Member
May 28, 2005
97
0
156
buddy you are under attack of botnets thats why the apache marks nicks like IRC .. coz that things are botnets hosted in one irc server to attack.

i recomend you some thing like mod security, mod_choke and mod_ddosevasive

i recomend you one idc with firewall like ipsecurenetwork.com or something like that .. to prevent DDoS attacks
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,221
4
193
Minneapolis, MN
or something like that .. to prevent DDoS attacks
If your server is under good DDoS attack, none would would stop it including APF, BFD, Mod security and Mod Evasive, or any other software-based firewall. You have to have hardware-based firewall such as Cisco Guard.