new type of ddos attack

Discussion in 'General Discussion' started by katmai, Sep 27, 2007.

  1. katmai

    81.154.254.186 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    58.108.43.174 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    88.253.95.237 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    60.48.104.110 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    89.238.7.18 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    67.77.203.178 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    84.98.192.46 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    86.141.35.197 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    121.219.112.203 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    68.229.87.81 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    211.28.3.225 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    75.189.92.24 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    84.58.170.90 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    84.58.170.90 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    85.68.36.118 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    90.36.160.7 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    88.139.138.82 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    24.180.129.239 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    68.47.140.30 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    88.220.132.5 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    84.58.170.90 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    72.82.170.86 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    58.175.120.17 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    58.175.120.17 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    75.189.92.24 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    68.47.140.30 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    24.180.129.239 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    58.175.120.17 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"
    58.110.78.23 - - [27/Sep/2007:09:31:33 +0200] "-" 408 - "-" "-"


    This is what access_log says.

    0-0 9930 1/1/1 W 0.00 2 0 0.3 0.000 0.000 67.77.203.178 mydomain.com slR8Ra86i9IFFt7Bp65VY27sthz2A3qdokXjGTFHlLbVgzZgh1fk2C80zQ3TpOk
    1-0 9931 0/1/1 R 0.00 1 0 0.0 0.000 0.000 ? ? ..reading..
    2-0 9932 0/1/1 _ 0.00 9 0 0.0 0.000 0.000 121.220.75.119 mydomain.com k2tp8ivAwhdrtAnuIfp5FVTcRpyvDoELdxKnRlboe8KLQipzeQeXuvpGV6yChUq
    3-0 9933 0/0/0 R 0.00 1 0 0.0 0.00 0.00 ? ? ..reading..
    4-0 9934 0/1/1 _ 0.00 41 0 0.0 0.000 0.000 217.225.130.209 mydomain.com FLSXHivPxu8gaJaoaELRgfyXEgts1fLJZD2CqvMC45aOXHCxbuuuyvn3aPdIiIt
    6-0 9936 0/3/3 _ 0.00 12 0 0.0 0.000 0.000 41.204.246.11 mydomain.com Kch0BDgUrmHVvTbdxUoNjPIB2ujzdOewYXPOPltRfq57OamQtHCcvrkUUQ2ZBkg
    7-0 9937 0/1/1 R 0.00 1 0 0.0 0.000 0.000 ? ? ..reading..
    8-0 9938 0/2/2 _ 0.00 40 0 0.0 0.000 0.000 58.105.46.71 mydomain.com 5Ug6G03xkASu4EJKk9gbEBft32DOTHUPQDp3tFXgIc2Sek5VIyVovBecMOyF5hq
    9-0 9939 0/1/1 R 0.00 1 0 0.0 0.000 0.000 ? ? ..reading..
    10-0 9940 0/2/2 _ 0.00 17 0 0.0 0.000 0.000 81.152.81.179 mydomain.com HbjoJOxfZ7Hwu58wkElY21RD2g5CNZCCgUo95DxhgJjklRRLxeM9QuuL5DDCrXT
    12-0 9942 0/1/1 _ 0.00 20 0 0.0 0.000 0.000 87.86.33.146 mydomain.com PudYFiXNe6eCHClrBBAFvTlb3D9GdUUYqqOHoj89VZ0CwRmOU1L73tGBtx6CO9i
    13-0 9943 1/1/1 W 0.00 8 0 0.3 0.000 0.000 87.0.235.144 mydomain.com ZLXmroQvXgkceizlcFs0v6u8FHwsqpZcjoUXbrLJh1zi0m2cnolealnZTaYVn4A
    14-0 9944 0/2/2 R 0.00 3 0 0.0 0.000 0.000 ? ? ..reading..
    17-0 9947 0/1/1 _ 0.00 13 0 0.0 0.000 0.000 89.218.177.38 mydomain.com 5J0tBS9ikVKVBBnM7RDzuBsh1cGzeGyKxqH1PossMFCozx2JNnyo2qugrH6Xh16
    19-0 9949 0/2/2 R 0.00 0 0 0.0 0.000 0.000 ? ? ..reading..
    21-0 9951 0/1/1 _ 0.00 17 0 0.0 0.000 0.000 90.26.122.241 mydomain.com 3JqBQkLXgiMpdbrQanmotF7QnZSjVbz4MSAQNcYkwtRmhr03sAS81B13lXcBhb2
    22-0 9952 0/1/1 _ 0.00 15 0 0.0 0.000 0.000 58.175.120.17 mydomain.com Q27LklandyYh1zAcyNbCEnw35YmhnKGZZQOmXEKGFo5vo5tbhDNmk3Vxoq3FhK9
    25-0 9955 1/3/3 W 0.00 11 0 0.3 0.000 0.000 87.161.193.205 mydomain.com Q7AQntUyfBruSCs5u7jO0Z9sgdhUqF0796esZgQf1vMcv6Y8CtFgcoOT3VPcefE
    26-0 9956 0/0/0 R 0.00 5 0 0.0 0.00 0.00 ? ? ..reading..
    28-0 9958 0/1/1 _ 0.00 15 0 0.0 0.02 0.02 209.16.114.132 mydomain.com GET /skin1/images/xlogo.jpg HTTP/1.1
    29-0 9959 0/1/1 _ 0.00 14 0 0.0 0.000 0.000 67.106.19.30 mydomain.com 2UwnrldrKi8LZzvugVAMILbX28cxCPVIUPTD1MsJGvxJQ7m8zpLmlCF4kDLEK3j
    30-0 9960 0/1/1 _ 0.00 14 0 0.0 0.000 0.000 85.176.172.90 mydomain.com QdTl09Jo4BwMUMyGVYzeT3z4ZeE9oHkDbl3VorOnkInlrq0xCLUElvV2gXeB8uU
    31-0 9961 0/1/1 _ 0.00 14 0 0.0 0.000 0.000 82.139.49.227 mydomain.com xlPJm2zEFPz8HpAmQyjQYcU4pULicsBVg6aRyyeucQD8zeLHsenpSnOob10HACF
    32-0 9962 0/1/1 _ 0.00 14 0 0.0 0.000 0.000 69.252.181.214 mydomain.com U0orycg6O7ffHVUloXzkUPricZRfiw5mtPPRpc1EMUs3OTbmNdGfw0tU6iLKE4s

    This is what Apache status says.

    Does anyone have any clue on how to work this out? I got csf installed, and now I am putting up mod_evasive.
     
    #1 katmai, Sep 27, 2007
    Last edited: Sep 27, 2007
  2. SXR1337

    Get more protection, I'd say. I use tcpdump to sniff out packages to identify an attack and then block the IP or hostname. You can run tcpdump to do DNS lookups or just bring back the IP. It can sniff packages on all ports really, so this includes HTTP (port 80). And I use APF firewall combined with Dos deflate. Dos deflate is also an open source Linux app that blocks an IP when it reaches an x number of connections. X being the number you can set ;)
     
  3. katmai

    68.230.113.248 - - [28/Sep/2007:00:38:30 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    67.83.15.130 - - [28/Sep/2007:00:38:30 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    70.244.61.44 - - [28/Sep/2007:00:38:30 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    74.139.188.191 - - [28/Sep/2007:00:38:30 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    71.100.162.235 - - [28/Sep/2007:00:38:30 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    70.180.82.63 - - [28/Sep/2007:00:38:30 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    67.190.255.13 - - [28/Sep/2007:00:38:30 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    70.160.196.215 - - [28/Sep/2007:00:38:30 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    220.239.42.230 - - [28/Sep/2007:00:38:30 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    82.237.204.14 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    74.137.196.184 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    64.207.250.78 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    24.25.205.84 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    91.77.24.227 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    70.160.246.117 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    76.194.83.22 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    207.229.169.61 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    75.185.111.59 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    68.96.50.46 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    96.10.104.236 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    68.93.99.123 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    216.227.124.151 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    85.116.64.100 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    75.52.156.23 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
    24.189.95.63 - - [28/Sep/2007:00:38:31 +0200] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"
     
  4. desordeiro

    I am having the same problem. How to prevent it?

    It is overloading my server.

    apache 1.3.41
    php 5.2.5
    xcache 1.22

    Translated by Google.. =)
     
  5. torwill

    Is there a way to stop this attack?

    I've installed dos-deflate and changed the connection setting to a much lower value than default, and increased Apache MaxClients and turned off KeepAlive. But none of these help much.

    thank you.
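
Added example, not part of any post in this thread: both access_log excerpts above show many source addresses each sending the same request within one second, so this sketch groups log lines by (request, status, user agent) and reports the groups whose aggregate rate is high while every single address stays under a per-IP limit. The function names, the two thresholds and the sample lines (documentation address ranges) are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def summarize(lines):
    """Group hits by (request, status, agent); count hits per IP and per second."""
    groups = defaultdict(lambda: {"ips": Counter(), "secs": Counter()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format access_log line
        ip, ts, request, status, agent = m.groups()
        group = groups[(request, status, agent)]
        group["ips"][ip] += 1
        group["secs"][ts] += 1  # the timestamp has one-second resolution
    return groups

def distributed_floods(lines, per_second=20, per_ip_limit=10):
    """Signatures with a high aggregate rate where no single IP reaches
    per_ip_limit, so a per-IP connection counter would not act on them.
    Both thresholds are assumed values; tune them to the site's normal load."""
    found = []
    for sig, group in summarize(lines).items():
        peak = max(group["secs"].values())
        worst_ip = max(group["ips"].values())
        if peak >= per_second and worst_ip < per_ip_limit:
            found.append({"signature": sig, "peak_per_second": peak,
                          "distinct_ips": len(group["ips"]),
                          "max_hits_one_ip": worst_ip})
    return sorted(found, key=lambda f: -f["peak_per_second"])

def sample_log():
    """Constructed lines in the shape of the two excerpts (documentation IPs)."""
    t1, t2 = "27/Sep/2007:09:31:33 +0200", "28/Sep/2007:00:38:31 +0200"
    log = [f'198.51.100.{i} - - [{t1}] "-" 408 - "-" "-"' for i in range(1, 30)]
    log += [f'198.51.100.{i} - - [{t1}] "-" 408 - "-" "-"' for i in (3, 3, 7)]
    log += [f'203.0.113.{i} - - [{t2}] "GET / HTTP/1.1" 200 332 "-" "MSIE7.0"'
            for i in range(1, 26)]
    log.append(f'192.0.2.10 - - [{t2}] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return log

if __name__ == "__main__":
    for flood in distributed_floods(sample_log()):
        print(flood)
```

The reported signature (for instance an empty request answered with 408, or one fixed user agent fetching `/`) is what a filter can match on when per-address counts stay low.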
     