We need a way to brunt this attack - /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\

Discussion in 'General Discussion' started by jols, Dec 8, 2005.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Several times per day, a few of our servers get hit with this. Sample log entry from /usr/local/apache/logs/access_log:

    87.107.6.205 - - [08/Dec/2005:13:48:25 -0600] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\


    Goes on for hundreds of lines.

    When we get hit with just one of these, the server's load shoots through the roof, customers complain, we lose business, etc.

    We've tried a bunch of things from switching on the DoS options in apf, to working with PortSentry and mod_security, but nothing seems to work here but manually blocking the IP so that there is not another attack from the same IP, but the IPs involved with this seem to be endless.

    I believe this comes from a Windows virus, but nevertheless it has the effect of DoSing our Linux servers. Seems like there is something that could cut this short before the server load goes berserk. Anyone?

    TIA
     
  2. adept2003

    adept2003 Well-Known Member

    Joined:
    Aug 11, 2003
    Messages:
    283
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    ~ "/(extra|special)/data"
    If you have modsecurity installed, then I believe you can add a filter to the httpd.conf that drops these types of attacks.

    There are a number of people in this forum who offer services to secure boxes, & detect/drop attacks. I recommend Chirpy's services, since he did a fantastic job with my servers: http://forums.cpanel.net/showthread.php?t=46206
     
    #2 adept2003, Dec 8, 2005
    Last edited: Dec 8, 2005
  3. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    I understand that mod_security will not brunt these types of attacks because essentially the hundred lines of entry is allowed to be entered, then mod_security pipes up and stops the process, but only after all this garbage is entered, after the server's load is maxed, etc. and the inbound IP itself is never blocked so the virus or whatever is allowed to try again and again.

    HOWEVER, at this point I will try anything and as you were posting the reply (thank you), I was indeed adding this to our Mod_Security rules:

    SecFilter "SEARCH /\x90"


    What I would really prefer to do is somehow tell the firewall, "If you see this -- SEARCH /\x90 -- instantly cut the connection and firewall the IP".

    By the way, we have BFD also installed, but I think with this one you have to grant the user several consecutive tries before they are blocked, at just about everything. I'm both surprised and disappointed that switching on the DoS stuff in APF is not handling this.

    We hire Chirpy for other things including his very excellent MailScanner package installation. But so far I don't see any indication there, or from anyone, that there is any possible solution for this. The list of services he covers for this is stuff that we have already applied "I think".
     
    #3 jols, Dec 8, 2005
    Last edited: Dec 8, 2005
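The "see SEARCH /\x90, firewall the IP" step above can be done outside Apache by reading access_log for that signature and feeding the client IPs to the firewall. The script below is an added example, not code from the thread or from cPanel: it assumes the common/combined log format (client IP in the first field), that Apache writes the non-printable bytes as the literal text \x90 (which is what the log entry in the first post shows), and that "apf -d <ip>" is the block command the admin wants (APF is mentioned in the thread; the path is not, so the bare command name is used). The log lines are constructed samples, not real traffic.

```shell
#!/bin/sh
# Added example (not from the thread): pull the client IPs behind the
# "SEARCH /\x90..." requests out of an Apache access_log and print the
# firewall commands to block them. Defensive log triage only.

# Constructed sample log lines. The backslash sequences are literal text,
# exactly as Apache escapes non-printable request bytes in access_log.
SAMPLE_LOG='87.107.6.205 - - [08/Dec/2005:13:48:25 -0600] "SEARCH /\x90\x04H\x04H\x04H HTTP/1.1" 414 0 "-" "-"
10.0.0.7 - - [08/Dec/2005:13:49:01 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
87.107.6.205 - - [08/Dec/2005:13:50:12 -0600] "SEARCH /\x90\x04H\x04H\x04H HTTP/1.1" 414 0 "-" "-"
192.0.2.44 - - [08/Dec/2005:13:51:30 -0600] "SEARCH /\x90\x04H\x04H\x04H HTTP/1.1" 414 0 "-" "-"'

# search_x90_ips: read log lines on stdin, print "<count> <ip>" for every
# client that sent the signature request. grep -F matches the literal text
# "SEARCH /\x90 (no regex, so the backslashes need no extra escaping).
search_x90_ips() {
    grep -F '"SEARCH /\x90' \
        | awk '{ print $1 }' \
        | sort \
        | uniq -c \
        | awk '{ print $1, $2 }'
}

# block_commands [min_hits]: print one "apf -d <ip>" line per offending IP
# that sent at least min_hits signature requests (default 1, i.e. block on
# the first sighting, which is what the post above asks for). Output is
# sorted so it is stable for review before it is piped to a shell.
block_commands() {
    min=${1:-1}
    search_x90_ips | awk -v min="$min" '$1 >= min { print "apf -d " $2 }' | sort
}

# Stand-alone usage on the constructed sample. Against a live box you would
# replace the printf with: tail -n 5000 /usr/local/apache/logs/access_log
printf '%s\n' "$SAMPLE_LOG" | block_commands 1
```

Run from cron every few minutes, or feed a live `tail -f` of access_log into `search_x90_ips`, to get the "block on first sighting" behaviour without waiting for BFD's consecutive-attempt threshold; review the printed commands before piping them to `sh`, since a single mis-parsed field would block the wrong address.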
  4. Beansprout

    Beansprout Active Member

    Joined:
    Sep 12, 2005
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    Try mod_dosevasive to limit the number of connections per second per IP :)
     
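For the per-IP rate limit suggested above, here is what the httpd.conf fragment looks like. This is an added example, not configuration from the thread: the directive names are those of mod_evasive (the later name of mod_dosevasive), the module file name in the IfModule test and the apf path are assumptions for a cPanel box, and the numeric values are starting points to tune against real traffic.

```apache
# Added example, not from the thread. Per-IP request-rate limiting with
# mod_evasive (formerly mod_dosevasive); module name and paths are assumptions.
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    # Same URI from one IP more than DOSPageCount times per DOSPageInterval
    # seconds trips the limit ...
    DOSPageCount        5
    DOSPageInterval     1
    # ... as does any request from one IP more than DOSSiteCount times per
    # DOSSiteInterval seconds.
    DOSSiteCount        50
    DOSSiteInterval     1
    # Tripped clients get 403 for this many seconds; the timer restarts on
    # every further request they send.
    DOSBlockingPeriod   60
    # Optional: hand the offending IP to the firewall, which is the
    # "instantly firewall the IP" behaviour asked for earlier in the thread.
    # %s is replaced with the client address. Path to apf is assumed.
    DOSSystemCommand    "/usr/local/sbin/apf -d %s"
    DOSLogDir           /var/log/mod_evasive
</IfModule>
```

Two caveats a practitioner would want: DOSSystemCommand runs as the Apache user, so the firewall call needs a privilege arrangement (the module's own README suggests wrapping it in su/sudo) or it will silently fail; and the thread's next reply records that this module has compatibility problems with FrontPage server extensions, so test on a non-FrontPage host first.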
  5. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Sounds good, but I have read that mod_dosevasive breaks FrontPage server extensions. In your experience is this true? I just don't want to be tarred and feathered by a bunch of rabid FrontPage users. :D
     
  6. Beansprout

    Beansprout Active Member

    Joined:
    Sep 12, 2005
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    It is reported to have problems with Frontpage, so looks like you're stuck on that one. mod_security is the only other similar-style module I know for Apache.

    Are you running the latest version of Apache? It shouldn't be affected by long URLs - I'm guessing it's just being thrown the URLs multiple times, ie, a DoS attack.

    Then again, I've never seen this issue before.
     