On Tue, Dec 31, 2013 at 12:11 AM, Tony Andersson
<BitFolkList(a)tony-andersson.com> wrote:
Hi all,
Have a strange attack happening to one of my domains, on the web
server. It is a small privatish phpBB forum with nothing exciting,
interesting or valuable going on at all. And it is the only one
attacked out of a handful web sites on the server.
The site has had a lot of incorrect requests to the server since
before Christmas. I get POST requests in the region of two per second.
There's nothing in the POST request and it is to the root of the
domain. Like this:
184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.118.233.245 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
173.51.226.12 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
71.10.0.254 - - [30/Dec/2013:23:32:27 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.91.250.137 - - [30/Dec/2013:23:32:29 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.200.239.239 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.40.129.122 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
128.210.19.134 - - [30/Dec/2013:23:32:32 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
12.51.89.194 - - [30/Dec/2013:23:32:33 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
208.96.191.152 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
70.190.134.120 - - [30/Dec/2013:23:32:37 +0000] "POST / HTTP/1.1" 301 -
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Because it's only the phpBB site that's being accessed in this way,
it's probably something phpBB-specific. It could be a mobile client
that does something unusual (although it's a strange user-agent string
for something legit), or a phpBB worm / mass hack. Previous phpBB
worms have searched Google for phpBB-specific URLs / signatures and
then exploited them. I suggest that you post on a phpBB specific list,
as you're more likely to find people who know what it is.
Two requests/second isn't really a very effective DoS attack against
most applications.
The 301 response is something I set up when I discovered this. There
should be no POST requests to /, so I do a 301 permanent redirect back
to the client's own IP address. But that seems to have had no effect
at all. The requests are still constantly coming in.
I have set up a filter in fail2ban for anyone POSTing to '/' so they
should be completely banned (using action 'iptables-allports'). But
due to the sheer amount of different addresses attacking it seems to
have little effect. Plus the fact I quite often see this in the
fail2ban log:
2013-12-30 23:38:33,080 fail2ban.actions: WARNING [http-ddos] 37.142.202.18 already banned
So it seems that despite being banned they can still send a request to
the Apache server? Not sure why; iptables -L seems to list an
awful lot of IP addresses and domain names. So the fail2ban filter is
working as it should with setting up rules in iptables.
fail2ban works asynchronously; the ban rules only get applied after the
requests appear in the logfiles and fail2ban processes them. So it's
almost certainly possible for several requests to be made from an IP
before fail2ban has a chance to block the IP for the first time. It
should be simple to look in the logs for the timestamps of the
requests and the ban attempt to work out what the sequence of events
was.
At the same time, postfix is getting a large number of requests on
port 25 too:
Dec 30 23:54:45 bitfolk postfix/smtpd[14601]: connect from unknown[180.67.178.14]
Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: lost connection after UNKNOWN from unknown[76.2.133.225]
Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: disconnect from unknown[76.2.133.225]
Dec 30 23:54:48 bitfolk postfix/smtpd[27968]: connect from unknown[24.151.82.226]
Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: lost connection after UNKNOWN from unknown[173.220.57.214]
Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: disconnect from unknown[173.220.57.214]
Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: lost connection after UNKNOWN from unknown[72.135.3.145]
Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: disconnect from unknown[72.135.3.145]
Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: lost connection after UNKNOWN from unknown[173.246.215.147]
Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: disconnect from unknown[173.246.215.147]
Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: lost connection after UNKNOWN from unknown[180.67.178.14]
Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: disconnect from unknown[180.67.178.14]
And in the mail.warn log:
Dec 30 23:10:15 bitfolk postfix/smtpd[19391]: warning: non-SMTP command from unknown[96.38.26.186]: UY:l??????????z??????\?
Dec 30 23:11:22 bitfolk postfix/smtpd[17880]: warning: non-SMTP command from unknown[181.67.172.79]: U:??[6?
Dec 30 23:14:46 bitfolk postfix/smtpd[19522]: warning: non-SMTP command from unknown[24.39.251.34]: @:??>T^R^?d???&U?V<??;W?p4?Gf#???t????,???E?
Dec 30 23:16:57 bitfolk postfix/smtpd[24688]: warning: non-SMTP command from unknown[72.181.54.101]: gu:?R?M????
I can only conclude this is sent to the same domain name as is
attacked on port 80...
Alternatively, it could just be the random scans and probes that
everyone who runs services on the Internet gets.
Now I am worried all this will use up my bandwidth allowance (as
well as eating into system resources of course), and I have run out of ideas of how
to stop this. Any suggestions are most welcome!
The bandwidth consumption of these requests seems tiny. Since they've
been going since Christmas they'll have shown up in your weekly data
transfer reports by now, if they were going to cause you a problem.
Cheers,
Graham
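Graham's suggestion above, to compare the timestamps of the requests with the timestamp of the ban attempt, can be done mechanically. The script below is an added example and is not part of the thread; it is not Tony's fail2ban configuration or anything from fail2ban or Apache themselves. It parses Apache combined-log lines and fail2ban 0.8-style action lines, flags the "POST /" condition the thread's jail keys on, and for every banned IP counts how many of its suspicious requests were logged before the "Ban" line (the asynchronous window Graham describes, which explains an "already banned" warning) versus after it (which would mean the iptables rule is not actually dropping the traffic). The sample log text is constructed for the example, reusing the shape of the lines quoted in the thread; the "Ban" line preceding the quoted "already banned" line is assumed, as is the assumption that fail2ban's local-time log matches the +0000 offset in the Apache log.

```python
"""Correlate 'POST /' hits in an Apache access log with fail2ban ban
timestamps, to separate requests that arrived before a ban took
effect (expected: fail2ban is asynchronous) from requests that arrived
after it (unexpected: the iptables rule is not blocking)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data in the format quoted in the thread.
ACCESS_LOG = """\
184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.142.202.18 - - [30/Dec/2013:23:38:30 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.142.202.18 - - [30/Dec/2013:23:38:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.142.202.18 - - [30/Dec/2013:23:38:34 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.5 - - [30/Dec/2013:23:38:35 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# The "Ban" line is assumed; the "already banned" line is the one quoted in the thread.
FAIL2BAN_LOG = """\
2013-12-30 23:38:32,010 fail2ban.actions: WARNING [http-ddos] Ban 37.142.202.18
2013-12-30 23:38:33,080 fail2ban.actions: WARNING [http-ddos] 37.142.202.18 already banned
"""

# Apache combined log: client, identd, user, [timestamp], "request", status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# fail2ban 0.8-style action lines: "Ban <ip>" and "<ip> already banned".
F2B_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions: '
    r'\w+ \[(?P<jail>[^\]]+)\] (?:Ban (?P<ban_ip>\S+)|(?P<dup_ip>\S+) already banned)$'
)


def parse_access(text):
    """Yield (ip, timestamp, method, path, status) for each parseable line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"], int(m["status"])


def is_suspicious(method, path):
    """The condition the thread's jail keys on: a POST to the site root."""
    return method == "POST" and path == "/"


def count_suspicious(text):
    """Number of 'POST /' requests per client IP."""
    counts = defaultdict(int)
    for ip, _ts, method, path, _status in parse_access(text):
        if is_suspicious(method, path):
            counts[ip] += 1
    return dict(counts)


def parse_bans(text, tz=timezone.utc):
    """Return (first ban time per IP, 'already banned' count per IP).
    Assumption: fail2ban logs in local time and this host runs on UTC."""
    bans, dups = {}, defaultdict(int)
    for line in text.splitlines():
        m = F2B_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        if m["ban_ip"]:
            bans.setdefault(m["ban_ip"], ts)
        else:
            dups[m["dup_ip"]] += 1
    return bans, dict(dups)


def classify(access_text, f2b_text):
    """For each banned IP, count suspicious requests logged before vs after its ban.
    A non-zero 'after_ban' means traffic reached Apache despite the iptables rule."""
    bans, _ = parse_bans(f2b_text)
    result = {ip: {"before_ban": 0, "after_ban": 0} for ip in bans}
    for ip, ts, method, path, _status in parse_access(access_text):
        if not is_suspicious(method, path) or ip not in bans:
            continue
        key = "before_ban" if ts < bans[ip] else "after_ban"
        result[ip][key] += 1
    return result


if __name__ == "__main__":
    print("POST / per IP:", count_suspicious(ACCESS_LOG))
    print("requests relative to ban:", classify(ACCESS_LOG, FAIL2BAN_LOG))
```

Run against real files by reading /var/log/apache2/access.log and /var/log/fail2ban.log into the two text arguments. Requests in the "before_ban" bucket are the ordinary lag between a request being logged and fail2ban acting on it; anything in "after_ban" is worth checking against the actual iptables chain, since it indicates the ban is not taking effect.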