Hi Tony,
On Tue, Dec 31, 2013 at 12:11:34AM +0000, Tony Andersson wrote:
> Have a strange attack happening to one of my domains, on the web
> server. It is a small privatish phpBB forum with nothing exciting,
> interesting or valuable going on at all. And it is the only one
> attacked out of a handful of web sites on the server.
When you say "attack" can you give more information as to what the
negative effects are?
e.g. is it killing your web server, or is it just polluting your
logs?
> The site has had a lot of incorrect requests to the server since
> before Christmas. I get POST requests in the region of two per second.
> There's noting in the post request and it is to the root of the
> domain. Like this:
>
> 184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
When you say there's noting (nothing?) in the POST request do you
mean that you have looked at it in tcpdump etc and there is no POST
data?
Although all the requests you have shown have 301 return code which
is presumably not being followed up by the client. I am not sure if
Apache shows the request size (the "-" after the 301) when the
return code is 301, or if these requests are really empty.
My first guess on seeing logs like this would be that it's just a
botnet probing for signatures of apps that are vulnerable to a known
exploit.
> I have set up a filter in fail2ban for anyone POSTing to '/' so they
> should be completely banned (using action 'iptables-allports'). But
> due to the sheer amount of different addresses attacking it seems to
> have little effect. Plus the fact I quite often see this in the
> fail2ban log:
>
> 2013-12-30 23:38:33,080 fail2ban.actions: WARNING [http-ddos] 37.142.202.18 already banned
Another thing you could try if Fail2Ban isn't doing it for you is to
block all POST requests to a given URI using mod_security2 (which is
available for Debian).
I haven't tested this but it should be something like:
<IfModule mod_security2.c>
    # Chained rule: in mod_security2 the disruptive action ("drop") and the
    # id/phase must be on the first rule of the chain; the second rule
    # only narrows the match to requests for exactly "/".
    SecRule REQUEST_METHOD "^POST$" "phase:1,id:100,t:none,nolog,drop,chain"
        SecRule REQUEST_URI "^/$" "t:none"
</IfModule>
I think that will drop (immediately close TCP connection) on any
POST request to /.
I did think it should be possible with core Apache config but I
don't think that:
<Limit POST>
</Limit>
can be combined with a Location block.
If you didn't want to install mod_security2 then you could probably
achieve similar with mod_rewrite:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteRule ^/$ - [forbidden]
Thing is, if you're sure the POSTs aren't doing anything harmful
then blocking them like this maybe isn't buying you very much. It
may allow Apache to free up the request quicker if you're really in
a denial of service situation.
> So it seems that despite being banned they can still send a request to
> the Apache server? Not sure why, the iptables -L seems to list an
> awful lot of IP addresses and domain names. So the fail2ban filter is
> working as it should with setting up rules in iptables.
Is it possible they are concurrent requests? iptables probably
allows an ongoing TCP conversation due to allowing "related and
established" traffic.
> At the same time, postfix is getting a large amount of requests on
> port 25 too:
Are you quite sure this is related? Did it only start at the same
time as the Apache POST request flood?
> Now I am worried all this will consume my bandwidth allowance (as
> well as eating into system resources of course),
If I am looking at the right VPS's bandwidth graphs, your traffic
usage has indeed increased from almost nothing before Friday, but it
has only increased to about 16kbps out and 24kbps in, so you don't
need to worry about going through your data transfer allowance.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
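As an added illustration of the fail2ban side of this thread (example code written for this page, not from the thread, from fail2ban or from BitFolk): a Python version of a failregex for POSTs to '/', applied to constructed Apache access-log lines with fail2ban's maxretry/findtime logic, so the filter can be checked offline before relying on it. The log lines and addresses are constructed (documentation ranges), and the matching mimics fail2ban rather than calling it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban-style failregex for an Apache access log: a POST to exactly "/"
# from <HOST>, whatever status code Apache returned (301 in the thread).
FAILREGEX = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "POST / HTTP/1\.[01]" \d{3} '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # Apache combined-log timestamp

def parse_line(line):
    """Return (host, timestamp) for a line the filter matches, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    return m.group("host"), datetime.strptime(m.group("ts"), TS_FORMAT)

def offenders(lines, maxretry=3, findtime=600):
    """Mimic fail2ban: hosts with >= maxretry matches inside findtime seconds."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue   # GETs, POSTs to other paths, malformed lines
        host, ts = parsed
        hits[host].append(ts)
    banned = set()
    window = timedelta(seconds=findtime)
    for host, stamps in hits.items():
        stamps.sort()
        # sliding window: any run of maxretry consecutive hits within findtime
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                banned.add(host)
                break
    return banned

# Constructed sample log lines (addresses are documentation ranges, not real hosts)
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '192.0.2.10 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '192.0.2.10 - - [30/Dec/2013:23:32:26 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '198.51.100.7 - - [30/Dec/2013:23:32:27 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0"',
    '203.0.113.5 - - [30/Dec/2013:23:32:28 +0000] "POST /posting.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]
```

Running offenders(SAMPLE_LOG) with the defaults flags only 192.0.2.10; the legitimate phpBB POST to /posting.php is never matched, which is what the filter should guarantee before it is wired to iptables-allports.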