Re: [bitfolk] Strange DDOS attack?

On Tue, Dec 31, 2013 at 12:11 AM, Tony Andersson <BitFolkList(a)tony-andersson.com> wrote: > > Have a strange attack happening to one of my domains, on the web > server. It is a small privatish phpBB forum with nothing exciting, > interesting or valuable going on at all. And it is the only one > attacked out of a handful web sites on the server. > > The site has had a lot of incorrect requests to the server since > before Christmas. I get POST requests in the region of two per second. > There's noting in the post request and it is to the root of the > domain. Like this: > 184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > 108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > 68.118.233.245 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > 173.51.226.12 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > 71.10.0.254 - - [30/Dec/2013:23:32:27 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > 75.91.250.137 - - [30/Dec/2013:23:32:29 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > 108.200.239.239 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > 64.40.129.122 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > 128.210.19.134 - - [30/Dec/2013:23:32:32 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > 12.51.89.194 - - [30/Dec/2013:23:32:33 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > 184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > 208.96.191.152 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > 70.190.134.120 - - [30/Dec/2013:23:32:37 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Because it's only the phpBB site that's being accessed in this way, it's probably something phpBB-specific. It could be a mobile client that does something unusual (although it's a strange user-agent string for something legit), or a phpBB worm / mass hack. Previous phpBB worms have searched google for phpBB specific urls / signatures and then exploited them. I suggest that you post on a phpBB specific list, as you're more likely to find people who know what it is.

Two requests/second isn't really a very effective DOS attack against most applications.

> The 301 response is something I set up when I discovered this. There > should be no POST requests to /, so I do a 301 permanent redirect back > to the client's own IP address. But that seems to have had no effect > at all. The requests are still constantly coming in. > > I have set up a filter in fail2ban for anyone POSTing to '/' so they > should be completely banned (using action 'iptables-allports'). But > due to the sheer amount of different addresses attacking it seems to > have little effect. Plus the fact I quite often see this in the > fail2ban log: > 2013-12-30 23:38:33,080 fail2ban.actions: WARNING [http-ddos] 37.142.202.18 already banned > > So it seems that despite being banned they can still send a request to > the Apache server? Not sure why, the iptables -L seems to list an > awful lot of IP addresses and domain names. So the fail2ban filter is > working as it should with setting up rules in iptables.

fail2ban works aynchronously; the ban rules only get applied after the requests appear in the logfiles and fail2ban processes them. So it's almost certainly possible for several requests to be made from an IP before fail2ban has a chance to block the IP for the first time. It should be simple to look in the logs for the timestamps of the requests and the ban attempt to work out what the sequence of events was.

> At the same time, postfix is getting a large amount of requests on > port 25 too: > > Dec 30 23:54:45 bitfolk postfix/smtpd[14601]: connect from unknown[180.67.178.14] > Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: lost connection after UNKNOWN from unknown[76.2.133.225] > Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: disconnect from unknown[76.2.133.225] > Dec 30 23:54:48 bitfolk postfix/smtpd[27968]: connect from unknown[24.151.82.226] > Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: lost connection after UNKNOWN from unknown[173.220.57.214] > Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: disconnect from unknown[173.220.57.214] > Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: lost connection after UNKNOWN from unknown[72.135.3.145] > Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: disconnect from unknown[72.135.3.145] > Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: lost connection after UNKNOWN from unknown[173.246.215.147] > Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: disconnect from unknown[173.246.215.147] > Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: lost connection after UNKNOWN from unknown[180.67.178.14] > Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: disconnect from unknown[180.67.178.14] > > And in the mail.warn log: > > Dec 30 23:10:15 bitfolk postfix/smtpd[19391]: warning: non-SMTP command from unknown[96.38.26.186]: UY:l??????????z??????\? > Dec 30 23:11:22 bitfolk postfix/smtpd[17880]: warning: non-SMTP command from unknown[181.67.172.79]: U:??[6? > Dec 30 23:14:46 bitfolk postfix/smtpd[19522]: warning: non-SMTP command from unknown[24.39.251.34]: @:??>T^R^?d???&U?V<??;W?p4?Gf#???t????,???E? > Dec 30 23:16:57 bitfolk postfix/smtpd[24688]: warning: non-SMTP command from unknown[72.181.54.101]: gu:?R?M???? > > I can only conclude this is sent to the same domain name as is > attacked on port 80...

Alternatively, it could just be the random scans and probes that everyone who runs services on the Internet gets.

> Now I am worried all this will consume up my bandwidth allowance (as > well as eating into system resources of course), and I have run out of ideas how > to stop this. Any suggestions are most welcome!

The bandwidth consumption of these requests seems tiny. Since they've been going since Christmas they'll have shown up in your weekly data transfer reports by now, if they were going to cause you a problem.