Hi Tony,
Well, a DDoS solution it is. :)
When they realise that they have no effect they are likely to move on. And you can gradually open your server up as need be, once you have established which machines are culpable.
Consider this the rough and ready farmer's method.
It's imperfect I know but it should work until you get to a garage.
Cheers,
On Tuesday 31 December 2013 at 2:06, Tony Andersson <BitFolkList(a)tony-andersson.com> wrote:
Re: [bitfolk] Strange DDOS attack?
Hi Max,
Thanks for the idea, but the problem then would be that no-one can connect to any web site on the server, nor can anyone actually send legit e-mails to the domain.
I could just turn the vps off completely instead in that case... :-(
I have turned off IP v6, and the attacks on port 25 seem to have eased off, but on port 80 they are still ongoing.
Cheers,
__
/ony
-------
Tuesday, December 31, 2013, 12:34:58 AM, Max wrote:
% cat >> /etc/hosts.deny
ALL: ALL except your.home.ip.here
might help, as might this:
% cat /var/log/apache2/access.log | awk '{printf "echo \"ALL: %s\" >> /etc/hosts.deny\n", $1}' | /bin/sh
this assumes you have installed tcpd
cheers
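A refinement of the one-liner above, added here as an example and not code from the thread: it selects only the clients that sent the "POST /" requests described earlier in the thread, de-duplicates them, leaves out the operator's own address (the `ALL: ALL except your.home.ip.here` idea, applied per entry), and prints the hosts.deny entries for review instead of writing them straight into /etc/hosts.deny. The function name, the sample log and the 192.0.2.x / 198.51.100.x addresses in it are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds tcp-wrappers (hosts.deny)
# entries from an Apache combined-format access log: keeps only clients that
# sent "POST /" (the pattern reported in the thread), de-duplicates them,
# drops the operator's own address, and prints "ALL: <ip>" lines for review.
# Nothing is written to /etc/hosts.deny; append the output once it looks right.

# Usage: deny_entries_from_log ACCESS_LOG OPERATOR_IP
# Combined log format fields: $1 = client IP, $6 = "\"POST", $7 = request path.
deny_entries_from_log() {
    awk -v allow="$2" '
        $6 == "\"POST" && $7 == "/" && $1 != allow { seen[$1]++ }
        END { for (ip in seen) print "ALL: " ip }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample log: two client addresses taken from the thread plus
# documentation-range addresses (192.0.2.0/24, 198.51.100.0/24).
# 198.51.100.7 stands in for the operator's home IP.
SAMPLE_ACCESS_LOG="${TMPDIR:-/tmp}/access.sample.$$"
cat > "$SAMPLE_ACCESS_LOG" <<'EOF'
184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [30/Dec/2013:23:32:26 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Dec/2013:23:32:27 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
EOF
trap 'rm -f "$SAMPLE_ACCESS_LOG"' EXIT

# Review the result, then for real:
#   deny_entries_from_log /var/log/apache2/access.log YOUR.HOME.IP >> /etc/hosts.deny
deny_entries_from_log "$SAMPLE_ACCESS_LOG" 198.51.100.7
```

Like the original one-liner, this only has an effect on services that consult hosts.deny, that is, services started through tcpd or linked against libwrap. Apache httpd and Postfix do neither, so for the port 80 and port 25 traffic in this thread the generated address list is better fed to iptables or to the daemon's own access controls.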
On Tuesday 31 December 2013 at 1:19, Tony Andersson <BitFolkList(a)tony-andersson.com> wrote:
Realised the second after I pressed the send button that the answer to the ban issue is that those attacks are on IP v6
root@bitfolk:/etc/fail2ban# netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 1 85.119.82.79:80 121.168.45.218:1446 FIN_WAIT1
tcp6 0 1 85.119.82.79:80 24.186.158.213:61301 FIN_WAIT1
tcp6 0 1 85.119.82.79:80 67.180.245.251:17277 FIN_WAIT1
tcp6 0 1 85.119.82.79:80 71.218.243.152:25311 FIN_WAIT1
Now, I have to figure out how to turn IP v6 off on the vps then...
__
/ony
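A triage check for output like the netstat listing above, added here as an example and not code from the thread. On Linux a dual-stack IPv6 listener reports every accepted socket as tcp6 whichever stack the peer used, so the Proto column alone does not identify the traffic; the Foreign Address column does, and this tally by peer address family and TCP state, plus a list of the busiest peers, is worth running before changing the stack configuration. The sample consists of the four lines from the message plus constructed ones (the 2001:db8:: addresses are documentation-range placeholders); the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Tallies `netstat -n` output by the
# address family of the remote peer and by TCP state, then lists the busiest
# peers. A dual-stack IPv6 listener reports every accepted socket as tcp6, so
# the Proto column alone does not say which stack the peers are using; the
# Foreign Address column does.

# Usage: peer_summary NETSTAT_FILE
#   -> "family <ipv4|ipv6> <n>" and "state <STATE> <n>" lines, sorted
peer_summary() {
    awk '
        $1 ~ /^tcp6?$/ {
            peer = $5
            sub(/:[0-9]+$/, "", peer)             # strip the port
            fam = (peer ~ /\./) ? "ipv4" : "ipv6"  # a dotted quad (also ::ffff:a.b.c.d) is an IPv4 peer
            family[fam]++
            state[$6]++
        }
        END {
            for (f in family) print "family", f, family[f]
            for (s in state)  print "state", s, state[s]
        }
    ' "$@" | LC_ALL=C sort
}

# Usage: top_peers NETSTAT_FILE   -> "<connections> <peer>", busiest first
top_peers() {
    awk '$1 ~ /^tcp6?$/ { peer = $5; sub(/:[0-9]+$/, "", peer); n[peer]++ }
         END { for (p in n) print n[p], p }' "$@" | LC_ALL=C sort -rn
}

# Constructed sample: the four lines from the message, plus a second connection
# from the same peer and one genuine IPv6 peer (2001:db8:: is a documentation prefix).
SAMPLE_NETSTAT="${TMPDIR:-/tmp}/netstat.sample.$$"
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 1 85.119.82.79:80 121.168.45.218:1446 FIN_WAIT1
tcp6 0 1 85.119.82.79:80 24.186.158.213:61301 FIN_WAIT1
tcp6 0 1 85.119.82.79:80 67.180.245.251:17277 FIN_WAIT1
tcp6 0 1 85.119.82.79:80 71.218.243.152:25311 FIN_WAIT1
tcp6 0 0 85.119.82.79:80 121.168.45.218:1447 ESTABLISHED
tcp6 0 0 2001:db8::1:80 2001:db8:1::5:51000 ESTABLISHED
EOF
trap 'rm -f "$SAMPLE_NETSTAT"' EXIT

# On a live box: netstat -n > /tmp/ns.txt; peer_summary /tmp/ns.txt; top_peers /tmp/ns.txt | head
peer_summary "$SAMPLE_NETSTAT"
top_peers "$SAMPLE_NETSTAT"
```

The family count is the decisive number: if every peer is IPv4, the filtering problem lies in the IPv4 rules and disabling IPv6 changes nothing about it; if IPv6 peers appear, they need ip6tables rules, which fail2ban's iptables actions of that era did not install.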
-------
Tuesday, December 31, 2013, 12:11:34 AM, Tony wrote:
Hi all,
Have a strange attack happening to one of my domains, on the web server. It is a small privatish phpBB forum with nothing exciting, interesting or valuable going on at all. And it is the only one attacked out of a handful of web sites on the server.
The site has had a lot of incorrect requests to the server since before Christmas. I get POST requests in the region of two per second. There's nothing in the POST request and it is to the root of the domain. Like this:
184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.118.233.245 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
173.51.226.12 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
71.10.0.254 - - [30/Dec/2013:23:32:27 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.91.250.137 - - [30/Dec/2013:23:32:29 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.200.239.239 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.40.129.122 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
128.210.19.134 - - [30/Dec/2013:23:32:32 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
12.51.89.194 - - [30/Dec/2013:23:32:33 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
208.96.191.152 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
70.190.134.120 - - [30/Dec/2013:23:32:37 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
The 301 response is something I set up when I discovered this. There should be no POST requests to /, so I do a 301 permanent redirect back to the client's own IP address. But that seems to have had no effect at all. The requests are still constantly coming in.
I have set up a filter in fail2ban for anyone POSTing to '/' so they should be completely banned (using action 'iptables-allports'). But due to the sheer number of different addresses attacking, it seems to have little effect. Plus the fact that I quite often see this in the fail2ban log:
2013-12-30 23:38:33,080 fail2ban.actions: WARNING [http-ddos] 37.142.202.18 already banned
So it seems that despite being banned they can still send a request to the Apache server? Not sure why; iptables -L seems to list an awful lot of IP addresses and domain names. So the fail2ban filter is working as it should with setting up rules in iptables.
At the same time, postfix is getting a large number of requests on port 25 too:
Dec 30 23:54:45 bitfolk postfix/smtpd[14601]: connect from unknown[180.67.178.14]
Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: lost connection after UNKNOWN from unknown[76.2.133.225]
Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: disconnect from unknown[76.2.133.225]
Dec 30 23:54:48 bitfolk postfix/smtpd[27968]: connect from unknown[24.151.82.226]
Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: lost connection after UNKNOWN from unknown[173.220.57.214]
Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: disconnect from unknown[173.220.57.214]
Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: lost connection after UNKNOWN from unknown[72.135.3.145]
Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: disconnect from unknown[72.135.3.145]
Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: lost connection after UNKNOWN from unknown[173.246.215.147]
Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: disconnect from unknown[173.246.215.147]
Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: lost connection after UNKNOWN from unknown[180.67.178.14]
Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: disconnect from unknown[180.67.178.14]
And in the mail.warn log:
Dec 30 23:10:15 bitfolk postfix/smtpd[19391]: warning: non-SMTP command from unknown[96.38.26.186]: UY:l??????????z??????\?
Dec 30 23:11:22 bitfolk postfix/smtpd[17880]: warning: non-SMTP command from unknown[181.67.172.79]: U:??[6?
Dec 30 23:14:46 bitfolk postfix/smtpd[19522]: warning: non-SMTP command from unknown[24.39.251.34]: @:??>T^R^?d???&U?V<??;W?p4?Gf#???t????,???E?
Dec 30 23:16:57 bitfolk postfix/smtpd[24688]: warning: non-SMTP command from unknown[72.181.54.101]: gu:?R?M????
I can only conclude this is sent to the same domain name as is attacked on port 80...
Now I am worried all this will consume my bandwidth allowance (as well as eating into system resources of course), and I have run out of ideas on how to stop this. Any suggestions are most welcome!
Thanks,
__
/ony
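A check for the question raised in this message (are banned addresses still reaching Apache?), added here as an example and not code from the thread. It takes the first "Ban <ip>" time for each address from a fail2ban 0.8-style log, in the format shown above, and counts access-log requests from that address whose timestamp is later than the ban. Assumptions: both logs use the same timezone (UTC in the sample) and the access log is in Apache combined format; the sample lines are constructed around two addresses from the message, and the function name is mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports addresses that fail2ban
# banned but which still appear in the Apache access log after the ban time.
# First file: fail2ban log with 0.8-style lines such as
#   2013-12-30 23:32:30,512 fail2ban.actions: WARNING [http-ddos] Ban 184.57.181.141
# Second file: Apache combined-format access log.
# Assumes both logs are stamped in the same timezone, so string order is time order.

# Usage: requests_after_ban FAIL2BAN_LOG ACCESS_LOG  -> "<count> <ip>", worst first
requests_after_ban() {
    awk '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i in m) mon[m[i]] = sprintf("%02d", i)
        }
        # fail2ban log: $1 date, $2 time, $5 [jail], $6 "Ban", $7 address.
        # Keep the first ban time per address as "YYYY-MM-DD HH:MM:SS".
        FNR == NR {
            if ($6 == "Ban" && !($7 in banned))
                banned[$7] = $1 " " substr($2, 1, 8)
            next
        }
        # access log: $1 client IP, $4 "[30/Dec/2013:23:32:24" -> normalise to ISO form
        $1 in banned {
            split(substr($4, 2), p, "[/:]")
            iso = p[3] "-" mon[p[2]] "-" p[1] " " p[4] ":" p[5] ":" p[6]
            if (iso > banned[$1]) after[$1]++
        }
        END { for (ip in after) print after[ip], ip }
    ' "$1" "$2" | LC_ALL=C sort -rn
}

# Constructed sample logs using two addresses from the message.
SAMPLE_F2B="${TMPDIR:-/tmp}/fail2ban.sample.$$"
SAMPLE_ACC="${TMPDIR:-/tmp}/access.sample.$$"
cat > "$SAMPLE_F2B" <<'EOF'
2013-12-30 23:30:00,117 fail2ban.actions: WARNING [http-ddos] Ban 37.142.202.18
2013-12-30 23:32:30,512 fail2ban.actions: WARNING [http-ddos] Ban 184.57.181.141
2013-12-30 23:38:33,080 fail2ban.actions: WARNING [http-ddos] 37.142.202.18 already banned
EOF
cat > "$SAMPLE_ACC" <<'EOF'
184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.142.202.18 - - [30/Dec/2013:23:38:33 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.142.202.18 - - [30/Dec/2013:23:41:10 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
EOF
trap 'rm -f "$SAMPLE_F2B" "$SAMPLE_ACC"' EXIT

# On a live box: requests_after_ban /var/log/fail2ban.log /var/log/apache2/access.log
requests_after_ban "$SAMPLE_F2B" "$SAMPLE_ACC"
```

A non-zero count is a request that reached Apache after the iptables rule for that address existed, which is what needs explaining (rule ordering, or the packets arriving on a path the rule does not cover). An empty result means the rule holds and the "already banned" warnings come from lines that were logged before the ban but matched by fail2ban afterwards.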
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users