Hello Michael,
fail2ban (www.fail2ban.org) will detect a bot that is "too active". I
think it can detect POSTs.
You might also consider tweaking the software. Most web apps are many
GETs followed by a single POST, then more GETs and a POST. Two POSTs
would only occur in sequence if the first failed validation.
If you work out what could sensibly follow the current message and store
it in the session, you can detect the strange behaviour of a DDOS attack
and take the necessary action to trigger fail2ban.
Regards
Ian
On 25/08/2013 16:34, Michael Corliss wrote:
Hello,
My site was running very slowly this morning, and when I looked at top
it showed a lot more apache processes than usual. My apache logs show
several generic-looking requests per second all day, all from
different IPs but the same user agent:
203.177.174.141 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
117.7.236.73 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
216.178.85.218 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
49.206.63.20 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
59.149.127.101 - - [25/Aug/2013:06:57:47 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
111.254.38.56 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.154.108.28 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
60.240.213.10 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 18876 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
41.74.72.186 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
5.166.34.40 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
213.57.146.253 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.245.63.129 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
171.97.140.82 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 13140 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.136.214.3 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
74.197.170.177 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
106.241.51.51 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 21900 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
178.32.159.163 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 25746 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
110.55.2.241 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
97.66.102.42 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2.181.22.211 - - [25/Aug/2013:06:57:51 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
95.58.227.174 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
91.84.209.34 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 25078 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.187.102.48 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.187.102.48 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 9101 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.187.102.48 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 25746 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
162.40.113.3 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.0" 200 29739 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
74.246.72.161 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
69.31.103.15 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 18824 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
95.56.48.194 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
91.234.62.104 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
117.201.49.234 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
110.93.93.232 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
49.144.94.153 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
49.206.63.20 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.5.224.39 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
222.253.203.151 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
116.71.205.203 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
76.231.201.4 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
113.185.6.125 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 20250 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
This goes on and on. I've stopped apache and everything seems to be
working normally.
I've found some suggestions that this UA is associated with malicious
bots; is this a DDOS? Who would want to DDOS a piddly discussion
forum? Any advice on making it useable again?
Thanks,
Mike
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
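
The session-sequence idea from the reply above, as an added example (not code from the thread or from fail2ban): the application records which request may sensibly come next, and writes a log line naming the client whenever a POST arrives that nothing armed, such as the cookie-less `POST /` requests in the excerpt. The class name, the log format and the in-memory dict standing in for the session store are all assumptions; the traffic is constructed and uses documentation address ranges.

```python
import re

# Hypothetical log format; a fail2ban filter could match it with a failregex
# along the lines of:  unexpected-sequence client=<HOST>
LOG_FMT = "unexpected-sequence client={ip} {method} {path}"
LINE_RE = re.compile(r"unexpected-sequence client=(?P<host>\S+) ")


class SequenceGuard:
    """Remembers, per session, which request may sensibly come next."""

    def __init__(self):
        self.expected = {}   # session id -> set of (method, path) allowed next
        self.log_lines = []  # stands in for the file fail2ban would watch

    def on_request(self, session_id, ip, method, path):
        """Return True if the request fits the session's expected sequence."""
        if method in ("GET", "HEAD"):
            if session_id is not None:
                # Serving a page arms one POST back to that same path.
                self.expected[session_id] = {("POST", path)}
            return True
        allowed = self.expected.get(session_id, set())
        if session_id is not None and (method, path) in allowed:
            self.expected[session_id] = set()  # one POST per rendered form
            return True
        self.log_lines.append(LOG_FMT.format(ip=ip, method=method, path=path))
        return False

    def on_validation_failed(self, session_id, path):
        """The form was redisplayed with errors, so a second POST is normal."""
        self.expected[session_id] = {("POST", path)}


def flagged_hosts(guard):
    """Extract the addresses a fail2ban-style regex would pull from the log."""
    return [LINE_RE.search(line).group("host") for line in guard.log_lines]


def demo():
    g = SequenceGuard()
    # Constructed traffic; addresses are from documentation ranges.
    g.on_request("s1", "192.0.2.10", "GET", "/")      # human loads the form
    g.on_request("s1", "192.0.2.10", "POST", "/")     # and submits it
    g.on_validation_failed("s1", "/")                  # form shown again
    g.on_request("s1", "192.0.2.10", "POST", "/")     # legitimate second POST
    g.on_request(None, "198.51.100.7", "POST", "/")   # no session, no prior GET
    g.on_request("s1", "192.0.2.10", "POST", "/")     # third POST, not re-armed
    return flagged_hosts(g)
```

Because the signal is per request rather than a rate, a jail watching this log can act on a single hit, which matters when each address sends only a handful of requests.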