  #1  
Old 01-29-2006, 07:26 AM
BeBop is offline BeBop
Registered User

Join Date: Jun 2002
Posts: 600

Apache being attacked - ASAP

I run my business website from my home, and yesterday I got over 10,000 hits on it - all illegitimate traffic.

As soon as I start Apache up on the server my bandwidth starts getting eaten up.

How in the heck do I fix this? Is this something in the ipchains I can specify so people can't use GET things like that to bog down my server?

Screens:




Please help ASAP...

Thanks in advance to anyone who helps, this place is always great - and thank you Panther since I'm sure you're probably the first one to respond
__________________
- My: Drawings, rants, raves, my cat, designs, and everything else i want to put on the net.
Free Teamspeak servers: http://gamersnetwork.us/

  #2  
Old 01-29-2006, 11:28 AM
DevilDog#1 is offline DevilDog#1

Join Date: Jul 2002
Posts: 7,040

Do you have any physical security devices, i.e. firewalls?

Edit: Which version of Apache do you have? And which patches are installed on it?

Edit #2: Oh, and which OS are you running Apache HTTP on?
__________________








Quote:
If I don't do that doesn't mean I can't - DD#1

Last edited by DevilDog#1; 01-29-2006 at 11:40 AM.
  #3  
Old 01-29-2006, 02:06 PM
BeBop is offline BeBop
Registered User

Join Date: Jun 2002
Posts: 600

Mandrake 9.2
The Apache that comes with it [2.x]
Firewalled router only has port 80 open to that...

Right now I've moved it over to a different box: CentOS 4, SELinux, firewalled hardware + software, Apache hardened, and it looks like it's stopped.
  #4  
Old 01-29-2006, 02:15 PM
DevilDog#1 is offline DevilDog#1

Join Date: Jul 2002
Posts: 7,040

Check this out. Might have issues related to your prob.
  #5  
Old 01-29-2006, 02:18 PM
Scott is offline Scott
AKA. Panther

Join Date: Sep 2001
Location: Minneapolis, MN
Posts: 10,922

Although it's annoying there is not much you can do about it as they do look like legit requests, even though they are not.

I can only think of two things, block each and every IP that it comes from (will take a while) or you can look into an Apache mod called MOD Security. I've never used it but there are a lot of things you can do with it to protect yourself.

To help build a list of IPs to ban easier there is a script called LogWatch (I think that's what it is) and it will tally each entry in the log and give you the IP addy plus how many times it made a connection. Make sure you look up each IP before you ban it though (http://www.dnsstuff.com) to make sure you're not banning anyone trying to do business.

IPChains (IP Tables?) may have something in it, but I am not very fluent with either since I always used a separate program for simplicity.
__________________

04' Dodge SRT-4, Mopar Stage 3, 406whp/436wtq
  #6  
Old 01-29-2006, 02:20 PM
DevilDog#1 is offline DevilDog#1

Join Date: Jul 2002
Posts: 7,040

Oh, and when you find out what fixed it eventually, let us know too please
  #7  
Old 01-29-2006, 03:38 PM
BeBop is offline BeBop
Registered User

Join Date: Jun 2002
Posts: 600

I will. Hardening the new server fixed the major bandwidth issues I was having, but I'm still getting those ungodly amounts of requests (which in turn is creating massive log files) x.x

-- looking into what P said and going to block them
  #8  
Old 01-29-2006, 03:49 PM
DevilDog#1 is offline DevilDog#1

Join Date: Jul 2002
Posts: 7,040

Maybe one or more sites you're hosting have streaming media on them?
  #9  
Old 01-29-2006, 05:33 PM
BeBop is offline BeBop
Registered User

Join Date: Jun 2002
Posts: 600

I'm only hosting my one business site - seems like I'm getting hit by proxies a fck load though

Here's some of the list so far - I need to see if this gets rid of them

Code:
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 218.89.53.168 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 12.208.236.118 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 129.240.91.6 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 194.29.137.71 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 195.182.138.206 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 198.104.137.12 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 198.104.137.13 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 198.104.137.14 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 198.104.137.15 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 198.65.144.236 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 200.125.51.54 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 200.125.51.64 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 201.132.37.108 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 201.217.190.80 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 202.201.11.200 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 202.229.212.142 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 136.188.0.29 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 203.136.188.29 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 66.246.252.0/255.255.255.0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 222.122.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 222.141.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 222.184.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 222.188.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 222.89.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 64.200.20.114 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 66.230.178.26 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 207.46.250.119 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 207.46.130.108 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 213.83.55.1 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 66.28.56.152 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 82.92.34.5 -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -s 130.117.156.231 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 130.117.156.232 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 130.117.156.233 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 130.117.156.234 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 64.200.20.114 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 66.230.178.26 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 213.83.55.1 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 82.92.34.5 -p tcp -m tcp --dport 80 -j DROP
  #10  
Old 01-29-2006, 05:37 PM
DevilDog#1 is offline DevilDog#1

Join Date: Jul 2002
Posts: 7,040

Maybe business is picking up?
  #11  
Old 01-29-2006, 05:58 PM
BeBop is offline BeBop
Registered User

Join Date: Jun 2002
Posts: 600

Well I'm using iptraf to monitor kbytes out - and it looks like visits/hour has gone down as well as bandwidth usage. I'm just watching TCP/IP traffic and blocking any Asian IPs I see [221 222 223 etc >.<] or any unusual activity I see going on.
  #12  
Old 01-29-2006, 06:12 PM
DevilDog#1 is offline DevilDog#1

Join Date: Jul 2002
Posts: 7,040

http://www.apnic.net/index.html your friends and their pictures. (http://www.apnic.net/info/staff/index.html)
  #13  
Old 01-29-2006, 06:23 PM
BeBop is offline BeBop
Registered User

Join Date: Jun 2002
Posts: 600

x.x;
  #14  
Old 01-29-2006, 06:29 PM
Steve is offline Steve
Administrator

Join Date: Sep 2001
Location: 2077
Posts: 21,552

Quote:
Originally posted by DevilDog#1
http://www.apnic.net/index.html your friends and their pictures. (http://www.apnic.net/info/staff/index.html)

kinda has the feel of an anonymous proxy providing site / address / server.
  #15  
Old 01-30-2006, 11:16 AM
SilentTrigger is offline SilentTrigger
-1PARA-

Join Date: Sep 2002
Location: Sweden
Posts: 3,972

Quote:
Originally posted by Scott
Although it's annoying there is not much you can do about it as they do look like legit requests, even though they are not.

I can only think of two things, block each and every IP that it comes from (will take a while) or you can look into an Apache mod called MOD Security. I've never used it but there are a lot of things you can do with it to protect yourself.

To help build a list of IPs to ban easier there is a script called LogWatch (I think that's what it is) and it will tally each entry in the log and give you the IP addy plus how many times it made a connection. Make sure you look up each IP before you ban it though (http://www.dnsstuff.com) to make sure you're not banning anyone trying to do business.

IPChains (IP Tables?) may have something in it, but I am not very fluent with either since I always used a separate program for simplicity.

Something totally different. I LOVE DNSSTUFF.COM!

EDIT: I know our squad site had a MySQL security issue where it was bogged down by queries till it stopped allowing it, and it seems as if Kirk*MFA* made it stop (might have been his connection with FBI though lol). But we have never had any problem since. Might be a good thing to ask him if he knows a way to prevent this (the server has moved to the inner core of the network though so it might be that). But it might be a good thing to talk to him as he works for a big hosting company that is aimed at professional business hosting.

Can be reached here: http://dfmafia.net/forums
__________________
-1PARA-AlexKall

My photography website




Last edited by SilentTrigger; 01-30-2006 at 11:22 AM.
  #16  
Old 01-30-2006, 05:19 PM
BeBop is offline BeBop
Registered User

Join Date: Jun 2002
Posts: 600

Thanks Trig, I think I will, but right now the problem seems to be fixed. I put up a hardware firewall, ran ipchains firewall, enabled SE [security enhanced] Linux for CentOS 4 and limited port activity to TCP 80, UDP/TCP 1716-1717 (AA server), and bandwidth out is about .4Kbytes a sec, which is much better than the 60KB/sec I had on the other server.

Only problem: Instead of them [the attackers] being able to use my server as a proxy [which they were doing] I'm now getting tons and tons of 404 errors from them

Little thing from Webalizer when run:
200 OK : 200 some odd hits
404 Error [lol] : 109,000+ hehehe

Whatever I did I think I fixed it except for that minor annoyance.
Reply With Quote
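The per-IP tally suggested in post #5, narrowed to the proxy-style requests described in post #16, as an added example that is not code from the thread. It assumes Apache's common/combined access log format; the hostnames, function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit
# Assumption: the hostnames this server legitimately answers for (placeholders).
LOCAL_HOSTS = {"www.example-shop.test", "example-shop.test"}
# Apache common/combined log line: client, identd, user, [time], "request", status, bytes
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def is_proxy_attempt(method, target):
    """True when the request asks this server to fetch from or tunnel to another host."""
    if method == "CONNECT":                  # tunnel request, target is host:port
        return True
    if "://" not in target:                  # origin-form path: an ordinary request
        return False
    try:                                     # absolute-URI form, as sent to a proxy
        host = (urlsplit(target).hostname or "").lower()
    except ValueError:                       # unparsable authority: count it as an attempt
        return True
    return host not in LOCAL_HOSTS

def tally(lines):
    """Per client: total hits, proxy attempts, and the status codes those attempts got."""
    stats = defaultdict(lambda: {"hits": 0, "proxy": 0, "status": Counter()})
    for m in filter(None, map(LINE_RE.match, lines)):   # malformed lines are skipped
        s = stats[m["ip"]]
        s["hits"] += 1
        if is_proxy_attempt(m["method"], m["target"]):
            s["proxy"] += 1
            s["status"][m["status"]] += 1
    return stats

def review_list(stats, min_proxy=2):
    """(ip, proxy attempts, attempts answered 2xx), busiest first, for lookup before a ban."""
    rows = [(ip, s["proxy"], sum(n for code, n in s["status"].items() if code[0] == "2"))
            for ip, s in stats.items() if s["proxy"] >= min_proxy]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

SAMPLE = [  # constructed lines using documentation address ranges, not from the thread
    '192.0.2.10 - - [29/Jan/2006:07:01:02 -0500] "GET http://ads.example.net/click?id=1 HTTP/1.0" 200 512',
    '192.0.2.10 - - [29/Jan/2006:07:01:03 -0500] "CONNECT mail.example.org:25 HTTP/1.0" 200 0',
    '192.0.2.10 - - [30/Jan/2006:17:00:00 -0500] "GET http://ads.example.net/click?id=2 HTTP/1.0" 404 290',
    '198.51.100.7 - - [30/Jan/2006:17:00:05 -0500] "GET http://search.example.com/ HTTP/1.1" 404 290',
    '198.51.100.7 - - [30/Jan/2006:17:00:06 -0500] "GET http://search.example.com/q HTTP/1.1" 404 290',
    '203.0.113.5 - - [30/Jan/2006:17:01:01 -0500] "GET http://www.example-shop.test/cart HTTP/1.1" 200 1024',
    'garbage line that does not parse',
]
if __name__ == "__main__":
    print(review_list(tally(SAMPLE)))
```

A 2xx on a flagged request is not proof of relaying: Apache with proxying disabled can serve its own page for the path part of such a URL, so compare response sizes before drawing conclusions.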
  #17  
Old 01-31-2006, 07:02 AM
SilentTrigger is offline SilentTrigger
-1PARA-

Join Date: Sep 2002
Location: Sweden
Posts: 3,972

lmao that's a few 404 errors! Well, seems like it was sorted out then! I'm pretty sure you will continue to get them till they realize it's not there anymore. Which might be a while knowing how stupid some people are hehe

Good thing that you got a hardware firewall. Software is good but a hardware firewall is so much more secure; doesn't matter if it's a router or a dedicated firewall, it will do a better job than software either way!

Have a hardware one myself, as well as software (can call me a bit paranoid lol, but I like my server and other computers on the network to be secure! the server is rarely online though lol)
  #18  
Old 01-31-2006, 08:14 AM
BeBop is offline BeBop
Registered User

Join Date: Jun 2002
Posts: 600

Heh, it's up to about 140k 404s now, but it looks like hits are dropping down - I'm getting about 100 [visits is what Webalizer calls them] per hour, it's still about 1100 visits per day though, which is a little high.
  #19  
Old 01-31-2006, 08:24 AM
SilentTrigger is offline SilentTrigger
-1PARA-

Join Date: Sep 2002
Location: Sweden
Posts: 3,972

yeah, well i hope the 404 spamming stops lol

All times are GMT -5. The time now is 06:51 PM.



