Posted to users@httpd.apache.org by Leonardo Neves <le...@gmail.com> on 2006/11/08 17:07:41 UTC

[users@httpd] DDOS

Hi,

My Apache server is receiving a flood of HTTP requests from
diverse places, as shown in the log below (access_log). How can I block this?
My environment is Mandriva 2007.0, kernel 2.6.17-5mdv
packages:
[root@ideafix ~]# rpm -qa | grep apache
apache-conf-2.2.3-3mdv2007.0
apache-mpm-prefork-2.2.3-1mdv2007.0
apache-base-2.2.3-1mdv2007.0
apache-modules-2.2.3-1mdv2007.0
apache-mod_ssl-2.2.3-1mdv2007.0
apache-mod_php-5.1.6-2mdv2007.0

Thanks,
Leo.

207.44.158.30 - - [01/Nov/2006:21:07:04 -0300] "GET http://www.yceml.net/0717/10371789-3.gif HTTP/1.1" 206 300 "http://auction24.ws/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT)"
66.79.189.8 - - [01/Nov/2006:21:06:54 -0300] "POST http://219.133.51.184/login HTTP/1.1" 200 260 "http://qqshow.qq.com/inc/i_l.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.79.189.15 - - [01/Nov/2006:21:07:17 -0300] "POST http://219.133.40.148/login HTTP/1.1" 200 260 "http://qqshow.qq.com/inc/i_l.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.79.189.12 - - [01/Nov/2006:21:07:27 -0300] "POST http://219.133.41.81/login HTTP/1.1" 200 260 "http://qqshow.qq.com/inc/i_l.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.79.189.9 - - [01/Nov/2006:21:07:36 -0300] "GET http://verify.qq.com/getimage?0.5233314004944895 HTTP/1.1" 200 638 "http://qqshow.qq.com/inc/i_l.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] DDOS

Posted by Joshua Slive <jo...@slive.ca>.
On 11/8/06, Leonardo Neves <le...@gmail.com> wrote:
> Thanks for the reply. I removed mod_proxy and the problem continued. Any
> other ideas?

The requests aren't going to instantly stop.  You've been running an
open proxy server that is probably being exploited by an army of
compromised drone computers.  This may go on for a while, since it is
unlikely that bad guys will retest your server.

But you should check to make sure that the requests are now failing
(giving a 4xx status code or returning your own home page).

Joshua.
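
The check described in the reply above, as an added example that is not part of the original thread: a Python script that finds proxy-style requests (absolute URI or CONNECT) in an access_log and separates those now refused with a 4xx, those answered with the local home page, and those that may still be relayed. The host name `www.example.org`, the home page size of 4512 bytes and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Start of a Common/Combined Log Format line, up to status and response size.
LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)'
                  r'[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def classify(line, local_hosts, home_page_size=None):
    """Return a verdict for a proxy-style request, or None for ordinary traffic."""
    m = LINE.match(line)
    if not m:
        return None
    try:
        if m["method"] == "CONNECT":        # target is host:port
            host = m["target"].rsplit(":", 1)[0]
        else:                               # an absolute URI marks a proxy-style request
            host = urlsplit(m["target"]).hostname or ""
    except ValueError:                      # malformed target, e.g. broken IPv6 literal
        return "other"
    host = host.lower()
    if not host or host in local_hosts:
        return None                         # origin-form path or our own site
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    if 400 <= status < 500:
        return "refused"
    if 200 <= status < 400:
        # With forward proxying off, Apache may answer from the local site instead.
        if home_page_size is not None and size == home_page_size:
            return "local-page"
        return "possibly-relayed"           # foreign host, success, unfamiliar size
    return "other"

def summarize(lines, local_hosts, home_page_size=None):
    verdicts = (classify(l, local_hosts, home_page_size) for l in lines)
    return Counter(v for v in verdicts if v)

# Constructed sample lines (documentation addresses and example hosts).
SAMPLE = [
    '198.51.100.7 - - [08/Nov/2006:18:00:01 -0300] "POST http://target.example/login HTTP/1.1" 200 260 "-" "-"',
    '198.51.100.8 - - [08/Nov/2006:18:00:02 -0300] "GET http://target.example/a.gif HTTP/1.1" 403 210 "-" "-"',
    '198.51.100.9 - - [08/Nov/2006:18:00:03 -0300] "GET http://target.example/ HTTP/1.1" 200 4512 "-" "-"',
    '203.0.113.5 - - [08/Nov/2006:18:00:04 -0300] "GET /index.html HTTP/1.1" 200 4512 "-" "-"',
    '198.51.100.7 - - [08/Nov/2006:18:00:05 -0300] "CONNECT mail.example.net:25 HTTP/1.0" 405 300 "-" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE, {"www.example.org"}, home_page_size=4512))
```

A non-zero "possibly-relayed" count after the configuration change means some foreign-host requests still succeed with a response that does not match the local home page, so the proxy configuration deserves another look.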


Re: [users@httpd] DDOS

Posted by Leonardo Neves <le...@gmail.com>.
Thanks for the reply. I removed mod_proxy and the problem continued. Any
other ideas?

Leo.

2006/11/8, Joshua Slive <jo...@slive.ca>:
> On 11/8/06, Leonardo Neves <le...@gmail.com> wrote:
> > Hi,
> >
> > My Apache server is receiving a flood of HTTP requests from
> > diverse places, as shown in the log below (access_log). How can I block this?
> > My environment is Mandriva 2007.0, kernel 2.6.17-5mdv
> > packages:
> >
> > 207.44.158.30 - - [01/Nov/2006:21:07:04 -0300] "GET http://www.yceml.net/0717/10371789-3.gif HTTP/1.1" 206 300 "http://auction24.ws/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT)"
> > 66.79.189.8 - - [01/Nov/2006:21:06:54 -0300] "POST http://219.133.51.184/login HTTP/1.1" 200 260 "http://qqshow.qq.com/inc/i_l.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>
> It looks like you are running an open proxy server.
> http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan
>
> You should remove mod_proxy if you don't need it, or at the very least set
> ProxyRequests Off
>
> Joshua.

Re: [users@httpd] DDOS

Posted by Joshua Slive <jo...@slive.ca>.
On 11/8/06, Leonardo Neves <le...@gmail.com> wrote:
> Hi,
>
> My Apache server is receiving a flood of HTTP requests from
> diverse places, as shown in the log below (access_log). How can I block this?
> My environment is Mandriva 2007.0, kernel 2.6.17-5mdv
> packages:
>
> 207.44.158.30 - - [01/Nov/2006:21:07:04 -0300] "GET http://www.yceml.net/0717/10371789-3.gif HTTP/1.1" 206 300 "http://auction24.ws/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT)"
> 66.79.189.8 - - [01/Nov/2006:21:06:54 -0300] "POST http://219.133.51.184/login HTTP/1.1" 200 260 "http://qqshow.qq.com/inc/i_l.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

It looks like you are running an open proxy server.
http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan

You should remove mod_proxy if you don't need it, or at the very least set
ProxyRequests Off

Joshua.
