Posted to users@httpd.apache.org by John <lo...@gmail.com> on 2005/08/19 17:47:45 UTC

[users@httpd] Apache Log Attack

I am having numerous IPs that are changing daily and constantly
hitting my webserver and taking up about 1Mbit solid 24x7.  There is
no POST/GET or any other type of connection, it just seems like they
open port 80 and start pushing tons of junk.  The IPs are from APNIC
and are not country specific.   Any help would be greatly appreciated,
we are getting slammed by these hits.

Their IP has been changed to aaa.bbb.ccc.ddd and my domain has been
changed to www.mydomain.com.


20050819-10-access.log:aaa.bbb.ccc.ddd www.mydomain.com -
[19/Aug/2005:10:44:20 -0400]
"\xa4Y~5\xcf2\"\xf4\xcc\xcf\xd3\x90-H\xd3\x8f
u\xe6\xd9\x1d*\xe5\xc0\xf7+x\x81\x87D\x0e_P" 302 123 "-" "-"
20050819-10-access.log:aaa.bbb.ccc.ddd www.mydomain.com -
[19/Aug/2005:10:44:20 -0400]
"\xf2\xebq\xff\xa0\xd0;u\x06\x8c~\x87xsM\xd0\
xbe\x82\xbe\xdb\xc2FA+\x8c\xfa0\x7fp\xf0\xa7T\x862\x95\xaa[h\x13\v\xe6\xfc\xf5\xca\xbe}\x9f\x89\x8aA\x1b\xfd\xb8Oh\xf6r{\x14\x99\xcd
\xd3\r\xf0D:\xb4\xa6fS3\v\xcb\xa1\x10^L\xec\x03Ls\xe6\x05\xb41\x0e\xaa\xad\xcf\xd5\xb0\xca'\xff\xd8\x9d\x14M\xf4y'YB|\x9c\xc1\xf8\xc
d\x8c\x87 #d\xb8\xa6\x87\x95L\xb0Z\x8dN-\x99\xe7=\xb1`" 400 299 "-" "-"
20050819-10-access.log:aaa.bbb.ccc.ddd www.mydomain.com -
[19/Aug/2005:10:44:20 -0400]
"\xb1\x80\xad\bA\xe9gA\xa5\xd5\x9f\xe4\x18\x9
f\x15B" 302 123 "-" "-"
20050819-10-access.log:aaa.bbb.ccc.ddd www.mydomain.com -
[19/Aug/2005:10:44:20 -0400]
"\xb8\xe0\xe1`\x8fn<{\xf4[b\x8a\x8a\x8f'\\\xf
7\xe5\x87J;2\x9ba@\x84\xc6\xc3\xb1\xa70J\x10\xeeuo\x03/\x9ej\xef\x10P\x9b\xc8\x81C)(\x8a\xf6\xe9\x9eG\xa1\x81H1l\xcd\xa4\x9e\xde\x81
\xa3\x8c\x98\x10\xff\x9aC\xcd\xcfW\xc7PY\xbf\xbd\x1c'\x03(\x7f]\x89_\xb9I4N`<\xe5\xde\x02\x98B\xb2\r+\xb6\x14\xec\xbb\xb8/s\xe2Q~}\x
1d\xd8\x84\xd3\x1f\x01\xbePk\x16\xd6C!\x83\x19\x15" 400 - "-" "-"
20050819-10-access.log:aaa.bbb.ccc.ddd www.mydomain.com -
[19/Aug/2005:10:44:20 -0400]
"2q\xaf\xf2d\xd0\xf2HA\xd6F_\t\x96\xff\x84\xe
6_\xc5\x17\xc5>\xfc3c\xc3\x84\x92\xab\b\xa3\xaa?\xf0?\x1cU\xadQO\xc4\x85\x96X^\xd5\x88\x1e\x81V\x8c\xbb\xe9\x9fm%\xc8\xeb\t\r\x19\x1
dJ\x071\x01X\xec\x97\xd5\r|\x15\b\xaaH\x0fA\xc8\xd0\x14\xa3\x91\xe8\xb3P/`\x90+\x85\xe3\xb7\xe3\x1d
/-b(\xd3P\x10\x17]\xe7\xe8\xf7\x
c4\xe2\xa8\xe1\xc8\xcf:e\xcaX,-\xe2\x0c`\xdc,b\x05<" 400 299 "-" "-"
20050819-10-access.log:aaa.bbb.ccc.ddd www.mydomain.com -
[19/Aug/2005:10:44:20 -0400]
"O\x12s\xff?\x02\xa3\xb5\x8e\x03\x165\xbf\x9a
\x13=\xed\x88 \xcaj\xe7\xc6\xd2\xa5v\x945Q2g\xf2\xc3&\xe8\x96\x9c\x83U\xfb\xa9\xf3\x85.\x07+&\xb1\x8b\xbfJ\xe3`;\"\xbc\xf2o\b\xbd\v"
 400 - "-" "-"
20050819-10-access.log:aaa.bbb.ccc.ddd www.mydomain.com -
[19/Aug/2005:10:44:20 -0400]
"u\xfbs]^\x12\xfe\x93u\xe0\x9e\xd5\x8e8\xed @
\xa5\\\xf6\x99N\x83]\x11\x1c\xb5*\xbd\x1f\xd8\x7f\xc5.s\x93\x18\xce\t\xb1^V\xa6\x84/P\xb7\x91\x82!\x1e\x05h\xed\x86\xb1\xfa\xb5\xf4S
\x8f\xc2\x9f\x173G\x02]UB/\xbd\xc0\xa3fH\xcd\xb0\xe6\x11\xd6\xa8\x03\xed\xed\xa6yv\xce\xc9"
400 299 "-" "-"

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: Apache Log Attack

Posted by Joost de Heer <sa...@xs4all.nl>.
> 20050819-10-access.log:aaa.bbb.ccc.ddd www.mydomain.com -
> [19/Aug/2005:10:44:20 -0400]
> "\xa4Y~5\xcf2\"\xf4\xcc\xcf\xd3\x90-H\xd3\x8f
> u\xe6\xd9\x1d*\xe5\xc0\xf7+x\x81\x87D\x0e_P" 302 123 "-" "-"

Doesn't look like a log attack to me, but more like a DoS attack.
Someone's trying to overload your webserver with random crap.

Joost
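
One way to triage the pattern discussed in this thread, as an added example that is not part of the original posts: it counts, per client address, logged requests that are not a parseable HTTP request line, so the noisy sources can be handed to a firewall or rate limiter. The field layout is inferred from the log lines quoted above; the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Field layout inferred from the lines quoted in this thread (an assumption):
# [file:]client vhost user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?:\S+\.log:)?(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A well-formed request line: METHOD SP target SP HTTP/x.y
REQ_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

def is_junk(request):
    """True when the logged request is not a parseable HTTP request line."""
    return REQ_RE.match(request) is None

def junk_by_client(lines):
    """Return (junk, total) request counters keyed by client address."""
    junk, total = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an access-log line in this layout
        total[m['ip']] += 1
        if is_junk(m['req']):
            junk[m['ip']] += 1
    return junk, total

def suspects(lines, min_junk=2, min_ratio=0.9):
    """Clients with at least min_junk junk requests and almost no valid ones."""
    junk, total = junk_by_client(lines)
    return sorted(ip for ip, n in junk.items()
                  if n >= min_junk and n / total[ip] >= min_ratio)

# Constructed sample lines: documentation addresses, made-up request bytes.
SAMPLE = [
    r'20050819-10-access.log:192.0.2.10 www.example.com - [19/Aug/2005:10:44:20 -0400] "\xa4Y~5\"\xf4" 302 123 "-" "-"',
    r'20050819-10-access.log:192.0.2.10 www.example.com - [19/Aug/2005:10:44:20 -0400] "\xf2\xebq\xff" 400 299 "-" "-"',
    r'20050819-10-access.log:192.0.2.10 www.example.com - [19/Aug/2005:10:44:21 -0400] "\xb8\xe0\\\xf7" 400 - "-" "-"',
    r'198.51.100.7 www.example.com - [19/Aug/2005:10:44:22 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    r'198.51.100.7 www.example.com - [19/Aug/2005:10:44:23 -0400] "\x16\x03\x01" 400 299 "-" "-"',
    r'203.0.113.5 www.example.com - [19/Aug/2005:10:44:24 -0400] "O\x12s\xff?" 400 - "-" "-"',
    r'203.0.113.5 www.example.com - [19/Aug/2005:10:44:24 -0400] "u\xfbs]^" 400 299 "-" "-"',
]

if __name__ == '__main__':
    for ip in suspects(SAMPLE):
        print(ip)
```

The thresholds keep a client with mostly valid traffic and a single malformed request off the list; tune `min_junk` and `min_ratio` to the log volume being examined.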

