When you have a server in a public network it will receive all sorts of odd attempts and random useless connections, paying attention to each and every one of them will just drive you nuts. If you are really concerned, add IPS, Firewall, etc to your DMZ. But going round and round over a few odd requests is practically futile. El mar, 1 nov 2022 a las 18:33, Darryl Philip Baker (<darryl.baker@xxxxxxxxxxxxxxxx>) escribió: > > While they do bother me, but I can’t just block a random cloud address the source IP is probably dynamic so who know when any of them will be assigned to something legit. I just wanted to be sure that there wasn’t a real vulnerability they were trying to exploit. Obviously you can’t DDoS with a single request but if they are just going for a DoS it has been possible to do to some applications in the past with a small number of requests over time. These request are appearing on all the nodes in the cluster. Since nothing is mishandling the requests I will just monitor for any changes. > > > > Darryl Baker, GSEC, GCLD (he/him/his) > > Sr. System Administrator > > Distributed Application Platform Services > > Northwestern University > > 4th Floor > > 2020 Ridge Avenue > > Evanston, IL 60208-0801 > > darryl.baker@xxxxxxxxxxxxxxxx > > (847) 467-6674 > > > > From: Frank Gingras <thumbs@xxxxxxxxxx> > Reply-To: Apache httpd Users <users@xxxxxxxxxxxxxxxx> > Date: Tuesday, November 1, 2022 at 12:11 PM > To: Apache httpd Users <users@xxxxxxxxxxxxxxxx> > Subject: Re: Questionable URL being sent to our server > > > > I would not attribute this to a "DoS", as you can't really DoS httpd with a single request. It looks like plain URL encoding. > > > > If those log entries bother you, firewall their IP range(s). > > > > On Tue, 1 Nov 2022 at 11:13, Darryl Philip Baker <darryl.baker@xxxxxxxxxxxxxxxx> wrote: > > They are mostly using GET but there were a couple of HEAD requests. The requests are coming from cloud accounts on Google and Amazon. They are using several variations of the URL most get 404 errors, which is responded with by a custom 404 page, this is the only one that is getting a 400 error. > > > > Darryl Baker, GSEC, GCLD (he/him/his) > > Sr. System Administrator > > Distributed Application Platform Services > > Northwestern University > > 4th Floor > > 2020 Ridge Avenue > > Evanston, IL 60208-0801 > > darryl.baker@xxxxxxxxxxxxxxxx > > (847) 467-6674 > > > > From: Frank Gingras <thumbs@xxxxxxxxxx> > Reply-To: Apache httpd Users <users@xxxxxxxxxxxxxxxx> > Date: Tuesday, November 1, 2022 at 9:32 AM > To: Apache httpd Users <users@xxxxxxxxxxxxxxxx> > Subject: Re: Questionable URL being sent to our server > > > > What is the HTTP method you see in the logs? > > > > Either way, they may trying to use your server as an open proxy, and failing to do so. > > > > > > On Tue, 1 Nov 2022 at 10:27, Darryl Philip Baker <darryl.baker@xxxxxxxxxxxxxxxx> wrote: > > We are getting a poorly formed URL being requested from our servers. Apache is returning a 400 error but I am wondering if someone is try to exploit an issue with some version of some web server out there. Maybe a Dos attack or worse. Anyone have a clue what is being attempted? > > > > Sketchy URL: https://www.northwestern.edu/accounting-scrvices/Annual%252ORepothtm > > > > Darryl Baker, GSEC, GCLD (he/him/his) > > Sr. System Administrator > > Distributed Application Platform Services > > Northwestern University > > 4th Floor > > 2020 Ridge Avenue > > Evanston, IL 60208-0801 > > darryl.baker@xxxxxxxxxxxxxxxx > > (847) 467-6674 -- Daniel Ferradal HTTPD Project #httpd help at Libera.Chat --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx