Is there a valid reason based on your web server content that people from China would be accessing your site? If not then just deny packets from the complete range of IP address allocated to China??? Many email servers do that to cut off spam from China. Maybe what you are seeing is China search engine robots trying to index your site. You could always add a robot.txt file to your server's path and deny search engine access. If this is a real attack then you were found by rolling through a whole block of ip address looking for a open port 80. Change your apache server to use different port say 7788 instead of port 80 and then use the free www.zoneedit.com dns service to redirect all FQDN to your websit to include the new port. From that point on only access to your site would have to done through FQDN. And all those attack port 80 packets would find no web server at port 80 ending this and future attacks leaving all your normal server request using your FQDN working as they do now. This is called hiding in plain sight. -----Original Message----- From: graham [mailto:graham@xxxxxxxxxxxxxx] Sent: Thursday, June 21, 2007 9:26 AM To: users@xxxxxxxxxxxxxxxx Subject: Re: limiting connections per ip address in apache2 whenunder attack Luis Moreira (ESI-GSQP) wrote: > This is not an "Apache answer", but it may help you. > > Do the IPs vary too much, or can you set up a firewall rule to block > incoming requests (any requests) from those IP ? No, the ip addresses vary too much. I just started apache again, and the new batch of ip addresses are clearly continuing the same web crawl, but totally different from the previous ones. Still based in China though. obrigado pela simpatia... Graham > Sort of your own very personal "black list"? > Of course, should that address decide to post a legitimate request, it would > get blocked but hey, who told them to mess up the first time? > > On the other hand, on http://www.dnsstuff.com/ you can find info on IP > addresses on the net. > Who and were they are, if they belong to spam lists, etc > > > May the farce be with you > > > Luis > > > > -----Original Message----- > From: graham [mailto:graham@xxxxxxxxxxxxxx] > Sent: quinta-feira, 21 de Junho de 2007 13:47 > To: users@xxxxxxxxxxxxxxxx > Subject: limiting connections per ip address in apache2 > whenunder attack > > Hi, > > I've just become involved with a system running apache2.0.55 on ubuntu > with linux 2.6.17. > > The system is currently unable to run due to repeated downloads of a > large number of pdfs by systems located in China. These are hogging all > sockets and eventually causing apache to die (I'm appending more details > below in case I've got the wrong end of the stick). The ip address of > these systems varies; they are not a single block, although they are > obviously working together (different ip addresses will ask for > sequentially related pdfs). Each ip address will request multiple files > in parallel. > > I'm told that the limit_ipconn module would solve my problem by limiting > the simultaneous accesses from any one ip address. There is no version > of this available for apache2 on ubuntu. I'm wondering if this is > because similar abilities have been built into apache2 itself, but > haven't managed to find any. > > Does anyone have any suggestions? > > Thanks > Graham > ----------------------------------------------- > Notes from log: > > The system is running ok, not at particularly heavy load (<1.0), and > apache is apparently running ok and not reporting errors [corrected later]. > > Tailing the apache log file shows that the only accesses to the system > are GETs of pdfs from two chinese systems, 218.4.152.91 and > 222.218.254.221, which are obviously running the same software. > > These systems are trying to systematically work their way through > downloading all chinese pdfs. When a pdf is too large and the download > times out, they immediately try again (at any one moment each system is > trying to download 3 or 4 pdfs). > > If I restart apache, I immediately get accesses from all over the place, > including the 2 chinese systems. Eventually the Chinese accesses capture > all the apache processes, and nothing else can get access. > > 'Solution' found for this: turn apache off for a few minutes. The > chinese systems went away, and all was fine again. > > One hour later ¶ > > The chinese systems, and the problems, returned. A little more data this > time. > > Once the chinese systems are established, netstat shows that they occupy > most sockets but are mostly in CLOSE_WAIT state. All other requests are > stuck in SYNC_RECV. > > After this continues for a while the apache processes gradually start to > die off with the following sequence: > > alert] (11): setuid: unable to change to uid: 33 (33 is www-data) > > [alert] Child 691 returned a Fatal error... Apache is exiting! > > [emerg] (43): couldn't grab the accept mutex > > semop: Invalid argument > > > > > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|