Re: limiting connections per ip address in apache2 when under attack

Bob wrote:
Is there a valid reason based on your web server content that people from
China would be accessing your site?

Yes, we have a very large quantity of pdfs in Chinese. Converting them to html would presumably reduce the load but I don't think the manpower to do that is there.

If not then just deny packets from the
complete range of IP addresses allocated to China??? Many email servers do
that to cut off spam from China. Maybe what you are seeing is Chinese search
engine robots trying to index your site. You could always add a robots.txt
file to your server's path and deny search engine access.


As stated above, I'm afraid that's not possible.


If this is a real attack then you were found by rolling through a whole
block of IP addresses looking for an open port 80.
Change your apache server to use a different port, say 7788 instead of port 80,
and then use the free www.zoneedit.com dns service to redirect all FQDN to
your website to include the new port.  From that point on, all access to your
site would have to be done through the FQDN.  And all those attack port 80 packets
would find no web server at port 80, ending this and future attacks and leaving
all your normal server requests using your FQDN working as they do now. This
is called hiding in plain sight.


I'm not actually convinced it's an attack, rather than an incompetent spider. Some of the hits come from referrers (other Chinese sites) which have built up a long index of our files, and the spider which is causing the problem is simply running repeatedly through those.

But it's an interesting idea; do you have any references from people who have done this, what the potential snags are, etc?

Graham
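An added example, not code from the thread, that scans Apache access-log lines for the two behaviours Graham describes: a single IP starting several PDF downloads in parallel, and distinct IPs walking a numbered series of files in order (the "different ip addresses will ask for sequentially related pdfs" pattern). The sample log lines are constructed; only the two IP addresses are taken from the original message, and the path layout and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines in Apache "combined" log format (not copied from the thread).
SAMPLE_LOG = """\
218.4.152.91 - - [21/Jun/2007:13:40:01 +0100] "GET /cn/report-0101.pdf HTTP/1.1" 200 5120000 "-" "Mozilla/4.0"
218.4.152.91 - - [21/Jun/2007:13:40:01 +0100] "GET /cn/report-0102.pdf HTTP/1.1" 200 4800000 "-" "Mozilla/4.0"
218.4.152.91 - - [21/Jun/2007:13:40:02 +0100] "GET /cn/report-0103.pdf HTTP/1.1" 200 5000000 "-" "Mozilla/4.0"
218.4.152.91 - - [21/Jun/2007:13:40:02 +0100] "GET /cn/report-0104.pdf HTTP/1.1" 200 5100000 "-" "Mozilla/4.0"
222.218.254.221 - - [21/Jun/2007:13:40:02 +0100] "GET /cn/report-0105.pdf HTTP/1.1" 200 4900000 "-" "Mozilla/4.0"
222.218.254.221 - - [21/Jun/2007:13:40:09 +0100] "GET /cn/report-0106.pdf HTTP/1.1" 200 5200000 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Jun/2007:13:40:05 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*"')
def parse(log):
    """Yield (epoch_seconds, ip, path) for each well-formed GET line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, path = m.groups()
            yield datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp(), ip, path

def parallel_pdf_clients(log, window=2, threshold=3):
    """IPs that started >= threshold PDF downloads inside any span of `window` seconds."""
    times = defaultdict(list)
    for t, ip, path in parse(log):
        if path.lower().endswith(".pdf"):
            times[ip].append(t)
    flagged = set()
    for ip, ts in times.items():
        ts.sort()
        # pair each start time with the (threshold-1)th later start from the same IP
        if any(b - a <= window for a, b in zip(ts, ts[threshold - 1:])):
            flagged.add(ip)
    return flagged

def coordinated_crawl(log, min_run=4):
    """Groups of >1 IPs whose PDF requests, merged in time order, step through a numbered series."""
    seq = []
    for t, ip, path in parse(log):
        m = re.search(r"(\d+)\.pdf$", path)
        if m:
            seq.append((t, int(m.group(1)), ip))
    runs = []  # maximal runs of consecutive file numbers, regardless of which IP asked
    for rec in sorted(seq):
        if runs and rec[1] == runs[-1][-1][1] + 1:
            runs[-1].append(rec)
        else:
            runs.append([rec])
    return [sorted({ip for _, _, ip in r}) for r in runs if len(r) >= min_run and len({ip for _, _, ip in r}) > 1]
```

Either signal alone is weak (a browser may open a few connections; one client may crawl in order), but the combination of several parallel PDF fetches per IP and a numbered series shared across IPs is what the original message describes.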


-----Original Message-----
From: graham [mailto:graham@xxxxxxxxxxxxxx]
Sent: Thursday, June 21, 2007 9:26 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: limiting connections per ip address in apache2 when under attack

Luis Moreira (ESI-GSQP) wrote:
This is not an "Apache answer", but it may help you.

Do the IPs vary too much, or can you set up a firewall rule to block
incoming requests (any requests) from those IPs?

No, the ip addresses vary too much. I just started apache again, and the
new batch of ip addresses is clearly continuing the same web crawl, but
totally different from the previous ones. Still based in China though.

thanks for the kindness...

Graham

Sort of your own very personal "black list"?
Of course, should that address decide to post a legitimate request, it
would get blocked but hey, who told them to mess up the first time?

On the other hand, on http://www.dnsstuff.com/ you can find info on IP
addresses on the net:
who and where they are, if they belong to spam lists, etc.


May the farce be with you


Luis



-----Original Message-----
From: graham [mailto:graham@xxxxxxxxxxxxxx]
Sent: Thursday, 21 June 2007 13:47
To: users@xxxxxxxxxxxxxxxx
Subject:  limiting connections per ip address in apache2 when under attack

Hi,

I've just become involved with a system running apache2.0.55 on ubuntu
with linux 2.6.17.

The system is currently unable to run due to repeated downloads of a
large number of pdfs by systems located in China. These are hogging all
sockets and eventually causing apache to die (I'm appending more details
below in case I've got the wrong end of the stick). The ip address of
these systems varies; they are not a single block, although they are
obviously working together (different ip addresses will ask for
sequentially related pdfs). Each ip address will request multiple files
in parallel.

I'm told that the limit_ipconn module would solve my problem by limiting
the simultaneous accesses from any one ip address. There is no version
of this available for apache2 on ubuntu. I'm wondering if this is
because similar abilities have been built into apache2 itself, but
haven't managed to find any.

Does anyone have any suggestions?

Thanks
Graham
-----------------------------------------------
Notes from log:

The system is running ok, not at particularly heavy load (<1.0), and
apache is apparently running ok and not reporting errors [corrected
later].
Tailing the apache log file shows that the only accesses to the system
are GETs of pdfs from two chinese systems, 218.4.152.91 and
222.218.254.221, which are obviously running the same software.

These systems are trying to systematically work their way through
downloading all chinese pdfs. When a pdf is too large and the download
times out, they immediately try again (at any one moment each system is
trying to download 3 or 4 pdfs).

If I restart apache, I immediately get accesses from all over the place,
including the 2 chinese systems. Eventually the Chinese accesses capture
all the apache processes, and nothing else can get access.

'Solution' found for this: turn apache off for a few minutes. The
chinese systems went away, and all was fine again.

One hour later

The chinese systems, and the problems, returned. A little more data this
time.

Once the chinese systems are established, netstat shows that they occupy
most sockets but are mostly in CLOSE_WAIT state. All other requests are
stuck in SYNC_RECV.

After this continues for a while the apache processes gradually start to
die off with the following sequence:

[alert] (11): setuid: unable to change to uid: 33 (33 is www-data)

[alert] Child 691 returned a Fatal error... Apache is exiting!

[emerg] (43): couldn't grab the accept mutex

semop: Invalid argument





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
