-----Original Message-----

Bob wrote:
> Is there a valid reason based on your web server content that people from
> China would be accessing your site?

Yes, we have a very large quantity of pdfs in Chinese. Converting them to html would presumably reduce the load but I don't think the manpower to do that is there.

> If this is a real attack then you were found by rolling through a whole
> block of ip addresses looking for an open port 80.
> Change your apache server to use a different port, say 7788, instead of port 80
> and then use the free www.zoneedit.com dns service to redirect all FQDN to
> your website to include the new port. From that point on, access to your
> site would have to be done through FQDN only. And all those attack port 80 packets
> would find no web server at port 80, ending this and future attacks, leaving
> all your normal server requests using your FQDN working as they do now. This
> is called hiding in plain sight.
>

I'm not actually convinced it's an attack, rather than an incompetent spider. Some of the hits come from referrers (other Chinese sites) which have built up a long index of our files, and the spider which is causing the problem is simply running repeatedly through those. But it's an interesting idea; do you have any references from people who have done this, what the potential snags are, etc?

Graham

From: graham [mailto:graham@xxxxxxxxxxxxxx]
Sent: Thursday, June 21, 2007 12:07 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: limiting connections per ip address in apache2 when under attack

I have been running my apache web server in the above described manner for 6 years now without any problems. This technique is described in an apache security book I have. I use a firewall to block inbound port 80 and see 20 to 150 daily unsolicited hits on port 80. These are all caused by people scanning a block of ip addresses searching for open port 80.
Once you are found this way your ip address gets posted to newsgroups where underground attackers share lists of ip addresses with open port 80. Once you have been posted there, you will really see a large increase of PHP CONNECT attacks.

Since you are serving a very large quantity of pdfs in Chinese it may just be a matter of time until the China search engines get you indexed for the first time, then things should settle down to normal. If this activity continues for more than 10 days then it's not normal search engine indexing but really an attack designed to generate a denial of service situation for your server to stop the Chinese public from accessing you. The Chinese government is known to do this sort of thing to restrict their citizens' access, especially if what you have is considered undesirable information by the Chinese government.

So what is the subject matter covered by these Chinese pdfs?

Bob

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
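
Added example, not part of the original thread and not code from either poster: one way to test the "incompetent spider" explanation is to measure, per client address, how often the same files are fetched again in the Apache access log. It assumes the stock "combined" log format; the sample lines, the ExampleSpider agent string and both thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: one client looping over two PDFs, one ordinary visitor.
SAMPLE = [
    f'192.0.2.10 - - [21/Jun/2007:12:00:{i:02d} +0000] "GET /docs/{name}.pdf HTTP/1.1" '
    f'200 1048576 "http://index.example/list.html" "ExampleSpider/0.1"'
    for i, name in enumerate(["a", "b"] * 4)
] + [
    '198.51.100.7 - - [21/Jun/2007:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jun/2007:12:01:05 +0000] "GET /docs/a.pdf HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"',
]

def summarize(lines):
    """Per-client hit count, distinct paths, refetch ratio and most common referer."""
    paths = defaultdict(Counter)
    referers = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        paths[m["ip"]][m["path"]] += 1
        referers[m["ip"]][m["referer"]] += 1
    report = {}
    for ip, seen in paths.items():
        total = sum(seen.values())
        report[ip] = {
            "hits": total,
            "distinct_paths": len(seen),
            # 0.0 = every request was for a new file; near 1.0 = the same files over and over
            "refetch_ratio": round(1 - len(seen) / total, 2),
            "top_referer": referers[ip].most_common(1)[0][0],
        }
    return report

def classify(stats, min_hits=6, refetch_threshold=0.5):
    """Heuristic label; both thresholds are assumptions to tune on real traffic."""
    if stats["hits"] < min_hits:
        return "normal"
    if stats["refetch_ratio"] >= refetch_threshold:
        return "looping-spider"  # candidate for per-IP connection or rate limits
    return "heavy-client"        # many distinct files: bulk download or first-time indexing

if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE).items():
        print(ip, classify(stats), stats)
```

A client labelled looping-spider whose top referer is an external index page matches the pattern Graham describes.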