Empty User Agents in logs and DDOS

labrocca (Verified User, joined Mar 12, 2006, 151 messages)
I was attacked today and this was in logs:

Code:
363274:94.123.209.209 - - [25/Mar/2009:08:51:34 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
363414:72.225.24.227 - - [25/Mar/2009:08:52:04 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
363555:24.203.178.133 - - [25/Mar/2009:08:52:10 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
363725:79.119.19.95 - - [25/Mar/2009:08:52:02 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
363836:190.18.101.150 - - [25/Mar/2009:08:52:17 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
364128:80.202.115.136 - - [25/Mar/2009:08:52:31 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
364384:77.38.211.39 - - [25/Mar/2009:08:52:31 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
365046:94.158.208.1 - - [25/Mar/2009:08:52:07 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
365723:82.100.62.217 - - [25/Mar/2009:08:52:19 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
365798:24.109.85.12 - - [25/Mar/2009:08:49:57 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
366242:80.89.61.113 - - [25/Mar/2009:08:52:09 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
366405:87.97.100.4 - - [25/Mar/2009:08:52:55 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
366583:79.107.176.250 - - [25/Mar/2009:08:52:51 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
366747:94.213.128.136 - - [25/Mar/2009:08:51:34 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
366749:86.80.44.197 - - [25/Mar/2009:08:51:40 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
367179:122.53.120.246 - - [25/Mar/2009:08:52:57 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
367208:83.234.198.253 - - [25/Mar/2009:08:52:51 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
367446:89.123.90.79 - - [25/Mar/2009:08:52:04 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
367461:94.19.10.24 - - [25/Mar/2009:08:52:55 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
367482:92.244.134.71 - - [25/Mar/2009:08:52:03 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
367529:95.221.198.71 - - [25/Mar/2009:08:52:57 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
367554:87.97.100.4 - - [25/Mar/2009:08:52:39 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
367609:89.143.62.168 - - [25/Mar/2009:08:52:37 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
367813:89.254.139.55 - - [25/Mar/2009:08:52:40 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
368288:92.252.209.233 - - [25/Mar/2009:08:57:47 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
368290:87.19.111.146 - - [25/Mar/2009:08:52:40 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
368322:200.8.69.57 - - [25/Mar/2009:08:52:41 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
368344:81.182.20.5 - - [25/Mar/2009:08:52:40 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
368382:213.198.202.124 - - [25/Mar/2009:08:52:42 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
368389:77.38.2.60 - - [25/Mar/2009:08:52:51 -0500] "GET / HTTP/1.1" 200 0 "-" "-"
368391:201.0.204.84 - - [25/Mar/2009:08:52:42 -0500] "GET / HTTP/1.1" 200 0 "-" "-"

Appears to be empty requests without user-agents. What's the best method of stopping this type of request?
 
I'm pretty sure my servers have been subjected to similar attacks in the past, and I've never found out a direct way of stopping it. There are, however, a couple of things I have implemented which have almost completely stopped such attacks.
- A decent firewall limiting access to the www ports (see http://directadmin.com/forum/showthread.php?p=143260)
- mod_security for Apache

The day that DDoS attacks are no more is the day the Internet takes the next big step.
 
Well, I already run connection limits, but the attack involved over 400 bots, so even just 20 connections from each is enough to choke Apache.

I have a few goodies installed and I added this to htaccess which seems to work:

SetEnvIfNoCase User-Agent ^$ bad_bot

Then of course a "Deny from env=bad_bot" line too.

So far it seems good, but I am worried about any negative effects this might have on legit bots. I've been watching error logs all day and it seems okay.
 
Well, seeing as how it's a DDOS and not a DOS attack, it's gonna be a little bit harder. Mod Security's core rules come with a few rules to block these attempts, but of course that still doesn't keep them from reaching your server entirely. The only way to really stop this, that I can think of, is a hardware firewall. Otherwise, just deal with it like you currently are.
 
Already running mod_evasive, but personally I am not sure it's doing its job well enough, and the documentation for it sucks.
 
Well, mod_evasive is better for DOS attacks. It keeps IPs from making a lot of connections at one time to your server through Apache. That really just leaves it up to how many IPs they have attacking at one time. With it being a DDOS attack, they could easily have enough IPs that they only need to make a small number of connections from each IP to bring your server down (and still stay under the mod_evasive threshold).
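As an added example (not from this thread or from DirectAdmin), here is a small Python analyser that applies the same empty User-Agent test as labrocca's SetEnvIfNoCase rule to combined-format log lines, and contrasts a per-IP threshold (the mod_evasive style check discussed above) with counting distinct empty-UA sources inside a sliding window, which is what catches the "many IPs, few connections each" pattern. The sample lines, the documentation IPs and the 20-connection / 5-source thresholds are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" format; an optional leading "NNN:" grep prefix (as in the pasted log) is tolerated.
LOG_RE = re.compile(
    r'^(?:\d+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return one parsed log record, or None if the line is not combined-format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Apache logs a missing User-Agent header as "-"; these are the requests the
    # thread's SetEnvIfNoCase User-Agent ^$ rule is meant to tag.
    rec["empty_ua"] = rec["ua"] in ("", "-")
    return rec

def analyze(lines, per_ip_threshold=20, window=timedelta(seconds=60), min_ips=5):
    """Per-IP threshold (mod_evasive style) versus distinct empty-UA sources in a sliding window."""
    recs = [r for r in map(parse_line, lines) if r]
    per_ip = Counter(r["ip"] for r in recs)
    empty = sorted((r for r in recs if r["empty_ua"]), key=lambda r: r["ts"])
    peak, start = 0, 0
    for end in range(len(empty)):            # slide `window` over empty-UA hits
        while empty[end]["ts"] - empty[start]["ts"] > window:
            start += 1
        peak = max(peak, len({r["ip"] for r in empty[start:end + 1]}))
    return {
        "per_ip_alert": any(n > per_ip_threshold for n in per_ip.values()),
        "empty_ua_ips": sorted({r["ip"] for r in empty}),
        "peak_distinct_empty_ua_ips": peak,
        "distributed_alert": peak >= min_ips,
    }

# Constructed sample in the thread's log format (documentation IPs, not the real attackers).
SAMPLE = [
    '363274:192.0.2.10 - - [25/Mar/2009:08:52:04 -0500] "GET / HTTP/1.1" 200 0 "-" "-"',
    '363414:192.0.2.11 - - [25/Mar/2009:08:52:06 -0500] "GET / HTTP/1.1" 200 0 "-" "-"',
    '363555:192.0.2.12 - - [25/Mar/2009:08:52:09 -0500] "GET / HTTP/1.1" 200 0 "-" "-"',
    '363725:192.0.2.13 - - [25/Mar/2009:08:52:10 -0500] "GET / HTTP/1.1" 200 0 "-" "-"',
    '363836:192.0.2.14 - - [25/Mar/2009:08:52:17 -0500] "GET / HTTP/1.1" 200 0 "-" "-"',
    '364128:192.0.2.10 - - [25/Mar/2009:08:52:31 -0500] "GET / HTTP/1.1" 200 0 "-" "-"',
    '364384:198.51.100.7 - - [25/Mar/2009:08:52:33 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

On the sample, no single IP comes near the per-IP threshold, yet five distinct empty-UA sources hit inside one window, so only the aggregate check fires.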
 