GET attack

SupermanInNY

I'm getting DDoSed or GET attacked:



84.94.146.242 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.1" 200 17738 "-" "Mozilla/4.0 (compatible)"
82.80.192.94 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.1" 200 12678 "-" "Mozilla/4.0 (compatible)"
59.8.222.71 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.1" 200 12581 "-" "Mozilla/4.0 (compatible)"
70.244.56.75 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.1" 200 12606 "-" "Mozilla/4.0 (compatible)"
24.132.72.115 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.1" 200 21438 "-" "Mozilla/4.0 (compatible)"
82.80.13.247 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.1" 200 11706 "-" "Mozilla/4.0 (compatible)"
80.96.97.176 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.0" 200 15607 "-" "Mozilla/4.0 (compatible)"
212.179.237.118 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.1" 200 11778 "-" "Mozilla/4.0 (compatible)"
82.166.252.226 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.1" 200 12606 "-" "Mozilla/4.0 (compatible)"
84.110.22.150 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 12498 "-" "Mozilla/4.0 (compatible)"
81.218.125.60 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 12498 "\xb0L\x91|Z" "Mozilla/4.0 (compatible)"
84.177.235.173 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 12606 "-" "Mozilla/4.0 (compatible)"
68.78.138.194 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 12606 "-" "Mozilla/4.0 (compatible)"
217.132.127.65 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 11778 "-" "Mozilla/4.0 (compatible)"
86.132.44.112 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 34580 "-" "Mozilla/4.0 (compatible)"
83.26.94.67 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 14138 "-" "Mozilla/4.0 (compatible)"
83.9.246.222 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 12761 "-" "Mozilla/4.0 (compatible)"
80.230.82.190 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 11778 "-" "Mozilla/4.0 (compatible)"
217.132.144.6 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 11778 "-" "Mozilla/4.0 (compatible)"
62.143.201.130 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 12610 "-" "Mozilla/4.0 (compatible)"
62.123.122.235 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 12678 "-" "Mozilla/4.0 (compatible)"
83.130.58.212 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 11778 "-" "Mozilla/4.0 (compatible)"
85.65.12.154 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 12606 "-" "Mozilla/4.0 (compatible)"
84.4.87.65 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 12606 "-" "Mozilla/4.0 (compatible)"
86.199.192.40 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 21318 "-" "Mozilla/4.0 (compatible)"
82.199.191.168 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 12761 "-" "Mozilla/4.0 (compatible)"
83.193.132.208 - - [24/Dec/2005:01:16:24 +0200] "GET / HTTP/1.1" 200 12606 "-" "Mozilla/4.0 (compatible)"
84.110.42.108 - - [24/Dec/2005:01:16:24 +0200] "GET / HTTP/1.1" 200 12606 "]?j?t?~?\x96?\xa7?\xae?\xbd?\xd3?\xda?\xe1?\xf0?" "Mozilla/4.0 (compatible)"
85.250.241.66 - - [24/Dec/2005:01:16:24 +0200] "GET / HTTP/1.0" 200 11787 "-" "Mozilla/4.0 (compatible)"
84.130.207.200 - - [24/Dec/2005:01:16:24 +0200] "GET / HTTP/1.1" 200 12498 "-" "Mozilla/4.0 (compatible)"
80.230.222.132 - - [24/Dec/2005:01:16:24 +0200] "GET / HTTP/1.1" 200 12237 "-" "Mozilla/4.0 (compatible)"
62.0.93.9 - - [24/Dec/2005:01:16:25 +0200] "GET / HTTP/1.1" 200 11778 "-" "Mozilla/4.0 (compatible)"
81.218.125.60 - - [24/Dec/2005:01:16:25 +0200] "GET / HTTP/1.1" 200 12498 "\xb0L\x91|Z" "Mozilla/4.0 (compatible)"
217.132.5.165 - - [24/Dec/2005:01:16:25 +0200] "GET / HTTP/1.1" 200 11778 "-" "Mozilla/4.0 (compatible)"
70.244.56.75 - - [24/Dec/2005:01:16:25 +0200] "GET / HTTP/1.1" 200 34583 "-" "Mozilla/4.0 (compatible)"
84.109.32.160 - - [24/Dec/2005:01:16:25 +0200] "GET / HTTP/1.1" 200 12498 "\xb0L\x91|\\" "Mozilla/4.0 (compatible)"




This is jumping the CPU load from 0.20 to 117.0 in two minutes, and it goes up easily to over 300.

Any pointers?
Dos_evasive is already installed but is showing no effect.
Any suggestions on how to block this?

-Alon.
 
How effective tools like dos_evasive are depends on how many source IPs are involved.

But things you can try are:

Rate limiting SYNs.
Disabling the target domain/IP. This will obviously disable that domain fully but at least allow the webserver to function; you may need to null-route the IP and move all other domains off the old IP, though.
Applying per-domain limits in Apache. Again, this may or may not be effective; I would expect it to stop the GET requests being processed once above the domain resource limit, but it will still use some sort of resource for each incoming connection to the server.
 
This appears to be a typical distributed DoS attack, and the only real way to manage them is at a border router.

They're not easy to manage.

Google is your friend.

Jeff
 
Chrysalis said:
How effective tools like dos_evasive are depends on how many source IPs are involved.

But things you can try are:

Rate limiting SYNs.
Disabling the target domain/IP. This will obviously disable that domain fully but at least allow the webserver to function; you may need to null-route the IP and move all other domains off the old IP, though.
Applying per-domain limits in Apache. Again, this may or may not be effective; I would expect it to stop the GET requests being processed once above the domain resource limit, but it will still use some sort of resource for each incoming connection to the server.
This is a single-domain server, practically dedicated to that single domain. No other domains are on this server, so there is no other domain handling needed.
As for the source IPs that generate the attack, it appears they come in tens or hundreds of different IPs.
I'm using APF as the firewall. I've added a handful of IPs to the REJECT list in an attempt to block them, but it had no effect; apparently there are too many different IPs launching the attack at this time.
This started 7 hours ago and is still going. Every few hours I try to start Apache again, but the attack is still on.

Perhaps I'm not configuring the APF correctly, but I don't know what to config to stop specifically these GET attacks.

Any suggestions?

EDIT:

Hi Jeff,

Yes... Google is my best friend, yet my 'friend' isn't providing any immediate solutions. In fact, it just tells me that "you're in trouble, no remedy".

Aside from this attack, we have been hit on another server with SYN attacks (someone really likes us and gives a lot of affection).

If anyone has a solution on how to collect those IPs and stick them into the APF blocks, maybe that would help?

Aside from that, are there any suggestions on third-party vendors for a hardware/software solution to that?

Does anyone have any experience with CheckPoint or McAfee IntruShield?


-Alon.
 
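Alon asks above how to collect the attacking IPs so they can be fed into APF. This added example (not code from the thread or from APF) parses a combined-format Apache access log and pulls out the clients behind the burst pattern visible in his log: many distinct sources fetching the bare root within one second, one User-Agent, no real referer. The sample log lines, the 192.0.2.x addresses and the three-clients-per-second threshold are constructed; as the thread itself notes, with hundreds of rotating sources a per-IP deny list is a stopgap, not a fix.

```python
"""Pull the source IPs of an HTTP GET flood out of an Apache access log.

Added example, not code from the original thread. The log lines below are
constructed (192.0.2.0/24 is a documentation range) in the combined format
the thread's log uses, including a referer field holding escaped raw bytes.
"""
import re
from collections import defaultdict

# Apache combined format; referer and User-Agent may carry backslash escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>(?:[^"\\]|\\.)*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"$'
)

SAMPLE_LOG = r"""
192.0.2.10 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.1" 200 12606 "-" "Mozilla/4.0 (compatible)"
192.0.2.11 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.1" 200 12606 "-" "Mozilla/4.0 (compatible)"
192.0.2.12 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.0" 200 12606 "\xb0L\x91|Z" "Mozilla/4.0 (compatible)"
192.0.2.50 - - [24/Dec/2005:01:16:22 +0200] "GET / HTTP/1.1" 200 12606 "http://example.com/" "Mozilla/5.0 (X11; Linux)"
192.0.2.13 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 12606 "-" "Mozilla/4.0 (compatible)"
192.0.2.14 - - [24/Dec/2005:01:16:23 +0200] "GET / HTTP/1.1" 200 12606 "-" "Mozilla/4.0 (compatible)"
"""

def flood_sources(lines, min_ips=3):
    """Return, sorted, the distinct client IPs behind a GET-flood burst.

    Signature as in the thread's log: many different clients fetch the bare
    root ("GET / HTTP/x") within one second, all with the same User-Agent and
    no real referer ("-" or an escaped binary blob). A second is a burst once
    at least ``min_ips`` distinct clients match; a genuine referer is never listed.
    """
    per_second = defaultdict(set)  # (timestamp, user-agent) -> {client ip}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["req"].startswith("GET / HTTP/"):
            continue
        if m["ref"] != "-" and "\\x" not in m["ref"]:
            continue  # genuine referer: ordinary visitor, not the flood
        per_second[(m["ts"], m["ua"])].add(m["ip"])
    burst = set()
    for ips in per_second.values():
        if len(ips) >= min_ips:
            burst |= ips
    return sorted(burst)  # one IP per line is what a firewall deny list takes

if __name__ == "__main__":
    print("\n".join(flood_sources(SAMPLE_LOG.strip().splitlines())))
```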
Do you have the anti-dos (AD) section of APF enabled? Have you restarted the firewall so the changes take effect? (/etc/apf/apf -r)

Joe
 
APF can't stop a distributed DoS attack.

Can you move the server to another IP# (this will require DA to reissue the license)? This would be the best bet.

And then I'd have the upstream null-route the old IP#, as Chrysalis suggests.

Yes, as in your PS to me, basically you're in trouble.

A nice upstream and changing the IP(s) is often the best way to handle it.

Big companies use hardware solutions to switch quickly between IP#s, but there's nothing magic going on.

And of course with a wide enough pipe and a fancy (read: expensive) hardware filter, you don't even notice it at the server.

Jeff
 
jlasman said:
APF can't stop a distributed DoS attack.

Can you move the server to another IP# (this will require DA to reissue the license)? This would be the best bet.

And then I'd have the upstream null-route the old IP#, as Chrysalis suggests.

Yes, as in your PS to me, basically you're in trouble.

A nice upstream and changing the IP(s) is often the best way to handle it.

Big companies use hardware solutions to switch quickly between IP#s, but there's nothing magic going on.

And of course with a wide enough pipe and a fancy (read: expensive) hardware filter, you don't even notice it at the server.

Jeff
I'm currently out of available IPs, so I'm stuck for the weekend.
I don't care so much for the DA portion, as although it is installed, for now, this is, as mentioned, just a single domain server.

However, that will actually not prove of value, as the hits are not IP-based but rather name-based, so changing the IPs is of no effect.

For the APF portion, yes, I re-ran it as suggested, but to no avail.



--------------
Big companies use hardware solutions to switch quickly between IP#s, but there's nothing magic going on.

What do you mean?
We are willing to spend the extra buck for the right hardware.
Previously (a few weeks ago) we had a hardware appliance called Fortigate 200A installed, but it didn't stop SYN attacks, so we stopped using it. Mind you, this is not a cheap solution (about USD 3,000), and we decided it is not doing what we need.
We are looking into other solutions, as I mentioned, and would love to hear of other products or solutions.
A bigger pipe for the current server is again not the issue, as the server load is rising with no regard to the connection.
Are there any Cisco or other manufacturers that you would recommend or mention for me to further explore? Would CheckPoint have a product that will handle this right?


EDIT:
I've changed IPs for the domain and the attack seems to be no longer affecting my server.
I'm glad to learn that the GET attack is IP-bound and not name-based.
Thanks Jeff for that pointer!
However, this is a short-lived win, as I'm sure in the next day the attacker will switch IPs, so we'll see how that goes.

-Alon.
 
Alon called me and we spent a few minutes going over options.

I told him I didn't think the attack was name-based. My thoughts were that I'd never heard of any name-based distributed attack mechanism.

Luckily I was right, as a name-based attack would be almost impossible to block.

Let me explain what I meant by nothing magic going on:

There's some very expensive hardware out there that attempts to determine attack signatures, and then block those packets.

As Alon mentioned, they're not perfect.

And even if they were, they can't stop those incoming packets, so you'd need a very wide pipe (so the desired packets will still be able to get through to your network).

Even when changing IP#s, unless your upstream can null-route the old IP# for you, those packets are still impacting your network.

It was good speaking with you last night, Alon.

Good Luck!

Jeff
 
Just my $0.02: this is a worm... kinda. I've been getting hit by this for well over a week, as have most servers that are on the internet. I would bet that if most people in these forums looked at their Apache logs, they'd see this. Look in your error_log and you'll see a bunch of failed PUTs too.

What happened was that during one of PHP's many vulnerabilities, some server had a script uploaded to it w/o the admin's knowledge or consent. It's usually in the /tmp directory and it executes all the time, each time finding another IP address to hit. If it finds a successful host to attack, that host gets infected too and the cycle continues, but now with yet another host out there doing the scanning.

This isn't a DA problem, FYI. It's an Apache/PHP problem. The attack is too slow to be stopped by mod_evasive, although mod_security does wonders. I'm in the process of putting together a country-specific ban list for iptables blocking most of Asia, since that's where 80% of this particular issue is originating from. I was gonna ask about http://www.maxmind.com/app/mod_geoip and I will in another thread, but that might be an option as well.

For now, just keep your PHP and PHP-based apps up to date. Make sure Apache is up to date as well and you'll be fine. Add rules to iptables to block offenders and you'll be best off. It sucks, but there isn't much you can do about it unfortunately. :(


edit: oops, I didn't look at his GETs. They're all blank. My bad, that is a SYN flood on his Apache. Forgive me, I thought it was the PHP script scanner.
 