Getting Ddos'd

Baxter

I have a problem with someone DoS'ing my box... it makes Apache and MySQL unavailable and time out... here are the logs

Code:
216.194.26.101 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:47 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
80.58.4.42 - hp6lbu0orcha63 [15/Oct/2005:23:44:47 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; Compaq )"
194.109.22.148 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:47 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
80.58.51.235 - ye5ht4oazueddg [15/Oct/2005:23:44:47 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; win9x/NT 4.90 )"
80.58.11.42 - ivlwbux8bd6czf [15/Oct/2005:23:44:47 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
65.78.105.153 - xghwch1scq2915 [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; DigiExt )"
65.78.105.153 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; athome020 )"
148.244.150.52 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; DigiExt )"
196.203.63.246 - 254tmtr6mn5z5y [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; NetCaptor )"
216.199.217.156 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; DigiExt )"
212.117.209.116 - ewspo6b0fry1pb [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; TWRAITH )"
212.0.128.2 - 89qqbhbm8eki7n [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; athome0107 )"
65.78.105.153 - fgzalrg4ri1lda [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; NetCaptor )"
216.194.26.101 - 6orvxbilff73fw [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; DigiExt )"
66.187.104.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; NetCaptor )"
80.58.4.107 - mpe647yhywbn72 [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; ezn IE )"
212.117.209.116 - 4xtblugb47kuse [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; win9x/NT 4.90 )"
70.81.255.172 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )"
200.67.239.225 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; DigiExt )"
200.67.239.225 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; FREEI v2.53 )"
212.122.76.212 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; MSNIA )"
216.194.26.101 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; Compaq )"
12.47.252.130 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; DigiExt )"
82.227.132.35 - w7celpu3nhljlj [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; Compaq )"
68.167.33.18 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:50 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; DigiExt )"
216.199.217.156 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:50 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; DigiExt )"
64.89.16.7 - hblvlryi1wce4h [15/Oct/2005:23:44:50 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; DigiExt )"
61.208.100.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:50 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; DigiExt )"
64.49.50.4 - 8xvbechiqe7vec [15/Oct/2005:23:44:51 -0400] "HEAD http://www.*************.com/index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; NetCaptor )"
216.199.217.156 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:51 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; NetCaptor )"
80.58.9.237 - xhat470yi3jgv2 [15/Oct/2005:23:44:51 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"
80.58.4.107 - zo4gz91pxcd6nh [15/Oct/2005:23:44:51 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; DigiExt )"
61.144.230.42 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:51 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; Compaq )"
212.5.203.224 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; NetCaptor )"
217.19.87.67 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; DigiExt )"
216.168.230.197 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
61.208.100.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; DigiExt )"
202.78.224.17 - jlrrk8m26m1ux8 [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; TWRAITH )"
80.58.15.170 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; DigiExt )"
68.213.5.30 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )"
212.122.76.212 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"
216.199.217.156 - qttxli2clv2v9h [15/Oct/2005:23:44:52 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; DigiExt )"
61.11.120.213 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:53 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; DigiExt )"
128.107.253.44 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:53 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; DigiExt )"
216.194.26.101 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:53 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; DigiExt )"
82.227.132.35 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:53 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
218.189.222.222 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:53 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; win9x/NT 4.90 )"
61.95.224.127 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:53 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; NetCaptor )"
203.160.244.229 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; MSNIA )"
203.160.244.229 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"
203.160.244.229 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
216.168.230.197 - jlrrk8m26m1ux8 [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
66.187.104.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; MSNIA )"
211.76.97.247 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; Compaq )"
211.76.97.246 - nxs2jgnonk6rlq [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; athome0107 )"
211.76.97.246 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:17 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"
212.60.64.245 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:18 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; win9x/NT 4.90 )"
222.35.11.126 - y7iyobnjyoirsz [15/Oct/2005:23:45:18 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
221.212.177.97 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:18 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; DigiExt )"
221.10.124.34 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:18 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; DigiExt )"
221.212.177.97 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:18 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; TWRAITH )"
81.50.135.12 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:18 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; ezn IE )"
212.60.64.245 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:19 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; ezn IE )"
212.60.64.245 - etlr9miobaodk7 [15/Oct/2005:23:45:19 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; ezn IE )"
68.213.5.30 - naciswiws9uphn [15/Oct/2005:23:45:19 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; DigiExt )"
61.95.224.127 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:19 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; DigiExt )"
66.30.8.92 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:19 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; ezn IE )"
61.155.100.58 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:19 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; NetCaptor )"
63.74.149.243 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
63.74.149.243 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; MSNIA )"
61.49.3.254 - 68m8lid9tjychi [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; MSNIA )"
221.10.55.202 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; Compaq )"
64.89.16.7 - 11355agt1ndqz5 [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; win9x/NT 4.90 )"
64.89.16.7 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; TWRAITH )"
64.89.16.7 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:20 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
64.89.16.7 - c1g4b3jhf8vgt9 [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; athome020 )"
212.147.19.128 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; TWRAITH )"
61.145.126.114 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; NetCaptor )"
65.78.105.153 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; DigiExt )"
64.49.50.4 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:21 -0400] "HEAD http://www.*************.com/index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )"
61.208.100.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; win9x/NT 4.90 )"
61.3.218.132 - 6hjn4yc0ekjtqf [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; win9x/NT 4.90 )"
61.95.224.127 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:21 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; TWRAITH )"
62.248.110.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; ezn IE )"
64.89.16.7 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; win9x/NT 4.90 )"
61.155.100.58 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; ezn IE )"
64.89.16.7 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; ezn IE )"
65.78.105.153 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; ezn IE )"
61.144.230.42 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; MSNIA )"
61.144.230.42 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; DigiExt )"
202.28.27.3 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; MSNIA )"
61.208.100.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; NetCaptor )"
221.226.95.80 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
211.76.97.250 - nxs2jgnonk6rlq [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; DigiExt )"
200.162.68.133 - 11355agt1ndqz5 [15/Oct/2005:23:45:22 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )"
200.162.68.133 - oufzxla1v22goe [15/Oct/2005:23:45:23 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; athome0107 )"
61.208.100.2 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:23 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"
211.76.97.246 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:23 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; TWRAITH )"
64.89.16.7 - vrcl4zbmjzc3xi [15/Oct/2005:23:45:23 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
61.222.129.20 - I-HAVE-A-KNIFE [15/Oct/2005:23:45:23 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.*************.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; MSNIA )"

Any ideas?
 
I'm using apf with antidos enabled... I'm not sure if the settings I have are sufficient, or if it would even catch this type of attack.

Here's the config.antidos

Code:
#
# antidos beta 0.6 [[email protected]]
#
# NOTE: This file should be edited with word/line wrapping off,
#       if your using pico please start it with the -w switch.
#       (e.g: pico -w filename)
#
##
# [Main Configuration]
##

# Installation base path of apf
APF_BASE="/etc/apf"

# Config file path for apf
APF_CNF="$APF_BASE/conf.apf"

# Installation path
INSTALL_PATH="$APF_BASE/ad"

# Log file for antidos
ANTILOG="/var/log/apfados_log"

# Max load; do not allow antidos to run passed this load level
MLOAD="30"

##
# [Attack Triggers & Routines]
##

# Parse klog for iptables logged attacks [0=off,1=on]
LP_KLOG="1"

# Parse snort portscan log for attacks [0=off,1=on]
LP_SNORT="0"

# Try to detect syn-flood attacks [0=off,1=on]
DET_SF="1"

# Kernel log file
KLOG="/var/log/messages"

# Snort portscan log file [experimental]
SLOG="/var/log/snort/portscan.log"

LN="200"

# Trigger value before we drop an event SRC
TRIG="24"

# Trigger value before we drop syn-floods for SRC
SF_TRIG="20"
  #
  # Trigger ports for syn-flood; null for all
  SF_TRIG_PORTS="80,443"
  #
  # Trigger connection types for syn-flood
  SF_TY="SYN_RECV,TIME_WAIT"

##
# [Attack Filtering]
##

# Reject attackers in route table [0=off,1=on]
ROUTE_REJ="0"

# Drop destination interface [0=off,1=on]
DROP_IF="0"
  #
  # Do not drop interface for events matching these ports;
  # line seperated strings.
  NCRIT_PORTS="$INSTALL_PATH/noncrit.ports"

# Block attacks with iptables [0=off,1=on]
IPT_BL="1"
  #
  # Were to write iptable rules too
  BLOCKR="$INSTALL_PATH/ad.rules"

# Parse logs and match accesses from attackers same IP block and ban them
# [0=off,1=on]
NETBLOCK=0
  #
  # Match based on a /16 or /24 mask
  NETBLOCK_MASK=24

##
# [E-Mail Alerts]
##

# Topic for warning emails
ARTOPIC="Urgent: Administrative issue enclosed, please read."

# Max number of emails to send
MAX_MNUM="10"

# Organization name to display on outgoing alert emails
CONAME="Idolhosting Servers"

# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="1"
  #
  # User for alerts to be mailed to
  USR="*************"

# Send out ip-whois abuse alerts upon attack [0=off,1=on]
ARIN_ALERT="0"
  #
  # Whois server for default queries
  IPW_SRV="whois.arin.net"
  #
  # Return path for email alerts (reply address)
  RETUSR="$USR"

##
# [Misc]
##

# Arin attack warning file
WARIN="$INSTALL_PATH/arin.msg"

# User attack warning file
WUSR="$INSTALL_PATH/usr.msg"

# Ignore file, for ignoring hosts/specific patterns
IGNORE="$INSTALL_PATH/ignore"
IGNORE_HOSTS="$INSTALL_PATH/ignore.hosts"

# Data file to track amount of emails sent
MNUM_F="$INSTALL_PATH/.mnum"

# Firewall chains keyword file
FWCHAINS="$INSTALL_PATH/chains"

# Just a temp file we can write to
TMPF="$INSTALL_PATH/.ad.swp"

# Grab the systems numeric timezone (e.g: -0500)
TMZ=`date +"%z"`

# unix time for lock tracking
UTIME=`date +"%s"`

# lock file path
LOCK="$INSTALL_PATH/lock.utime"

# lock file timeout in seconds
LOCK_TIMEOUT="300"

Any suggestions?
 
Well, I don't know how to stop Apache attacks, but if you're following this in real time, how many bots can he have?

I'd say write a script that checks the Apache log and auto-places the IP addresses with I-HAVE-A-KNIFE in the ban list.

That should put a stop to it I guess...
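
The log-scanning script suggested in the reply above, as an added example that is not part of the original thread. It goes slightly beyond the suggestion: instead of matching only the literal I-HAVE-A-KNIFE, it flags any HEAD request with a filled-in remote-user field (which also covers the random names in the posted log), requires a minimum hit count and honours an allowlist. The function names, the sample log lines (documentation addresses, constructed) and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example: list ban candidates from an Apache combined-format access log
# read on stdin.
#
# Signature, taken from the excerpt posted in the thread: a HEAD request whose
# remote-user field (3rd field) is filled in. Assumption: the site does not use
# HTTP authentication, so legitimate requests log "-" in that field.

# usage: ban_candidates [MIN_HITS] [ALLOWLIST_FILE] < access_log
# prints "hits ip", busiest source first
ban_candidates() {
    awk -v min="${1:-3}" -v allowfile="${2:-}" '
        BEGIN {
            # Allowlist: one IP per line (own monitoring, office, upstream proxy).
            if (allowfile != "")
                while ((getline entry < allowfile) > 0) allow[entry] = 1
        }
        # $1 = client IP, $3 = remote user, $6 = opening quote plus method.
        $3 != "-" && $6 == "\"HEAD" {
            # Only well-formed dotted quads may be passed on to a firewall.
            if ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min && !(ip in allow))
                    print hits[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input in the same format as the posted log.
sample_log() {
    cat <<'EOF'
192.0.2.10 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:47 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.example.com:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
192.0.2.10 - hp6lbu0orcha63 [15/Oct/2005:23:44:47 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.example.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; Compaq )"
192.0.2.10 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.1" 200 0 "http://www.example.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; DigiExt )"
198.51.100.7 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:48 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.example.com/index.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; NetCaptor )"
198.51.100.7 - xghwch1scq2915 [15/Oct/2005:23:44:49 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.example.com:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; DigiExt )"
203.0.113.5 - - [15/Oct/2005:23:44:49 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [15/Oct/2005:23:44:50 -0400] "HEAD /index.php HTTP/1.1" 200 0 "-" "uptime-check/1.0"
203.0.113.9 - I-HAVE-A-KNIFE [15/Oct/2005:23:44:50 -0400] "HEAD /index.php HTTP/1.0" 200 0 "http://www.example.com:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; MSNIA )"
EOF
}

# Demo on the sample: sources with at least two matching requests.
# Review the list before denying anything in the firewall
# (with APF that is: apf -d IP COMMENT).
sample_log | ban_candidates 2
```

Run it against the live log with `ban_candidates 20 /path/to/allowlist < access_log`. Because the attack comes from many sources, expect the list to keep growing, and put your own monitoring and proxy addresses in the allowlist first.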
 
If these are just GET requests, the dos_evasive mod might help you, as well as rate limiting SYN.

There are more complex methods which are more effective but out of the scope of this post. If you end up not being able to stop it and it is a domain you can have down for a while, reroute them to localhost.
 