Topic: Dealing with malicious high-traffic requests
Aaron44126
Joined: 22 Jun 2011 Posts: 7
Posted: Wed 22 Jun '11 16:21 Post subject: Dealing with malicious high-traffic requests
Hi everyone.
Running Apache 2.2.19 on Windows (with PHP 5.3.6 and SVN 1.6.17 modules, otherwise a pretty standard deployment).
I actually run about 20 different low-traffic sites with virtual hosts. My web server's upstream bandwidth is pretty low (~3 megabits), which is completely fine for my normal load.
This morning I noticed that all of my sites were unresponsive. I restarted the Apache service and the problem was fixed, but it returned a few minutes later. After bouncing the service two or three times with the problem continuing to return, I dug into the access log files.
I found repeated requests from the same IP address to a large ZIP file hosted on one of the sites.
Code:
41.206.147.72 - - [22/Jun/2011:10:01:40 -0400] "GET /path/to/big/file.zip HTTP/1.1" 206 3342524
41.206.147.72 - - [22/Jun/2011:10:01:43 -0400] "GET /path/to/big/file.zip HTTP/1.1" 206 8047861
41.206.147.72 - - [22/Jun/2011:10:01:46 -0400] "GET /path/to/big/file.zip HTTP/1.1" 206 4370096
41.206.147.72 - - [22/Jun/2011:10:01:46 -0400] "GET /path/to/big/file.zip HTTP/1.1" 206 1783043
41.206.147.72 - - [22/Jun/2011:10:01:52 -0400] "GET /path/to/big/file.zip HTTP/1.1" 206 8515445
41.206.147.72 - - [22/Jun/2011:10:01:55 -0400] "GET /path/to/big/file.zip HTTP/1.1" 206 6904684
etc...
It looks like this had been going on for several hours before I noticed it. I believe the status code of 206 indicates that it was just a request for a part of the file. I actually can't be sure if it was malicious activity or some download manager gone crazy (user agent reports IE9 on Windows 7), but it was really killing the performance of all of my sites. I blocked the IP address and the problem went away, but the requests continue even now.
Code:
41.206.147.72 - - [22/Jun/2011:10:04:59 -0400] "GET /path/to/big/file.zip HTTP/1.1" 403 223
41.206.147.72 - - [22/Jun/2011:10:04:59 -0400] "GET /path/to/big/file.zip HTTP/1.1" 403 223
41.206.147.72 - - [22/Jun/2011:10:05:00 -0400] "GET /path/to/big/file.zip HTTP/1.1" 403 223
41.206.147.72 - - [22/Jun/2011:10:05:01 -0400] "GET /path/to/big/file.zip HTTP/1.1" 403 223
41.206.147.72 - - [22/Jun/2011:10:05:01 -0400] "GET /path/to/big/file.zip HTTP/1.1" 403 223
My question to you is, what are some ways to go about dealing with this problem? If something similar happens in the future, I don't want to have to go crawl around in the logs to figure out which domain is getting the requests, and then manually block the IP address. Are there any options or modules that can be used to limit repeated requests or even detect this sort of activity and auto-block the IP?
Don't need a whole tutorial, just a push in the right direction.
Thanks in advance!
Back to top |
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 22 Jun '11 16:43 Post subject:
I think with Mod Bandwidth you can limit that. See the project page for more info about this module. http://bwmod.sourceforge.net/
I know of only a VC9 build on apachehaus.com, which means it won't load into Apache from apache.org, but it will in Apache from apachelounge or apachehaus. I think if you really need to use Apache from apache.org, we can find a way to compile it with VC6.
Back to top |
Aaron44126
Joined: 22 Jun 2011 Posts: 7
Posted: Wed 22 Jun '11 16:52 Post subject:
Thanks for your reply, I'll look into that. I'm using the Apache Lounge VC9 build so I should be able to use that one.
Back to top |
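The pattern in the first post's access log (one client, many 206 responses for the same file within seconds) can be found automatically with a sliding-window count per client and path. This Python script is an added example, not code from the thread or from any Apache module; the function names and thresholds are assumptions, and the last two sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" \d{3} (?P<size>\d+|-)')

def parse(line):
    """Return (ip, time, path, bytes_sent), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], 0 if m["size"] == "-" else int(m["size"])

def find_hammering(lines, window_s=30, max_hits=5, max_bytes=20_000_000):
    """Map (ip, path) -> peak (hits, bytes) for pairs that exceed max_hits
    requests or max_bytes sent inside a window_s-second sliding window.
    The thresholds are assumed values; tune them to the link capacity."""
    recent = defaultdict(deque)          # (ip, path) -> (time, bytes) in window
    flagged = {}
    for ip, ts, path, size in filter(None, map(parse, lines)):
        q = recent[(ip, path)]
        q.append((ts, size))
        while ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()                  # drop requests older than the window
        hits, total = len(q), sum(b for _, b in q)
        if hits > max_hits or total > max_bytes:
            old = flagged.get((ip, path), (0, 0))
            flagged[(ip, path)] = (max(old[0], hits), max(old[1], total))
    return flagged

# First six lines are the ones quoted in the post; the last two are constructed.
SAMPLE = """\
41.206.147.72 - - [22/Jun/2011:10:01:40 -0400] "GET /path/to/big/file.zip HTTP/1.1" 206 3342524
41.206.147.72 - - [22/Jun/2011:10:01:43 -0400] "GET /path/to/big/file.zip HTTP/1.1" 206 8047861
41.206.147.72 - - [22/Jun/2011:10:01:46 -0400] "GET /path/to/big/file.zip HTTP/1.1" 206 4370096
41.206.147.72 - - [22/Jun/2011:10:01:46 -0400] "GET /path/to/big/file.zip HTTP/1.1" 206 1783043
41.206.147.72 - - [22/Jun/2011:10:01:52 -0400] "GET /path/to/big/file.zip HTTP/1.1" 206 8515445
41.206.147.72 - - [22/Jun/2011:10:01:55 -0400] "GET /path/to/big/file.zip HTTP/1.1" 206 6904684
192.0.2.10 - - [22/Jun/2011:10:01:41 -0400] "GET /index.php HTTP/1.1" 200 5120
192.0.2.10 - - [22/Jun/2011:10:01:50 -0400] "GET /path/to/big/file.zip HTTP/1.1" 200 9000000
""".splitlines()

if __name__ == "__main__":
    for (ip, path), (hits, total) in find_hammering(SAMPLE).items():
        print(f"{ip} {path}: {hits} requests, {total} bytes in window")
```

The flagged (ip, path) pairs are the input a deny list would need, which replaces the manual log search described in the first post.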