logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Stopping GET request flooding
Author
santa.klaus



Joined: 11 Feb 2013
Posts: 5

PostPosted: Tue 12 Feb '13 4:05    Post subject: Stopping GET request flooding Reply with quote

Hello apacheloungies,

I'm experiencing many GET requests in the access.log on my server. I've tried to prevent this requests with mod_security but it's not working. Have you any hint how I can manage to deny this requests?

Here is a dump from the access.log:

Code:
201.232.48.212 - - [12/Feb/2013:02:51:53 +0100] "GET /din.aspx?s=00000000&id=118465483&client=DynGate&rnd=80009970&p=10000001 HTTP/1.0" 301 316
200.75.69.57 - - [12/Feb/2013:02:51:53 +0100] "GET /din.aspx?s=00000000&id=677203362&client=DynGate&retry=1&rnd=425798936&p=10000002 HTTP/1.0" 301 329
201.232.48.212 - - [12/Feb/2013:02:51:53 +0100] "GET /din.aspx?s=00000000&id=118465483&client=DynGate&retry=1&rnd=245114880&p=10000002 HTTP/1.0" 301 329
200.75.69.57 - - [12/Feb/2013:02:52:10 +0100] "GET /din.aspx?s=00000000&id=677203362&client=DynGate&rnd=213537933&p=10000001 HTTP/1.0" 301 317
200.75.69.57 - - [12/Feb/2013:02:52:10 +0100] "GET /din.aspx?s=00000000&id=677203362&client=DynGate&retry=1&rnd=379135632&p=10000002 HTTP/1.0" 301 329
201.232.48.212 - - [12/Feb/2013:02:52:12 +0100] "GET /din.aspx?s=00000000&id=118465483&client=DynGate&rnd=197702418&p=10000001 HTTP/1.0" 301 317
201.232.48.212 - - [12/Feb/2013:02:52:12 +0100] "GET /din.aspx?s=00000000&id=118465483&client=DynGate&retry=1&rnd=197702418&p=10000002 HTTP/1.0" 301 329
200.75.69.57 - - [12/Feb/2013:02:52:27 +0100] "GET /din.aspx?s=00000000&id=677203362&client=DynGate&rnd=506118500&p=10000001 HTTP/1.0" 301 317
200.75.69.57 - - [12/Feb/2013:02:52:27 +0100] "GET /din.aspx?s=00000000&id=677203362&client=DynGate&retry=1&rnd=165879798&p=10000002 HTTP/1.0" 301 329
201.232.48.212 - - [12/Feb/2013:02:52:30 +0100] "GET /din.aspx?s=00000000&id=118465483&client=DynGate&rnd=149894745&p=10000001 HTTP/1.0" 301 317
201.232.48.212 - - [12/Feb/2013:02:52:30 +0100] "GET /din.aspx?s=00000000&id=118465483&client=DynGate&retry=1&rnd=149894745&p=10000002 HTTP/1.0" 301 329
200.75.69.57 - - [12/Feb/2013:02:52:44 +0100] "GET /din.aspx?s=00000000&id=677203362&client=DynGate&rnd=292596150&p=10000001 HTTP/1.0" 301 317
200.75.69.57 - - [12/Feb/2013:02:52:44 +0100] "GET /din.aspx?s=00000000&id=677203362&client=DynGate&retry=1&rnd=459401982&p=10000002 HTTP/1.0" 301 329
201.232.48.212 - - [12/Feb/2013:02:52:47 +0100] "GET /din.aspx?s=00000000&id=118465483&client=DynGate&rnd=443746744&p=10000001 HTTP/1.0" 301 317
201.232.48.212 - - [12/Feb/2013:02:52:47 +0100] "GET /din.aspx?s=00000000&id=118465483&client=DynGate&retry=1&rnd=101729728&p=10000002 HTTP/1.0" 301 329


It's about 500 of such requests in 10 minutes. I've activated mod_security. The server loads following default modsecurity.conf with an additional SecRule for my problem on the bottom. But the requests are still logged with a 301 in the access.log.

Quote:
# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine On


# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On


# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"


# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# Store up to 128 KB of request body data in memory. When the multipart
# parser reachers this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072

# What do do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Did we see anything that might be a boundary?
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

# -- Response body handling --------------------------------------------------

# Allow ModSecurity to access response bodies.
# You should have this directive enabled in order to identify errors
# and data leakage issues.
#
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
#
SecResponseBodyAccess On

# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml

# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288

# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial


# -- Filesystem configuration ------------------------------------------------

# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
#
# This default setting is chosen due to all systems have /tmp available however,
# this is less than ideal. It is recommended that you specify a location that's private.
#
SecTmpDir C:/web/tmp/

# The location where ModSecurity will keep its persistent data. This default setting
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir C:/web/tmp/


# -- File uploads handling configuration -------------------------------------

# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/

# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly

# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600


# -- Debug log configuration -------------------------------------------------

# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3


# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log

# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/


# -- Miscellaneous -----------------------------------------------------------

# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &

# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0

# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
#SecUnicodeCodePage 20127
#SecUnicodeMapFile unicode.mapping

# --------------------------------------------------------------------------------------------------------------------------------
# --------------------------------------------------------------------------------------------------------------------------------
#SecDefaultAction log,auditlog,deny,status:406,phase:2,\
SecRule QUERY_STRING "/din.aspx" nolog,deny,status:406

#SecRule REQUEST_HEADERS:Host "^[\d\.]+$" \ "phase:1,t:none,block,msg:'Host is an IP address'"


I'm using Apache 2.4.3 x64 with PHP 5.4.9 x64 on Windows Server 2008 R2.

After searching I found that this requests belong to some Teamviewer stuff. But I never had it installed on the server. I was afraid that my server could have been compromised. But only an up-to-date wordpress application and roundcube are currently installed on this system along with Immunet 3.0 antivirus, that found nothing after a full system scan.

What can I do?

Best Regards
Klaus
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

PostPosted: Tue 12 Feb '13 21:32    Post subject: Reply with quote

Your mod_security rule doesn't seem quite right:
Code:
SecRule QUERY_STRING "/din.aspx" nolog,deny,status:406

Did you mean REQUEST_FILENAME (the part of the URI before the ? character) instead of QUERY_STRING (the part after the ? character)?

Also, response code 403 indicates that the client should not retry. This may be a better response to send than 406.

Perhaps this mod_security rule would work better for you:
Code:
SecRule REQUEST_FILENAME "^/din.aspx" nolog,deny,status:403


-tom-
Back to top
santa.klaus



Joined: 11 Feb 2013
Posts: 5

PostPosted: Wed 13 Feb '13 1:55    Post subject: Reply with quote

Thanks for this help!!!

REQUEST_FILENAME is actually more appropriate. I'll give it a try.

EDIT:

It seems to work, but both mod_security and access.log are logging. The SecRule has the "nolog" action. Why does mod_security still log it? Can I exclude this requests from access.log?
Back to top


Reply to topic   Topic: Stopping GET request flooding View previous topic :: View next topic
Post new topic   Forum Index -> Apache