logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache 2.2 is flooded with "POST" requests
Author
Chainz



Joined: 17 Jul 2014
Posts: 2
Location: Bulgaria

PostPosted: Thu 17 Jul '14 19:41    Post subject: Apache 2.2 is flooded with "POST" requests Reply with quote

Hi
I'm running a website on Apache 2.2.25 with PHP 5.3.6 and mod_security 2.7.6 on a Windows server 2003.
A couple of days ago my website went down due to a attack with excessive amount of "POST" requests, which the server can't handle. Below I'm attaching 30 seconds of the Apache access log file.

I don't have a clue how to oppose to this. My site is still down.

Can I add a rule to mod_security, or add some other mod to Apache which will counteract this?

If anyone needs more information, I will post it immediately.

Thank you in advance.

Code:
80.38.20.160 - - [17/Jul/2014:17:12:00 +0300] "POST / HTTP/1.1" 200 32257
85.9.73.110 - - [17/Jul/2014:17:12:00 +0300] "POST / HTTP/1.1" 200 32247
116.98.49.182 - - [17/Jul/2014:17:12:00 +0300] "POST / HTTP/1.1" 200 32243
113.166.33.35 - - [17/Jul/2014:17:12:00 +0300] "POST / HTTP/1.1" 200 32231
182.73.114.10 - - [17/Jul/2014:17:12:00 +0300] "POST / HTTP/1.1" 200 32243
80.68.181.78 - - [17/Jul/2014:17:12:01 +0300] "POST / HTTP/1.0" 200 32247
90.157.203.10 - - [17/Jul/2014:17:12:02 +0300] "POST / HTTP/1.1" 200 32226
41.32.112.239 - - [17/Jul/2014:17:12:01 +0300] "POST / HTTP/1.1" 200 32241
78.187.3.101 - - [17/Jul/2014:17:12:01 +0300] "POST / HTTP/1.1" 200 32243
2.182.246.208 - - [17/Jul/2014:17:12:02 +0300] "POST / HTTP/1.1" 200 32243
213.135.242.112 - - [17/Jul/2014:17:12:03 +0300] "POST / HTTP/1.1" 200 32282
91.93.35.43 - - [17/Jul/2014:17:12:01 +0300] "POST / HTTP/1.1" 200 31942
....
....
....
....
190.199.226.161 - - [17/Jul/2014:17:12:28 +0300] "POST / HTTP/1.1" 200 32243
212.170.193.84 - - [17/Jul/2014:17:12:29 +0300] "POST / HTTP/1.1" 200 32246
95.224.106.6 - - [17/Jul/2014:17:12:29 +0300] "POST / HTTP/1.1" 200 32257
80.86.56.70 - - [17/Jul/2014:17:12:29 +0300] "POST / HTTP/1.1" 200 32247
113.186.24.16 - - [17/Jul/2014:17:12:30 +0300] "POST / HTTP/1.1" 200 32241
94.153.131.10 - - [17/Jul/2014:17:12:29 +0300] "POST / HTTP/1.1" 200 32247
178.131.107.108 - - [17/Jul/2014:17:12:30 +0300] "POST / HTTP/1.1" 200 32256
2.176.199.94 - - [17/Jul/2014:17:12:31 +0300] "POST / HTTP/1.1" 200 32247
114.79.28.99 - - [17/Jul/2014:17:12:30 +0300] "POST / HTTP/1.1" 200 32255
190.87.187.149 - - [17/Jul/2014:17:12:31 +0300] "POST / HTTP/1.1" 200 32236
85.247.131.232 - - [17/Jul/2014:17:12:30 +0300] "POST / HTTP/1.1" 200 32218
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

PostPosted: Wed 23 Jul '14 9:08    Post subject: Reply with quote

Sorry, this is traffic for sure, but not extensively.
Back to top
Chainz



Joined: 17 Jul 2014
Posts: 2
Location: Bulgaria

PostPosted: Wed 23 Jul '14 11:39    Post subject: Reply with quote

I can assure you that my site does not have that many visitors, beacuse of the fact that I am running it for more than five years and there was no such traffic what so ever, and all of a sudden, boom four five requests per second non stop for over e week now. That's not right. And since I applied mod_security, at least I got the site back running. When I didn't have it it just froze with 100% of CPU usage.
And futhermore the access log file looks a lot different when someone actually visits the site, it's not just "POST" ....

So anyone have another idea? How to further fix this?
Back to top
AdrianK_IT



Joined: 30 May 2013
Posts: 34
Location: Scottish Borders, UK

PostPosted: Wed 30 Jul '14 20:33    Post subject: Reply with quote

Hi Chainz

Are you still having problems? What sort of firewall options do you have on your server, or router?

I use a PHP script, run daily, which semi-automatically analyses my logs and writes any IP address exhibiting unwanted behaviour (request strings, user agents) into an .xml file which I can import into my server firewall (Comodo) blocklist.

For (my) security reasons, I'm not willing to go into detail. However, if you can code in PHP, I could give you some pointers.
Back to top


Reply to topic   Topic: Apache 2.2 is flooded with "POST" requests View previous topic :: View next topic
Post new topic   Forum Index -> Apache