DOS prevention

J. Wade Michaelis jwade at userfriendlytech.net
Mon Mar 18 15:45:48 CDT 2013


On Mon, Mar 18, 2013 at 2:58 PM, Mark Hutchings <mark.hutchings at gmail.com> wrote:

> You sure it was just a http attack? Several hundred requests in a few
> minutes shouldn't really put it on its knees, unless the server is a VPS
> with low memory/CPU usage limits, or the server itself is low on resources.
>
>

I've gone over my access logs again, and here are the particulars on the
two attacks that caused the server to hang:

On March 6th, between 4:29:11 and 4:31:40, there were 1453 requests from a
single IP, and all were 'GET' requests for a single page (one that *does* exist).

On March 14th, between 15:15:19 and 15:16:29, there were 575 requests from
the one IP address.  These were all different GET requests, nearly all
resulting in 404 errors.  Some appear to be WordPress URLs.  (The website
on my server is a Magento commerce site.)

Here are some other example requests from the attack:

   - GET /?_SERVER[DOCUMENT_ROOT]=http://google.com/humans.txt? HTTP/1.1
   - GET /?npage=1&content_dir=http://google.com/humans.txt%00&cmd=ls HTTP/1.1
   - GET /A-Blog/navigation/links.php?navigation_start=http://google.com/humans.txt? HTTP/1.1
   - GET /Administration/Includes/deleteUser.php?path_prefix=http://google.com/humans.txt HTTP/1.1
   - GET /BetaBlockModules//Module/Module.php?path_prefix=http://google.com/humans.txt HTTP/1.1
   - GET /admin/header.php?loc=http://google.com/humans.txt HTTP/1.1

I don't recognize most of these, but the pattern indicates to me that these
are most likely 'standard' URLs in various CMSs.

As for the server configuration, it is a dedicated server (only one
website) running on VMware ESXi 5.0.

   - CentOS 6.3
   - 8 virtual CPU cores (2 quad-core CPUs)
   - 4096 MB memory

Other VMs on the same host appeared to be unaffected by the attack.

Thanks,
~ j.
jwade at userfriendlytech.net
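
The two patterns described in this message (a burst of requests from one IP, and query parameters whose value is a remote URL) can be flagged from an access log as shown here. This is an added example, not part of the original post; it assumes Apache common/combined log format, and the 60-second window, the 100-request threshold, the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

# Start of an Apache common/combined log line: ip, [time], "request", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*" (\d{3})')

def is_rfi_probe(target):
    """True when a query parameter's value is itself a remote URL."""
    query = target.partition("?")[2]
    return any(value.lower().startswith(("http://", "https://", "ftp://"))
               for _, value in parse_qsl(query, keep_blank_values=True))

def scan(lines, window=timedelta(seconds=60), max_hits=100):
    """Per-IP summary; window and max_hits are assumed thresholds to tune."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    stats = defaultdict(lambda: {"peak": 0, "rfi": 0, "not_found": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not access-log entries
        ip, raw_ts, target, status = m.groups()
        ts = datetime.strptime(raw_ts, "%d/%b/%Y:%H:%M:%S %z")
        seen = recent[ip]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()        # drop requests older than the window
        s = stats[ip]
        s["peak"] = max(s["peak"], len(seen))
        s["rfi"] += is_rfi_probe(target)
        s["not_found"] += status == "404"
    return {ip: dict(s, burst=s["peak"] > max_hits) for ip, s in stats.items()}

def sample_log():
    """Constructed log: one flooding client, one scanner, one normal visitor."""
    t0 = datetime(2013, 3, 6, 4, 29, 11)
    def entry(ip, sec, path, status):
        when = (t0 + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S -0600")
        return f'{ip} - - [{when}] "GET {path} HTTP/1.1" {status} 512'
    lines = [entry("203.0.113.7", i // 10, "/some-page.html", 200) for i in range(300)]
    probes = ["/?_SERVER[DOCUMENT_ROOT]=http://google.com/humans.txt?",
              "/admin/header.php?loc=http://google.com/humans.txt", "/no-such-page"]
    lines += [entry("198.51.100.20", i, p, 404) for i, p in enumerate(probes)]
    lines.append(entry("192.0.2.15", 5, "/?q=http+headers", 200))
    return lines

if __name__ == "__main__":
    print(scan(sample_log()))
```

On a real log, pass the open file object to `scan()`; entries are expected in chronological order, as access logs are written.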