Anyone seeing a lot of these in their webserver logs?

208.202.180.4 - - [18/Sep/2001:11:19:31 -0700] "-" 408 -

I'm attempting to pattern match this on my cisco so I can drop the packets at the front door. I can't seem to get a good pattern. Firing up snoop yields:

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 262 arrived at 11:35:57.88
ETHER:  Packet size = 60 bytes
ETHER:  Destination = 8:0:20:9d:e1:8a, Sun
ETHER:  Source      = 0:1:96:24:c2:41,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 40 bytes
IP:   Identification = 19380
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 122 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 5ca8
IP:   Source address = 208.178.66.12, 208.178.66.12
IP:   Destination address = 208.178.117.2, Espresso.NEEBU.Net
IP:   No options
IP:
TCP:  ----- TCP Header -----
TCP:
TCP:  Source port = 3082
TCP:  Destination port = 80 (HTTP)
TCP:  Sequence number = 1100924065
TCP:  Acknowledgement number = 2712346555
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x10
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 0... = No push
TCP:        .... .0.. = No reset
TCP:        .... ..0. = No Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 8760
TCP:  Checksum = 0x6128
TCP:  Urgent pointer = 0
TCP:  No options
TCP:
HTTP: ----- HTTP: -----
HTTP:
HTTP: ""
HTTP:

           0: 0800 209d e18a 0001 9624 c241 0800 4500    .. ......$.A..E.
          16: 0028 4bb4 4000 7a06 5ca8 d0b2 420c d0b2    .(K.@.z.\...B...
          32: 7502 0c0a 0050 419e c4a1 a1ab 1fbb 5010    u....PA.......P.
          48: 2238 6128 0000 0000 0000 0000              "8a(........
-- /*====================[ Jake Khuon <khuon@GBLX.Net> ]======================+ | Chief Global Data Network Management Architect /~_ |_ () |3 /-\ |_ | | VOX: +1 (425) 391-2262 Fax: +1 (425) 391-6772 \_| C R O S S I N G | +=============[ 900 4th. Ave., Floor 12, Seattle, WA 98164 ]=============*/
On Tuesday, September 18, 2001, at 02:36 PM, Jake Khuon wrote:
Anyone seeing a lot of these in their webserver logs?
208.202.180.4 - - [18/Sep/2001:11:19:31 -0700] "-" 408 -
This machine is in my /8

-----
207.202.84.209 - - [18/Sep/2001:15:16:48 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:18:18 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:19:48 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:21:18 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:22:48 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:24:18 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:25:48 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:27:18 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:28:48 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:30:18 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:31:48 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:33:18 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:34:48 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:36:18 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:37:48 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:39:19 -0400] "-" 408 -
-----

Every minute and a half, on the money, weird.

-----
telnet 207.202.84.209 80
Trying 207.202.84.209...
Connected to 207.202.84.209.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Tue, 18 Sep 2001 20:05:15 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQGQGGBK=HCBJIPMDEMHKDLBPMKMDDOMN; path=/
Cache-control: private

Connection closed by foreign host.
------ What else....
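Two things from the messages above are worth making concrete. First, the snoop capture Jake posted has an IP total length of 40 bytes with a 20-byte IP header and a 20-byte TCP data offset, so the packet carries no payload at all: it is a bare ACK, and there is no HTTP content for an NBAR or other payload-matching rule to key on. The 408 is the server's own verdict after the client stays silent, which means the useful signal lives in the access log rather than on the wire. Second, Bill's observation that the entries arrive "every minute and a half, on the money" is itself a usable detection feature. The script below, added here as an example and not code from the thread, parses common-log lines, isolates empty-request 408 entries per source address, and flags sources whose entries recur at a steady cadence. The log lines it runs on are constructed for the example (TEST-NET addresses), in the same format as the ones quoted in the thread; the thresholds `min_hits` and `max_jitter` are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache common-log prefix: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample, mirroring the thread's "-" 408 entries (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:15:16:48 -0400] "-" 408 -',
    '192.0.2.10 - - [18/Sep/2001:15:18:18 -0400] "-" 408 -',
    '198.51.100.7 - - [18/Sep/2001:15:18:40 -0400] "GET /index.html HTTP/1.0" 200 1532',
    '192.0.2.10 - - [18/Sep/2001:15:19:48 -0400] "-" 408 -',
    '198.51.100.7 - - [18/Sep/2001:15:20:02 -0400] "-" 408 -',
    '192.0.2.10 - - [18/Sep/2001:15:21:18 -0400] "-" 408 -',
    'not a log line',
]


def parse_line(line):
    """Return a dict for a well-formed common-log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "req": m.group("req"), "status": int(m.group("status"))}


def empty_timeouts_by_source(lines):
    """Timestamps of 408 entries with an empty ("-") request line, grouped by source."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 408 and rec["req"] == "-":
            by_ip[rec["ip"]].append(rec["ts"])
    for ts_list in by_ip.values():
        ts_list.sort()
    return by_ip


def periodicity(timestamps):
    """(median gap in seconds, largest deviation from that median), or None if < 3 entries."""
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    med = median(gaps)
    return med, max(abs(g - med) for g in gaps)


def report(lines, min_hits=3, max_jitter=5.0):
    """Sources with at least min_hits empty-request 408s arriving at a steady cadence.

    A single 408 from a slow client is normal (RFC 2616 10.4.9); a source that
    times out again and again on a fixed schedule is what stands out.
    """
    findings = {}
    for ip, ts_list in empty_timeouts_by_source(lines).items():
        if len(ts_list) < min_hits:
            continue
        med, jitter = periodicity(ts_list)
        if jitter <= max_jitter:
            findings[ip] = {"hits": len(ts_list), "period_s": med}
    return findings


if __name__ == "__main__":
    for ip, info in report(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} empty-request 408s, every {info['period_s']:.0f}s")
```

Run against the constructed sample, only 192.0.2.10 is reported (four entries, 90 seconds apart); the single 408 from 198.51.100.7 is ignored as ordinary timeout noise. Feeding the real access log through `report()` gives a list of sources to rate-limit or block at the router by address, which is the control Jake actually has, since there is no payload pattern to match.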
* Bill McGonigle (mcgonigle@medicalmedia.com) [09/18/01 15:43]:
On Tuesday, September 18, 2001, at 02:36 PM, Jake Khuon wrote:
Anyone seeing a lot of these in their webserver logs?
208.202.180.4 - - [18/Sep/2001:11:19:31 -0700] "-" 408 -
This machine is in my /8
-----
207.202.84.209 - - [18/Sep/2001:15:16:48 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:18:18 -0400] "-" 408 -
207.202.84.209 - - [18/Sep/2001:15:19:48 -0400] "-" 408 -

Doesn't seem new...

195.188.192.18 - - [13/Sep/1999:02:23:43 -0500] "-" 408 - "-" "-"
195.188.192.18 - - [14/Sep/1999:02:18:54 -0500] "-" 408 - "-" "-"

But just a little more increased.
### On Tue, 18 Sep 2001 17:03:44 -0500, mike@biggorilla.com casually decided
### to expound upon Bill McGonigle <mcgonigle@medicalmedia.com> the
### following thoughts about "Re: Pattern matching odd HTTP request":

m> * Bill McGonigle (mcgonigle@medicalmedia.com) [09/18/01 15:43]:
m> >
m> > On Tuesday, September 18, 2001, at 02:36 PM, Jake Khuon wrote:
m> > >
m> > > Anyone seeing a lot of these in their webserver logs?
m> > >
m> > > 208.202.180.4 - - [18/Sep/2001:11:19:31 -0700] "-" 408 -
m> >
m> > This machine is in my /8
m> >
m> > -----
m> > 207.202.84.209 - - [18/Sep/2001:15:16:48 -0400] "-" 408 -
m> > 207.202.84.209 - - [18/Sep/2001:15:18:18 -0400] "-" 408 -
m> > 207.202.84.209 - - [18/Sep/2001:15:19:48 -0400] "-" 408 -
m>
m> Doesn't seem new...
m>
m> 195.188.192.18 - - [13/Sep/1999:02:23:43 -0500] "-" 408 - "-" "-"
m> 195.188.192.18 - - [14/Sep/1999:02:18:54 -0500] "-" 408 - "-" "-"
m>
m> But just a little more increased.

Yeah. I was trying to figure out a way to match it in my NBAR filters but I can't seem to find a pattern that works.
mike@biggorilla.com(mike@biggorilla.com)@2001.09.18 17:03:44 +0000: [...]
Doesn't seem new...
195.188.192.18 - - [13/Sep/1999:02:23:43 -0500] "-" 408 - "-" "-"
195.188.192.18 - - [14/Sep/1999:02:18:54 -0500] "-" 408 - "-" "-"
But just a little more increased.
--- rfc2616 - http 1.1:
10.4.9 408 Request Timeout

The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time.
---

take care,
/k
--
Coders do it with a routine. KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46 Please do not remove my address from To: and Cc: fields in mailing lists. 10x
### On Wed, 19 Sep 2001 00:20:19 +0200, "Karsten W. Rohrbach"
### <karsten@rohrbach.de> casually decided to expound upon
### mike@biggorilla.com the following thoughts about "Re: Pattern matching
### odd HTTP request":

KWR> mike@biggorilla.com(mike@biggorilla.com)@2001.09.18 17:03:44 +0000:
KWR> [...]
KWR> > Doesn't seem new...
KWR> >
KWR> > 195.188.192.18 - - [13/Sep/1999:02:23:43 -0500] "-" 408 - "-" "-"
KWR> > 195.188.192.18 - - [14/Sep/1999:02:18:54 -0500] "-" 408 - "-" "-"
KWR> >
KWR> > But just a little more increased.
KWR>
KWR> --- rfc2616 - http 1.1:
KWR> 10.4.9 408 Request Timeout
KWR>
KWR> The client did not produce a request within the time that the server
KWR> was prepared to wait. The client MAY repeat the request without
KWR> modifications at any later time.
KWR> ---
KWR>
KWR> take care,

Yes... but when you're seeing this:

...
208.178.31.134 - - [18/Sep/2001:15:22:21 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:22:23 -0700] "-" 408 -
208.178.47.36 - - [18/Sep/2001:15:23:19 -0700] "-" 408 -
208.178.144.36 - - [18/Sep/2001:15:23:30 -0700] "-" 408 -
208.178.120.13 - - [18/Sep/2001:15:23:37 -0700] "-" 408 -
208.178.31.138 - - [18/Sep/2001:15:23:42 -0700] "-" 408 -
208.35.212.156 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
208.178.31.134 - - [18/Sep/2001:15:23:51 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:23:52 -0700] "-" 408 -
208.178.47.36 - - [18/Sep/2001:15:24:49 -0700] "-" 408 -
208.178.144.36 - - [18/Sep/2001:15:25:00 -0700] "-" 408 -
208.178.120.13 - - [18/Sep/2001:15:25:07 -0700] "-" 408 -
208.178.31.138 - - [18/Sep/2001:15:25:12 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:25:18 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:25:19 -0700] "-" 408 -
208.35.212.156 - - [18/Sep/2001:15:25:20 -0700] "-" 408 -
208.178.31.134 - - [18/Sep/2001:15:25:22 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:25:23 -0700] "-" 408 -
208.178.47.36 - - [18/Sep/2001:15:26:19 -0700] "-" 408 -
208.178.120.13 - - [18/Sep/2001:15:26:37 -0700] "-" 408 -
...

You start to suspect a DDOS port-flood attack. It's certainly causing me to spawn a lot of httpds and occupying a lot of ports.
On Tuesday, September 18, 2001, at 06:30 PM, Jake Khuon wrote:
You start to suspect a DDOS port-flood attack. It's certainly causing me to spawn a lot of httpds and occupying a lot of ports.
This isn't good. I wrote a bit of test code to see what would happen if I had a lot of timeouts:

#-----
use strict;
use Net::Telnet;

my $num_open = 400;

# Open one connection per recursion level and never send a request.  Each
# handle lives in its own stack frame, so all of them stay open at once
# until the innermost call finishes sleeping and the stack unwinds.
sub doConnect {
    my $telnet_handle = Net::Telnet->new(Port => '80');
    $telnet_handle->open("localhost");
    if ($num_open > 0) {
        print "$num_open...";
        $num_open--;
        doConnect();
    } else {
        sleep(20);    # hold every connection open, then let them all drop
    }
}

doConnect();
print "\n";
#-----

On Apache 1.3, this brings the number of httpd processes up to MaxClients, then each one waits 300 seconds (the default timeout) for the connections to time out, at which point the other connections are made, and the cycle continues. A DDOS of this nature would be particularly nasty. One client (happened to be on localhost) tied up the server for 6 minutes this way with the default Apache config.

Here's what the logfile for these attempts looks like:

127.0.0.1 - - [18/Sep/2001:18:43:06 -0400] "-" 408 -

Doh!

-----
Bill McGonigle
Research & Development
Medical Media Systems, Inc.
http://www.medicalmedia.com
+1.603.298.5509x329
Bill McGonigle(mcgonigle@medicalmedia.com)@2001.09.18 18:58:42 +0000:
On Tuesday, September 18, 2001, at 06:30 PM, Jake Khuon wrote:
You start to suspect a DDOS port-flood attack. It's certainly causing me to spawn a lot of httpds and occupying a lot of ports.
[...]
On Apache 1.3, this brings the number of httpd processes up to MaxClients, then each one waits 300 seconds (the default timeout) for the connections to time out, at which point the other connections are made, and the cycle continues. A DDOS of this nature would be particularly nasty. One client (happened to be on localhost) tied up the server for 6 minutes this way with the default Apache config.
Indeed, that's nasty. The quick fix action would be setting Timeout 5 in the httpd.conf, but this won't really fix the problem and will make the objects inaccessible for users with high latency links. Source IP based connection rate limiting would perhaps solve the problem. Are there any modules available out there to accomplish this task?
Here's what the logfile for these attempts looks like:
127.0.0.1 - - [18/Sep/2001:18:43:06 -0400] "-" 408 -
Doh!
Yup, I see them from time to time in some of my servers' logs, but not at that rate Jake reported. I cc'ed Brian from the Apache project, perhaps they got some solution for this...

/k
--
Date: Tue, 18 Sep 2001 18:58:42 -0400 From: Bill McGonigle <mcgonigle@medicalmedia.com>
[ snip ]
On Apache 1.3, this brings the number of httpd processes up to
[ snip ]

Jake, what server OS? Iff FreeBSD >= 4.0, check out the man page for accf_http(9). Consider hacking Ap to use it... accept(2) won't even see the connection until the socket is valid. I don't know what the timeout is, but that'll help prevent Ap from forking just to generate 408s.

Disclaimer: I've not used accf_http on Ap. It seems to work well on some R&D work that I've done, although I've not tested the stock accf_http extensively.

Eddy
---------------------------------------------------------------------------
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
---------------------------------------------------------------------------
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
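The three positions in the thread, Bill's measurement of a prefork server running out of MaxClients slots, Karsten's two candidate mitigations (a short Timeout versus per-source connection limiting) and Eddy's accept-filter suggestion, can be compared in a small worker-slot model. This is an added example written for this page, not code from the thread and not Apache's own logic. It assumes MaxClients 150 as the stock Apache 1.3 value (the thread only states the 300-second Timeout), treats the per-source cap as a hypothetical feature Apache 1.3 does not ship, models accf_http only as "an idle connection never reaches accept(2) and so never costs a worker", and uses constructed TEST-NET addresses. It also takes the worst case that the idle connections reach the accept queue ahead of the legitimate client in every second.

```python
from collections import Counter


class Server:
    """Worker-slot model of a prefork httpd such as Apache 1.3: every accepted
    connection holds one of max_clients slots until its request completes or
    Timeout expires. Simplified model for this page, not Apache's code."""

    def __init__(self, max_clients=150, timeout=300,
                 per_source_limit=None, accept_filter=False):
        self.max_clients = max_clients            # MaxClients; 150 assumed as the stock value
        self.timeout = timeout                    # Timeout in seconds; 300 is the default the thread cites
        self.per_source_limit = per_source_limit  # hypothetical per-IP cap (not in Apache 1.3)
        self.accept_filter = accept_filter        # accf_http-style: no worker until a request arrives
        self.slots = []                           # (expiry_second, source_ip) per held slot
        self.held = Counter()                     # slots currently held per source address

    def expire(self, now):
        """Release slots whose hold is over; return the sources that were released."""
        released = [ip for exp, ip in self.slots if exp <= now]
        self.slots = [(exp, ip) for exp, ip in self.slots if exp > now]
        for ip in released:
            self.held[ip] -= 1
        return released

    def accept(self, now, ip, hold):
        """Try to give a connection a worker slot for `hold` seconds."""
        if self.per_source_limit is not None and self.held[ip] >= self.per_source_limit:
            return False
        if len(self.slots) >= self.max_clients:
            return False
        self.slots.append((now + hold, ip))
        self.held[ip] += 1
        return True


def simulate(server, n_idle, n_sources=1, persistent=False, horizon=900):
    """Open n_idle connections at t=0 that never send a request (Bill's test),
    spread over n_sources constructed addresses, while one legitimate client
    makes a 1-second request every second. Refused idle connections retry each
    second; with persistent=True they are also reopened once the server times
    them out. Returns (seconds in which the legitimate client was refused,
    last such second or None)."""
    attackers = [f"203.0.113.{i}" for i in range(1, n_sources + 1)]  # constructed (TEST-NET-3)
    legit = "192.0.2.50"                                            # constructed (TEST-NET-1)
    pending = [attackers[i % n_sources] for i in range(n_idle)]
    refused, last_refused = 0, None
    for now in range(horizon):
        released = server.expire(now)
        if persistent:
            pending.extend(ip for ip in released if ip != legit)
        if server.accept_filter:
            # the kernel keeps the connection until a complete request has arrived,
            # so an idle connection never reaches accept(2) and never costs a worker
            pending = []
        else:
            # worst case: idle connections reach accept() before the legitimate client
            pending = [ip for ip in pending if not server.accept(now, ip, server.timeout)]
        if not server.accept(now, legit, 1):
            refused += 1
            last_refused = now
    return refused, last_refused


if __name__ == "__main__":
    scenarios = [
        ("Timeout 300 (default), 400 one-shot idle connections", Server(), {}),
        ("Timeout 5, 400 one-shot idle connections", Server(timeout=5), {}),
        ("Timeout 5, idle connections reopened as they expire",
         Server(timeout=5), {"persistent": True}),
        ("Timeout 5 + per-source cap 10, 4 sources, reopened",
         Server(timeout=5, per_source_limit=10), {"n_sources": 4, "persistent": True}),
        ("accept filter, reopened", Server(accept_filter=True), {"persistent": True}),
    ]
    for label, srv, kw in scenarios:
        refused, last = simulate(srv, 400, **kw)
        print(f"{label}: legitimate client refused in {refused} s, last at t={last}")
```

With Bill's 400 one-shot connections the default server refuses every legitimate request for 600 seconds (two full Timeout rounds until fewer than 150 idle connections remain). Timeout 5 shrinks that to 10 seconds, but as soon as the idle connections are reopened when they expire, Timeout 5 alone leaves the legitimate client starved for the whole run, which is Karsten's point that a short Timeout does not really fix the problem and only costs slow clients. A per-source cap keeps slots free even against the persistent variant, and so does Eddy's accept filter, because in that model an idle connection never occupies a worker in the first place. The numbers are properties of the model, not measurements; Bill's 6 minutes came from his own configuration.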