lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20060827171125.5e1a0a60.largret@gmail.com>
Date:	Sun, 27 Aug 2006 17:11:25 -0700
From:	Chris Largret <largret@...il.com>
To:	altendew <andrew@...ftcode.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: Server Attack


I'm going to go ahead and top-post on this (sorry). There has to be a limited number of computers these requests are coming from since the requests are coming over TCP. I'd write a quick script to grab the ip addresses and block them at the firewall level. Maybe something like this:

tail -f /var/log/apache/access_log|grep AppleWebKit|cut '-d ' -f 1|xargs /sbin/iptables -A INPUT -p tcp -j DROP -s

I haven't tested it (don't have a problem on my current server), but it _should_ follow the Apache requests, grab the IP addresses of users with a UserAgent of AppleWebKit and drop all TCP packets from the IP address until you reset your firewall.

~ Chris Largret


On Sun, 27 Aug 2006 14:58:37 -0700 (PDT)
altendew <andrew@...ftcode.com> wrote:

> 
> Hi someone is currently sending requests to our server 20x a second.
> 
> Here is what one of the logs look like.
> 
> [CODE]
> Host: 84.77.19.46   /signUp.php?ref=1945777  
>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; MTQ; PPC Mac OS X; en-US) AppleWebKit/578.4
> (KHTML, like Geco, Safari) OmniWeb/v643.68e=C:  
> 
> Host: 82.234.98.65   /signUp.php?ref=ec0lag  
>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; CDB; PPC Mac OS X; en-US) AppleWebKit/126.0
> (KHTML, like Geco, Safari) OmniWeb/v554.35  
> 
> Host: 84.94.31.161   /signUp.php?ref=ec0lag  
>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; TLD; PPC Mac OS X; en-US) AppleWebKit/502.6
> (KHTML, like Geco, Safari) OmniWeb/v401.63ive=C:  
> 
> Host: 81.49.24.92   /signUp.php?ref=1945777  
>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; SZS; PPC Mac OS X; en-US) AppleWebKit/230.1
> (KHTML, like Geco, Safari) OmniWeb/v710.56ive=C:  
> 
> Host: 80.129.248.17   /signUp.php?ref=1945777  
>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; OST; PPC Mac OS X; en-US) AppleWebKit/243.6
> (KHTML, like Geco, Safari) OmniWeb/v846.88  
> 
> Host: 87.235.49.194   /signUp.php?ref=ec0lag  
>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.1  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; SDD; PPC Mac OS X; en-US) AppleWebKit/430.1
> (KHTML, like Geco, Safari) OmniWeb/v145.34  
> 
> Host: 125.129.12.61   /signUp.php?ref=1945777  
>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; WCG; PPC Mac OS X; en-US) AppleWebKit/455.3
> (KHTML, like Geco, Safari) OmniWeb/v042.84stemDrive=\x81  
> 
> Host: 66.110.153.47   /signUp.php?ref=ec0lag  
>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; ZAM; PPC Mac OS X; en-US) AppleWebKit/387.2
> (KHTML, like Geco, Safari) OmniWeb/v456.02ve=C:  
> 
> Host: 62.2.177.250   /signUp.php?ref=ec0lag  
>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; LMZ; PPC Mac OS X; en-US) AppleWebKit/206.1
> (KHTML, like Geco, Safari) OmniWeb/v204.07es  
> 
> Host: 200.115.226.143   /signUp.php?ref=1945777  
>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.1  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; EDE; PPC Mac OS X; en-US) AppleWebKit/647.0
> (KHTML, like Geco, Safari) OmniWeb/v760.47emDrive=C:\x81  
> 
> Host: 84.171.125.189   /signUp.php?ref=1945777  
>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.0  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; QHA; PPC Mac OS X; en-US) AppleWebKit/778.0
> (KHTML, like Geco, Safari) OmniWeb/v456.03=C:  
> 
> Host: 83.242.79.70   /signUp.php?ref=1945777  
>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.0  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; GFS; PPC Mac OS X; en-US) AppleWebKit/537.0
> (KHTML, like Geco, Safari) OmniWeb/v313.01rive=C:  
> 
> Host: 86.69.194.172   /signUp.php?ref=ec0lag  
>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.0  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; ZCV; PPC Mac OS X; en-US) AppleWebKit/468.2
> (KHTML, like Geco, Safari) OmniWeb/v026.14stemDrive=\x81  
> 
> Host: 196.203.176.26   /signUp.php?ref=ec0lag  
>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.1  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; BXT; PPC Mac OS X; en-US) AppleWebKit/840.3
> (KHTML, like Geco, Safari) OmniWeb/v767.50s  
> 
> Host: 201.41.241.190   /signUp.php?ref=1945777  
>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.0  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0 (Macintosh; TYZ; PPC Mac OS X; en-US) AppleWebKit/742.0
> (KHTML, like Geco, Safari) OmniWeb/v715.65C:  
> 
> Host: 200.84.144.234   /signUp.php?ref=ec0lag  
>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.1  Size in
> Bytes: -  
>   Referer: -  
>   Agent: Mozilla/5.0  
> [/CODE]
> 
> We are currently blocking this user through our Apache.
> 
> .htaccess
> [CODE]
> RewriteEngine On 
> RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Macintosh;\ (.+)\ PPC\ Mac\
> OS\ X;\ en-US\)\ AppleWebKit/(.+)\ \(KHTML,\ like\ Geco,\ Safari\)\
> OmniWeb/v([0-9]+).([0-9]+)(.+)$
> RewriteRule .* - [F]
> [/CODE]
> 
> That works fine and is giving the user a 403 (Forbidden), but the problem is
> that half of our Apache processes are from this user.
> 
> Is there a way to block his user agent before he gets to Apache? Sometimes
> this brings our server to a crash.
> 
> Thanks
> Andrew
> -- 
> View this message in context: http://www.nabble.com/Server-Attack-tf2174025.html#a6011508
> Sent from the linux-kernel forum at Nabble.com.
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/


-- 
Chris Largret <http://www.largret.com>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ