Bandwidth DDOS Attack
Posted by ~Ray @ 2007-12-09 13:29:57
The log files looked normal with visits up, so I wrote it off as paranoia. But by Monday I knew something was up. The bandwidth for the day was five times that of Sunday with only a 10% change in other visitors and page views.
A heavy analysis of the log files showed lots of traffic with variations of the following User-Agents: "Java/1.6.0_03", "Java/1.6.0_02", "Java/1.5.0_06", "Java/1.5.0_02", "Java/1.5.0_07". And about 30 other variations of these.
Searching through forums and blogs turned up nothing but information on e-mail harvesters, but all of the hits I was seeing were for the same small set of images and coming from an unbelievable number of IP addresses, all of them hitting on a low but regular basis.
I tried to spot a pattern to these IPs, but they were global and none that I tested were another web server, leading me to believe a large assortment of zombie PCs are loaded with DDOS software and a controller somewhere had sent them a list of images to transfer. None of the IPs showed up as ever visiting anywhere else on the site, only the small set of images.
So then I began to look for a way to stop them. Because the IPs were too varied to firewall, that was not an option. While the user agent was varied, it was quite possible to block them with 2 additional lines to my Rewrite rules.
Another option would have been using the SetEnvIfNoCase User-Agent ^$ bad_bot way, but the Rewrite way worked.
Now about 8 hours later the hit count continues at about the same rate, but they are just receiving a 403 Forbidden instead of a 100k image on each request.
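The log analysis described in the post (Java user agents, many IPs that request only images, and 403s once the block is in place) can be scripted. This is an added example, not the author's code; it assumes Apache combined log format, and the sample lines, IPs and paths are constructed.

```python
import re
from collections import defaultdict

# Assumes Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
JAVA_UA = re.compile(r"^Java/\d", re.IGNORECASE)  # Java/1.6.0_03, Java/1.5.0_06, ...
IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png")

# Constructed sample lines (documentation IPs, made-up paths), not the site's real logs.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Nov/2007:10:00:01 -0800] "GET /images/photo1.jpg HTTP/1.1" 200 102400 "-" "Java/1.6.0_03"
203.0.113.22 - - [05/Nov/2007:10:00:04 -0800] "GET /images/photo2.jpg HTTP/1.1" 200 102400 "-" "Java/1.5.0_06"
192.0.2.15 - - [05/Nov/2007:10:00:09 -0800] "GET /index.php HTTP/1.1" 200 20480 "-" "Mozilla/5.0 (Windows; U) Firefox/2.0.0.9"
192.0.2.15 - - [05/Nov/2007:10:00:10 -0800] "GET /images/photo1.jpg HTTP/1.1" 200 102400 "http://example.com/index.php" "Mozilla/5.0 (Windows; U) Firefox/2.0.0.9"
198.51.100.7 - - [05/Nov/2007:18:00:01 -0800] "GET /images/photo1.jpg HTTP/1.1" 403 218 "-" "Java/1.6.0_03"
203.0.113.22 - - [05/Nov/2007:18:00:04 -0800] "GET /images/photo2.jpg HTTP/1.1" 403 218 "-" "Java/1.5.0_06"
"""


def analyse(lines):
    """Return (image-only Java-agent IPs, bytes sent to Java agents per status)."""
    paths_by_ip = defaultdict(set)
    agents_by_ip = defaultdict(set)
    java_bytes_by_status = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        path = m["path"].split("?")[0].lower()
        paths_by_ip[m["ip"]].add(path)
        agents_by_ip[m["ip"]].add(m["ua"])
        if JAVA_UA.match(m["ua"]):
            size = 0 if m["size"] == "-" else int(m["size"])
            java_bytes_by_status[m["status"]] += size
    # Suspect: every request used a Java/x agent and every path was an image,
    # matching the "never visited anything else on the site" observation.
    suspects = sorted(
        ip for ip, paths in paths_by_ip.items()
        if all(JAVA_UA.match(ua) for ua in agents_by_ip[ip])
        and all(p.endswith(IMAGE_EXT) for p in paths)
    )
    return suspects, dict(java_bytes_by_status)


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG.splitlines()))
```

Comparing the byte totals for status 200 and 403 shows how much bandwidth the block saves even while the request count stays the same.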
[…] On Monday November 5th I realized we were undergoing a Denial of Service attack aimed at draining bandwidth. I believe it started rather weak in October but I began to notice the Kilobytes of traffic had grown far higher than it should based on other traffic statistics. See: Day 1 Analyzing and adjusting on day two: Day Two […]
Matt et al: Great job. Matt ! Been expecting something like this ever since we began to be heavily “invaded” by some whose Comments indicated very deep and disturbing animus vs open dialog to which they could find no presentable responses. Not being as sensitive to this as your high skills have made you via force of necessity reaction was confined to Comment or notes to Tim with some few indicators felt from previous sometimes painful similar encounters simply via printed-page experience…desire but great story from days with Loeb on DAILY NEWS in Burlington coming later. This to express personal/professional appreciation for yr ongoing great bring home the bacon and here special skilled sensitivity “making all the difference”. AND To recommend and endorse Tim’s ongoing and very difficult efforts to keep Comment-standard “alter dry and respectable”, either personal attack or diaper-reference yrfriendhankatlma
Related article:
http://designs.salem-news.com/2007/11/07/bandwidth-ddos-attack/