LinuxQuestions.org
Mandriva This Forum is for the discussion of Mandriva (Mandrake) Linux.
Old 11-07-2004, 09:18 PM   #1
rknoesel
LQ Newbie
 
Registered: Jul 2004
Posts: 5

Rep: Reputation: 0
Help! (I'm getting flooded with http requests)


I have no idea whom to turn to for help anymore. I hope someone here reads this and can give me some advice. Here's the problem:

I've noticed in the last few days that my DSL connection has been getting severely bogged down. I quickly determined that I'm getting flooded with http requests from all over the place... check out the size of my access_log:

-rw------- 1 root root 243753443 Nov 5 14:41 access_log
-rw------- 1 root root 55772734 Nov 1 04:02 access_log.1
-rw------- 1 root root 2694673 Oct 1 01:01 access_log.2
-rw------- 1 root root 1057728 Sep 1 00:06 access_log.3
-rw------- 1 root root 1052680 Jul 31 22:35 access_log.4
-rw------- 1 root root 204491 Jun 30 23:52 access_log.5

Notice how in the first 5 days of November, it had already grown to 243 Megs! Also, the number of httpd2 processes running was maxed (150).

I'm running Mandrake 9.2, with Apache as the web server. Shoot... this forum won't let me post a snippet of the access_log, because I don't have 5 posts yet, and thanks to the spammers I can't post URLs. Hmmpf. Well, I posted a tiny example snippet below, with the URLs removed.

I really hope that someone can help me out with this, I've had to block http requests from the net with my firewall so that I can use my connection.

Needless to say, I would greatly appreciate any advice!

Thanks!



217.255.160.80 - - [01/Nov/2004:04:11:43 -0800] "GET <some random URL here> HTTP/1.0" 302 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 
Old 11-08-2004, 05:28 AM   #2
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
Welcome to the world of Viruses, DOS attacks and Worms.

Have you checked to see if the hits are coming from a special block of IP's?

If so you can block them via /etc/hosts.deny

You could also lower the number of simultaneous connections allowed.

You also may want to watch your traffic with iptraf to see if you are getting hit by a group of machines local to your network or ISP.

I've seen one infected server on an ISP's subnet do something very similar to the above. This ISP (Comcast in our area) was hosting local web sites for business customers off their subnet instead of isolating the web servers.

It resulted in a flood condition which took down their e-mail and DNS servers as well.
 
Old 11-08-2004, 06:36 AM   #3
equinox
Member
 
Registered: Dec 2003
Location: Johannesburg, South Africa
Posts: 846

Rep: Reputation: 30
You may also run the command "netstat" from a terminal to see current connections / ports / services. Hope that helps.
 
Old 11-08-2004, 04:42 PM   #4
rknoesel
LQ Newbie
 
Registered: Jul 2004
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks for the information, guys. I used both netstat and iptraf to determine that the traffic was coming from all over the place; there was no obvious pattern in the IPs.

But I found what the problem was: Turns out that my vanilla default installation of Mandrake 9.2 had apache enabled as a proxy server. I suspect that some script kiddies found my open http proxy and my IP was added to a list to be abused by spammers/redirecters/etc.

I ended up using thttpd instead of apache, since it seems a bit more efficient and robust. It also has proxy disabled by default. So now in my thttpd.log file, I see a lot of these messages:


201.6.20.24 - - [08/Nov/2004:14:35:58 -0800] "UNKNOWN /localhost HTTP/1.0" 400 0 "" ""
218.146.114.71 - - [08/Nov/2004:14:36:01 -0800] "UNKNOWN /localhost HTTP/0.9" 400 0 "" ""
82.197.199.204 - - [08/Nov/2004:14:36:02 -0800] "UNKNOWN /localhost HTTP/1.0" 400 0 "" ""
82.197.202.216 - - [08/Nov/2004:14:36:03 -0800] "UNKNOWN /localhost HTTP/1.0" 400 0 "" ""
64.182.1.198 - - [08/Nov/2004:14:36:07 -0800] "UNKNOWN /localhost HTTP/1.0" 400 0 "" ""
12.146.177.190 - - [08/Nov/2004:14:36:18 -0800] "UNKNOWN /localhost HTTP/1.0" 400 0 "" ""
217.225.231.198 - - [08/Nov/2004:14:36:21 -0800] "UNKNOWN /localhost HTTP/1.0" 400 0 "" ""


This indicates to me that all these requests are being denied. Also, my pages are serving fine now, since things are under control again.

Anyway, I'm thinking/hoping that within the week these requests will disappear.

Thanks again,

RK
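Added example, not from rknoesel or anyone else in this thread: a small POSIX shell script that applies opjose's "is it one block of IPs?" check and the per-day request count to a combined-format access log, and additionally flags the request shapes that only a forward proxy would serve (an absolute http:// target, or a CONNECT method), which is the signature of the open-proxy abuse found above. The log lines are constructed (documentation-range addresses), and the awk field positions assume Apache's combined log format exactly as the lines quoted in this thread are laid out.

```shell
#!/bin/sh
# Added example: triage an Apache combined-format access log for open-proxy abuse.
# Assumed line layout (as in the thread):
#   IP - - [dd/Mon/yyyy:HH:MM:SS zone] "METHOD TARGET HTTP/x.y" status bytes "ref" "ua"
# A normal web server only ever sees origin-form targets such as /index.html.
# A target that is a full http://host/... URL, or a CONNECT method, is a request
# that only a forward proxy would honour, so its presence is the tell-tale.

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [05/Nov/2004:04:11:43 -0800] "GET http://mail.example.net/cgi-bin/send HTTP/1.0" 302 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
203.0.113.9 - - [05/Nov/2004:04:11:44 -0800] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Nov/2004:04:11:45 -0800] "CONNECT smtp.example.org:25 HTTP/1.0" 200 0 "-" "-"
192.0.2.44 - - [05/Nov/2004:04:12:01 -0800] "GET http://www.example.com/ HTTP/1.0" 302 298 "-" "-"
203.0.113.9 - - [06/Nov/2004:09:00:00 -0800] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Nov/2004:09:00:02 -0800] "GET http://www.example.com/ HTTP/1.0" 302 298 "-" "-"
EOF

# Print only the lines that look like forward-proxy requests.
proxy_requests() {
    awk '{
        method = $6; target = $7          # $6 is "\"GET", $7 the request target
        sub(/^"/, "", method)             # strip the opening quote
        if (method == "CONNECT" || target ~ "^https?://") print
    }' "$1"
}

# Requests per calendar day, in the order the days appear in the log
# (the metric rknoesel tracked while the traffic tailed off).
requests_per_day() {
    awk '{
        split($4, t, ":")                 # $4 looks like [05/Nov/2004:04:11:43
        day = substr(t[1], 2)             # drop the leading "["
        if (!(day in n)) order[++k] = day
        n[day]++
    }
    END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }' "$1"
}

# Proxy-style requests per source IP, busiest first. If the top of this list
# shares a prefix you have a block to put in hosts.deny; if it is spread
# everywhere, as in the thread, the server itself is what has to change.
proxy_requests_by_ip() {
    proxy_requests "$1" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Number of proxy-style lines in the log (used by the checks below).
proxy_request_count() {
    proxy_requests "$1" | wc -l | tr -d ' '
}

echo "== proxy-style requests per source IP =="
proxy_requests_by_ip "$SAMPLE_LOG"
echo "== all requests per day =="
requests_per_day "$SAMPLE_LOG"
```

Point it at a real log with `proxy_requests /var/log/httpd/access_log | head` (path assumed; use wherever your distribution writes the access log). Any non-zero count of proxy-style requests on a server that is not meant to proxy is worth acting on, whatever the source addresses look like.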
 
Old 11-08-2004, 06:43 PM   #5
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
9.2 never installed a proxy by default!!!!

I deployed quite a number of 9.2 machines as servers and routers and this would have bit me in the face to no end.

You could have also merely uninstalled the proxy mod.

First find it by

rpm -qa | grep proxy

rpm -qa | grep mod

Run this and see what you have installed!

I'm not familiar with thttpd, but I would venture to say that the message you posted does not necessarily indicate a denial.

You may want to check if your machine is making OUTBOUND (new) connection attempts as an inbound one comes in.

If it does, you still haven't eliminated the problem.
 
Old 11-14-2004, 02:17 PM   #6
rknoesel
LQ Newbie
 
Registered: Jul 2004
Posts: 5

Original Poster
Rep: Reputation: 0
Hmmm... strange. I never touched any proxy settings, but when I looked at

/etc/httpd/conf.d/30_mod_proxy.conf

it contains:

<------------begin cut------------->

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#

ProxyRequests On

<------------end cut------------->


I hope you're right, that it's not on by default. Then again, this would mean that my system has been compromised at some point.

Anyway, I did a Google search of my IP, and it came up with a bunch of anonymous proxy lists, some of which still had my IP on them (even though I shut it down a week ago).

Also, since I've shut it down, my traffic has steadily decreased:

12/Nov/2004 : 15371
11/Nov/2004 : 20056
10/Nov/2004 : 25740
09/Nov/2004 : 37073

I estimate that Nov 5th, when I first saw a problem, I was serving well over 100,000 pages.

Thanks again for helping,

R
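Added example, not from the thread or from Mandrake's packaging: a shell audit for the setting rknoesel found, an uncommented ProxyRequests On in any .conf file under the httpd conf.d directory, together with a remediation that flips it to Off. The conf.d tree below is a constructed copy of the fragment quoted above, written to a temporary directory so the script runs offline; the directory argument is a parameter (the thread gives /etc/httpd/conf.d for Mandrake 9.2). The Apache 2.0 <Proxy *> stanza in the comment is the standard way to refuse forward-proxy use even when the mod_proxy package has to stay installed as a dependency.

```shell
#!/bin/sh
# Added example: find and disable an active forward proxy in Apache conf fragments.

# Constructed sample conf.d tree modelled on the file quoted in the thread.
CONF_DIR=$(mktemp -d)
trap 'rm -rf "$CONF_DIR"' EXIT
cat >"$CONF_DIR/30_mod_proxy.conf" <<'EOF'
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#

ProxyRequests On
EOF
cat >"$CONF_DIR/00_default.conf" <<'EOF'
# ProxyRequests On   (commented out, so harmless)
Listen 80
EOF

# Report every uncommented "ProxyRequests On" in DIR/*.conf as file:line:text.
# Exit status 0 means an active forward proxy was found, 1 means none.
# Apache directives are case-insensitive, hence grep -i.
open_proxy_enabled() {
    grep -n -i -E '^[[:space:]]*ProxyRequests[[:space:]]+On([[:space:]]|$)' "$1"/*.conf
}

# Flip the directive to Off in FILE (portable sed: temp copy, then move).
# The line is kept rather than deleted so the next audit still sees the intent.
disable_proxy_requests() {
    f=$1
    sed -E 's/^([[:space:]]*[Pp]roxy[Rr]equests[[:space:]]+)[Oo][Nn]([[:space:]]*)$/\1Off\2/' "$f" >"$f.tmp" \
        && mv "$f.tmp" "$f"
}

# What a hardened fragment looks like in Apache 2.0 syntax (for reference only;
# this script does not write it):
#   ProxyRequests Off
#   <Proxy *>
#       Order deny,allow
#       Deny from all
#   </Proxy>
# With ProxyRequests Off the server still serves its own pages; it just stops
# fetching other people's URLs on behalf of whoever asks.

echo "Before:"
open_proxy_enabled "$CONF_DIR" || echo "no active ProxyRequests On"
disable_proxy_requests "$CONF_DIR/30_mod_proxy.conf"
echo "After:"
open_proxy_enabled "$CONF_DIR" || echo "no active ProxyRequests On"
```

Run the audit against the live tree with `open_proxy_enabled /etc/httpd/conf.d` before and after any package update, since, as opjose notes, the module can arrive as a dependency without anyone choosing it.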
 
Old 11-14-2004, 05:57 PM   #7
opjose
Senior Member
 
Registered: Sep 2004
Location: Outlying D.C.
Distribution: Mandriva
Posts: 2,090

Rep: Reputation: 46
No problem.

Remember though that the proxy may have been automatically installed as part of another package requirement.
 