Old 10-17-2005, 07:45 PM   #1
LQ?
LQ Newbie
 
Registered: Jan 2005
Posts: 13

Rep: Reputation: 0
attacker on same subnet?


Should I be concerned if I get a lot of hits from different IPs to my webserver that seem to come from the same subnet as myself (i.e. the first half of the offender IP is the same as mine)? The server is just for my personal use, not enterprise, and I don't have a registered domain. The 'attack' seems pretty trivial and I have already taken steps to minimize their damage, but is this caused by something misconfigured on my end, or has someone else from my ISP been compromised, or neither?
 
Old 10-17-2005, 10:09 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Is the IP actually part of your network or is this just a similar IP from the same subnet of your ISP?

Second, could you give us an example of the attack (like some packet captures using tcpdump or relevant log messages)?
 
Old 10-17-2005, 11:04 PM   #3
LQ?
LQ Newbie
 
Registered: Jan 2005
Posts: 13

Original Poster
Rep: Reputation: 0
Yes, it's a similar IP from the same subnet of my ISP.

I don't have a tcpdump; here are some relevant log entries:

Code:
206.74.190.67 - - [14/Oct/2005:12:26:14 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.67 - - [14/Oct/2005:12:29:09 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.67 - - [14/Oct/2005:13:22:00 -0400] "GET / HTTP/1.0" 200 1154
206.74.88.101 - - [14/Oct/2005:13:58:59 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.67 - - [14/Oct/2005:14:32:07 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.67 - - [14/Oct/2005:14:48:00 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.67 - - [14/Oct/2005:17:31:36 -0400] "GET / HTTP/1.0" 503 316
206.74.89.115 - - [15/Oct/2005:22:56:46 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.197 - - [16/Oct/2005:11:58:18 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.197 - - [16/Oct/2005:14:03:06 -0400] "GET / HTTP/1.0" 200 1154
206.74.88.41 - - [16/Oct/2005:15:50:34 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.197 - - [16/Oct/2005:16:16:40 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.197 - - [16/Oct/2005:17:13:39 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.197 - - [16/Oct/2005:17:53:06 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.197 - - [16/Oct/2005:17:53:54 -0400] "GET / HTTP/1.0" 503 316
206.74.91.212 - - [16/Oct/2005:23:54:48 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.189 - - [16/Oct/2005:23:57:06 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.189 - - [17/Oct/2005:06:45:45 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.189 - - [17/Oct/2005:06:57:56 -0400] "GET / HTTP/1.0" 200 1154
It had been worse. The 503 messages are where the IP gets blocked. Trust me, there's nothing on my server that is that interesting...
 
Old 10-18-2005, 02:54 PM   #4
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
Depending on what your webserver is and how it is set up, you may or may not be concerned.

There is quite a lot of stuff hitting random webservers nowadays, from the internet crawlers to an insane amount of worms as well as proxy hunters. However, if that is all you have in your logs it doesn't look too bad, as it is very low intensity and they are only normal GET requests. Usually bots use HEAD and viruses try using things that we don't have. It actually looks like someone is just snooping around and looking at your webpage with a wget or something, or your front page doesn't have any pictures in it. He only gets the main HTML file, which is a bit odd.
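The checks the thread talks through (same /16 prefix as your own address, how often each source returns, the 503 lines marking a block, and Krugger's "only ever fetches /" observation) can be run over the access log directly. The following is an added example, not code from the thread or from any poster; the server address 206.74.0.1 is an assumed placeholder for the poster's own IP, and the last two log lines are constructed to exercise the other branches.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Sample log: four lines taken from the thread's "Code:" block plus two
# constructed lines (RFC 5737 documentation range) imitating a browser visit.
SAMPLE_LOG = """\
206.74.190.67 - - [14/Oct/2005:12:26:14 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.67 - - [14/Oct/2005:12:29:09 -0400] "GET / HTTP/1.0" 200 1154
206.74.88.101 - - [14/Oct/2005:13:58:59 -0400] "GET / HTTP/1.0" 200 1154
206.74.190.67 - - [14/Oct/2005:17:31:36 -0400] "GET / HTTP/1.0" 503 316
198.51.100.7 - - [15/Oct/2005:09:00:00 -0400] "GET / HTTP/1.1" 200 1154
198.51.100.7 - - [15/Oct/2005:09:00:01 -0400] "GET /logo.png HTTP/1.1" 200 4312
"""

# Apache "common" log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(entries, server_ip, prefix_len=16):
    """Per-source stats, plus whether the source shares the server's /prefix_len."""
    net = ip_network(f"{server_ip}/{prefix_len}", strict=False)
    stats = defaultdict(lambda: {"hits": 0, "blocked": 0, "paths": set(),
                                 "same_prefix": False})
    for e in entries:
        s = stats[e["ip"]]
        s["hits"] += 1
        if e["status"] == "503":          # the poster serves 503 when blocking
            s["blocked"] += 1
        s["paths"].add(e["path"])
        s["same_prefix"] = ip_address(e["ip"]) in net
    return dict(stats)

def root_only(stat):
    """Krugger's heuristic: only '/' is fetched, never the page's assets."""
    return stat["paths"] == {"/"}

if __name__ == "__main__":
    for ip, s in summarize(parse_log(SAMPLE_LOG), "206.74.0.1").items():
        print(ip, s["hits"], s["blocked"], s["same_prefix"], root_only(s))
```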
 
Old 10-18-2005, 02:57 PM   #5
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
I also find it a bit weird that your server answers with a 503 error sometimes.
 
Old 10-18-2005, 03:34 PM   #6
LQ?
LQ Newbie
 
Registered: Jan 2005
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Krugger
I also find it a bit weird that your server answers with a 503 error sometimes.
That is part of my defense. They get served a 503 and have their IP blocked.
 
Old 10-18-2005, 08:46 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by LQ?
Yes, it's a similar IP from the same subnet of my ISP.

I don't have a tcpdump; here are some relevant log entries:

Code:
206.74.190.67 - - [14/Oct/2005:12:26:14 -0400] "GET / HTTP/1.0" 200 1154
<SNIP>
206.74.190.189 - - [17/Oct/2005:06:57:56 -0400] "GET / HTTP/1.0" 200 1154
I saw these appear about 1-2 months ago. I set up p0f to fingerprint some packets and they always seemed to come from unpatched Windows boxes. IIRC, I did a little bit of research and it turned out to be the latest MS virus/worm at that time. Don't remember specifically what it was, unfortunately.
 
Old 10-18-2005, 11:55 PM   #8
LQ?
LQ Newbie
 
Registered: Jan 2005
Posts: 13

Original Poster
Rep: Reputation: 0
OK. Thanks for the info. I think I'll just continue to block them if they get too abusive.
 