LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-12-2012, 06:20 PM   #1
Zippy1970
Member
 
Odd HTTP requests. What's going on? Some kind of attack?


Starting a few weeks ago, I received daily munin warnings that my webserver's load average was spiking. These spikes only lasted a few minutes so it took me a while to find out what was causing these spikes. It turned out that it was caused by a huge amount of weird HTTP requests.

When I looked at my log files, I saw a lot of strange traffic coming from a lot of different IP addresses. All requests were for existing pages, but with some added junk at the end of the URL. I suspect this is to counteract caching. Also, a lot of the requests weren't "GET" requests, but "HEAD" requests.

Here are a few example lines from my log:

Code:
209.19.175.122  [12/Sep/2012:22:12:17 +0200]    404     -       "HEAD /forum/Archives/20110502-6-072779.html%26sa%3DU%26ei%3Dyl0MUKTvN4XKqgGky-C2Cg%26ved%3D0COwBEBYwVDhk%26usg%3DAFQjCNF52_fmS7uUpUt791bGIffIX9B59Q
206.207.117.174 [12/Sep/2012:22:12:17 +0200]    404     -       "HEAD /forum/Archives/20110502-6-072779.html%26sa%3DU%26ei%3DNOj5T-mANIXeqAH17oWLCQ%26ved%3D0CNABEBYwUDhk%26usg%3DAFQjCNFTozPaV5r1Gfkf1wCUkcOW_BSsDg
207.70.9.104    [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /cgi-bin/showThread.cgi?forum=6&thread=089856&style=printable&sa=U&ei=jdmJT6vuH-by2QWlh-HICQ&ved=0CM4BEBYwUQ&usg=AFQjCNE0j0qOgoHYlbbUrmKVaevjSqV2MQ
209.19.138.104  [12/Sep/2012:22:12:17 +0200]    404     -       "HEAD /forum/089856.html%26sa%3DU%26ei%3DLXttT9aNI8XF8ggPIp8W_DQ%26ved%3D0CNYBEBYwSg%26usg%3DAFQjCNHcgQSB_KTB8-y1Tkw_wSfMWxT5nw
209.19.170.61   [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /cgi-bin/showThread.cgi?forum=6&thread=089856&style=printable&sa=U&ei=_hYHUKuxLYHVqgHerdDhCA&ved=0COkBEBYwVDhk&usg=AFQjCNG6uxe0rvwadZ-4spOZUywHMn4YJg
206.80.112.113  [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /cgi-bin/showThread.cgi?forum=6&thread=089856&style=printable&sa=U&ei=NOj5T-mANIXeqAH17oWLCQ&ved=0CM4BEBYwTzhk&usg=AFQjCNF-k6mfM1MTndg4EbcxETXlZwErUg
69.5.239.22     [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /cgi-bin/showThread.cgi?forum=6&thread=089856&style=printable&sa=U&ei=icB0T7iqDeagiQLu2fCLDw&ved=0CDoQFjAFOGQ&usg=AFQjCNGUnqJq-FnxKtoSUakajwDJ7SnNVw
209.19.189.22   [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /cgi-bin/showThread.cgi?forum=6&thread=089856&style=printable&sa=U&ei=-7NfT-OtHIGPigKq4sHUBA&ved=0CHUQFjAfOGQ&usg=AFQjCNFP2oOleOQbIe187vPGFgQQ1L5q2w
206.207.117.174 [12/Sep/2012:22:12:17 +0200]    404     -       "HEAD /forum/089856.html%26sa%3DU%26ei%3DfFItUN0E48KKAsn_gWg%26ved%3D0CLcCEBYwYA%26usg%3DAFQjCNEBvsBs2i-1q8PC-7xuvuLE_LY3nw
206.80.114.184  [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /cgi-bin/showThread.cgi?forum=6&thread=089856&style=printable&sa=U&ei=EmeUT7zRIMuq8APLwKDODA&ved=0CJsBEBYwNThk&usg=AFQjCNHxgwqDbkmVB--ChATmMAl72SeegQ
209.19.189.22   [12/Sep/2012:22:12:17 +0200]    404     -       "HEAD /forum/Archives/20110502-6-072779.html%26sa%3DU%26ei%3DZ1UQUKfkKumliQL2u4G4Aw%26ved%3D0CJYBEBYwMjhk%26usg%3DAFQjCNEy9LWcd9uvtRXqA8EEYtrJ1xjCuQ
207.70.25.57    [12/Sep/2012:22:12:17 +0200]    404     -       "HEAD /forum/Archives/20110502-6-072779.html%26sa%3DU%26ei%3DhWgIUMmNHoHPqAHK9YHMBA%26ved%3D0CPsBEBYwWjhk%26usg%3DAFQjCNGzRihTRvH4scd3-s53fhm-fSjBAw
207.70.9.104    [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /cgi-bin/showThread.cgi?forum=6&thread=089856&style=printable&sa=U&ei=hWgIUMmNHoHPqAHK9YHMBA&ved=0CPkBEBYwWThk&usg=AFQjCNFUOELb6JIkQPlpQnjci-KEpl1RAQ
209.19.177.22   [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /cgi-bin/showThread.cgi?forum=6&thread=089856&style=printable&sa=U&ei=TYiIT5mWLMHg2gXyvJnjCQ&ved=0CNUBEBYwVA&usg=AFQjCNEi0Z1TjPKm1rVwkI2ANwHcIwFyuw
206.80.118.118  [12/Sep/2012:22:12:17 +0200]    404     -       "HEAD /forum/Archives/20110502-6-072779.html%26sa%3DU%26ei%3DqMUFUOuVDYm5qQGA9JnSCA%26ved%3D0CM4BEBYwSjhk%26usg%3DAFQjCNF6A9qfSshFfgpcVDP73n4XjaeSFg
69.5.239.148    [12/Sep/2012:22:12:17 +0200]    404     -       "HEAD /forum/Archives/20110502-6-072779.html%26sa%3DU%26ei%3D_hYHUKuxLYHVqgHerdDhCA%26ved%3D0COsBEBYwVThk%26usg%3DAFQjCNHALPtmA8B7tw6aR_wZJ6cb1xRcmg
209.19.152.72   [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /cgi-bin/showThread.cgi?forum=6&thread=089856&style=printable&sa=U&ei=DHPnT6KfG4HW2AXRquzZCQ&ved=0CHUQFjAnOGQ&usg=AFQjCNG-vvn3KYW6MawT8T1KgJz6TOFGdg
206.207.116.60  [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /forum/Archives/20120111-6-076230.html
207.70.60.20    [12/Sep/2012:22:12:17 +0200]    404     -       "HEAD /forum/089856.html%26sa%3DU%26ei%3DDqL0T_eaG6rY2gWjw7y-Bg%26ved%3D0CHsQFjAoOGQ%26usg%3DAFQjCNGVKieaRQfCxOJV4IXKLZ6MPPhpJw
207.70.3.140    [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /cgi-bin/showThread.cgi?forum=6&thread=089856&style=printable&sa=U&ei=DHPnT6KfG4HW2AXRquzZCQ&ved=0CHUQFjAnOGQ&usg=AFQjCNG-vvn3KYW6MawT8T1KgJz6TOFGdg
209.19.179.22   [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /forum/094692.html
209.19.183.22   [12/Sep/2012:22:12:17 +0200]    200     -       "HEAD /cgi-bin/showThread.cgi?forum=6&thread=089856&style=printable&sa=U&ei=_LkJUIOWBMm4rQHL9JCmCg&ved=0CPEBEBYwVThk&usg=AFQjCNF8tIrNt6Vv7vVvgJ64sv0u5PEbfA
Everything in blue is a legitimate URL on my server. Everything in red is added junk.

So what's going on here? Is this an attack? I see these kinds of requests all day long, but only sporadically. But during about 5 minutes starting at 3pm, the sheer number of requests almost croaks my webserver.

Last edited by unSpawn; 09-12-2012 at 08:24 PM. Reason: //Ditch the BB size tag
 
Old 09-12-2012, 09:28 PM   #2
unSpawn
Moderator
 
Interesting. Looking for "%26sa%3DU%26ei", "&sa=U&ei=" and "=AFQjCN" shows these "&sa=U&ei=.*&ved=.*&usg=" turn up everywhere from the SANS ISC diary and Jsunpack to Stackoverflow and even a Chillingeffects DMCA notice ;-p The only thread that talks about a reason says the poster's "Google Enhancer became incompatible with Firefox", but without any proof or technical detail. For the IP addresses I could check I found they were not that different; basically they come from two AS numbers: AS 2899 (majority) and AS 30663. The first one is owned by "Solution Pro" and the related domain names spro.net and micron.net have been blacklisted in rfc-ignorant.org for more than or nearly 10 years now. If your software doesn't accept these parameters then this isn't a threat. If you want to sanitize requests and protect yourself I suggest you check out mod_security.
 
Old 10-21-2012, 07:19 AM   #3
bdegoy
LQ Newbie
 
Hello Zippy1970,

I experienced the same situation for a few days on one of my sites.
I received tens of HEAD requests like these:

209.19.185.23 - - [21/Oct/2012:11:15:56 +0200] "HEAD /%26sa%3DU%26ei%3DbtasT6GAIeneiAL-3NWKBw%26ved%3D0CMsBEBYwSTisAg%26usg%3DAFQjCNEUAc25wk1u5AC7UMdvTIrLojFHkw HTTP/1.1" 404 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0) Gecko/20100101 Firefox/8.0"
207.70.9.104 - - [21/Oct/2012:11:16:00 +0200] "HEAD /%26sa%3DU%26ei%3DejKNT9GaFMK08QPN8oDGCw%26ved%3D0CFsQFjAVOJAD%26usg%3DAFQjCNFeez31-fgCOIV9w4L8AjHcg7C0Hw HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040225 Firefox/0.8"
206.207.116.62 - - [21/Oct/2012:11:16:04 +0200] "GET /%26sa%3DU%26ei%3DejKNT9GaFMK08QPN8oDGCw%26ved%3D0CFsQFjAVOJAD%26usg%3DAFQjCNFeez31-fgCOIV9w4L8AjHcg7C0Hw HTTP/1.1" 404 - "-" "Java/1.6.0_20"
209.19.187.23 - - [21/Oct/2012:11:16:04 +0200] "GET /%26sa%3DU%26ei%3DbtasT6GAIeneiAL-3NWKBw%26ved%3D0CMsBEBYwSTisAg%26usg%3DAFQjCNEUAc25wk1u5AC7UMdvTIrLojFHkw HTTP/1.1" 404 - "-" "Java/1.6.0_20"
...


It seems that every httpd child process created ends up dead and that MaxClients is reached quickly.
The memory is getting full, and the swap increases up to max until the machine hangs.
When I react quickly, the "killall -v httpd" command solves the problem, showing hundreds of dead httpd processes.

This happens once a day, around 11:20 TU.

Did you find a remedy?

Thanks to unSpawn for the investigation.

Kindly yours, BD
 
Old 10-21-2012, 02:18 PM   #4
Zippy1970
Member
 
Original Poster
Quote:
Originally Posted by bdegoy View Post
Hello Zippy1970,

Did you find a remedy?
Unfortunately, the only thing I could do was filter out these requests in my cgi scripts. So the requests are still there but since the cgi scripts immediately exit when they encounter these requests, it no longer has an effect on server performance.

Best way of course is to simply block any traffic from those IP ranges.
 
Old 10-21-2012, 04:54 PM   #5
bdegoy
LQ Newbie
 
Hello Zippy1970,

Thanks for your answer.
I have written this in .htaccess :

RewriteEngine On
RewriteCond %{REQUEST_METHOD} HEAD
Rewriterule ^(.*)%26sa%3DU(.*)$ - [F,L]

I will see at 11.20 if it works!
 
Old 10-21-2012, 06:02 PM   #6
NyteOwl
Member
 
Next time you click a search result in Google watch the actual URL sent. Google have started adding all sorts of tracking crap to the end of the actual site URLs in their search results links.
 
Old 10-21-2012, 06:29 PM   #7
unSpawn
Moderator
 
Quote:
Originally Posted by NyteOwl View Post
Google have started adding all sorts of tracking (..)
How would you explain these are HEAD requests then?
 
Old 10-22-2012, 12:56 AM   #8
bdegoy
LQ Newbie
 
Quote:
Originally Posted by NyteOwl View Post
Next time you click a search result in Google watch the actual URL sent. Google have started adding all sorts of tracking crap to the end of the actual site URLs in their search results links.
Hello NyteOwl,

This is not tracking generated by a click in a Google search result: these are many HEAD requests (and some GET) coming from different IPs in a short time.

The interesting part of your answer is your suggestion of something like Google tracking. As far as I can understand Google tracking, it returns data to Google from the client's browser. In our case, I don't see how the server could act in this way.

It looks like a limited DDOS.
 
Old 10-23-2012, 12:44 AM   #9
bdegoy
LQ Newbie
 
About the URL rewriting rule above: it has only blocked part of the odd requests.
Today's trial:

Rewriterule ^(.*)?&sa=U&ei(.*)?$ - [F,L]
Rewritecond %{QUERY_STRING} ^(.*)?&sa=U&ei(.*)?$
Rewriterule - [F,L]
 
Old 10-23-2012, 04:39 AM   #10
bdegoy
LQ Newbie
 
The rules above don't work. Got my httpd down once more.

For instance the request :

69.5.239.23 - - [23/Oct/2012:11:14:45 +0200] "HEAD /index.php?option=com_fireboard&Itemid=55&func=view&catid=3&id=218&sa=U&ei=VWB9T4K8BcWz8QPQrunTDQ&ved=0CEQQFjAN&usg=AFQjCNEDV5Gxk7Psil-GKMJSM0YyYeFCww HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

answered with 200 status.



I should have written:

Rewriterule .* - [F,L]

Last edited by bdegoy; 10-23-2012 at 07:05 AM.
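An added example, not code from this thread, that turns the pattern discussed in the first post and in the .htaccess attempts above into a detection check: it parses combined-format access log lines (constructed below from entries posted in this thread; the 10.0.0.5 line and the burst threshold are assumptions), finds the Google-redirect parameter junk whether it was percent-encoded into the path (the 404 lines) or sent as a real query string (the 200 lines), and counts hits per minute so a burst stands out. It also makes explicit why a RewriteRule pattern with a literal `%26sa%3DU` could not match: Apache matches RewriteRule against the %-decoded path, while `%{QUERY_STRING}` stays as sent.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample in Apache combined-log format, modelled on the lines
# posted in this thread; the 10.0.0.5 line is an ordinary request for contrast.
SAMPLE_LOG = """\
209.19.175.122 - - [12/Sep/2012:22:12:17 +0200] "HEAD /forum/Archives/20110502-6-072779.html%26sa%3DU%26ei%3Dyl0MUKTvN4XKqgGky-C2Cg%26ved%3D0COwBEBYwVDhk%26usg%3DAFQjCNF52_fmS7uUpUt791bGIffIX9B59Q HTTP/1.1" 404 - "-" "Mozilla/5.0"
206.207.117.174 - - [12/Sep/2012:22:12:17 +0200] "HEAD /forum/089856.html%26sa%3DU%26ei%3DfFItUN0E48KKAsn_gWg%26ved%3D0CLcCEBYwYA%26usg%3DAFQjCNEBvsBs2i-1q8PC-7xuvuLE_LY3nw HTTP/1.1" 404 - "-" "Mozilla/5.0"
207.70.9.104 - - [12/Sep/2012:22:12:17 +0200] "HEAD /cgi-bin/showThread.cgi?forum=6&thread=089856&style=printable&sa=U&ei=jdmJT6vuH-by2QWlh-HICQ&ved=0CM4BEBYwUQ&usg=AFQjCNE0j0qOgoHYlbbUrmKVaevjSqV2MQ HTTP/1.1" 200 - "-" "Mozilla/5.0"
206.207.116.60 - - [12/Sep/2012:22:12:17 +0200] "HEAD /forum/Archives/20120111-6-076230.html HTTP/1.1" 200 - "-" "Mozilla/5.0"
206.207.116.62 - - [21/Oct/2012:11:16:04 +0200] "GET /%26sa%3DU%26ei%3DejKNT9GaFMK08QPN8oDGCw%26ved%3D0CFsQFjAVOJAD%26usg%3DAFQjCNFeez31-fgCOIV9w4L8AjHcg7C0Hw HTTP/1.1" 404 - "-" "Java/1.6.0_20"
10.0.0.5 - - [21/Oct/2012:11:16:09 +0200] "GET /cgi-bin/showThread.cgi?forum=6&thread=089856 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# The junk is the parameter set of a Google results redirect: sa=U, ei, ved, usg.
JUNK_RE = re.compile(r'(^|[&?])sa=U&ei=[^&]*&ved=[^&]*&usg=')


def classify(line):
    """Parse one log line into (ip, minute, method, status, where), or None.
    where: 'query' = junk in the real query string, 'path' = junk %-encoded into
    the path (the 404 lines in this thread), None = clean request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    # Apache matches RewriteRule against the %-decoded path but leaves
    # %{QUERY_STRING} as sent, so the two forms have to be checked separately.
    where = None
    if JUNK_RE.search(parts.query):
        where = 'query'
    elif JUNK_RE.search(unquote(parts.path)):
        where = 'path'
    minute = m.group('ts')[:17]  # e.g. '12/Sep/2012:22:12'
    return m.group('ip'), minute, m.group('method'), int(m.group('status')), where


def summarize(log_text, burst_threshold=3):
    """Count junk requests per minute and flag minutes at or above the threshold."""
    per_minute, by_location, head_junk = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None or rec[4] is None:
            continue
        _ip, minute, method, _status, where = rec
        per_minute[minute] += 1
        by_location[where] += 1
        head_junk += 1 if method == 'HEAD' else 0
    return {'junk_total': sum(per_minute.values()), 'head_junk': head_junk,
            'by_location': dict(by_location),
            'bursts': {m: n for m, n in per_minute.items() if n >= burst_threshold}}
```

Run `summarize` over a real access log (one string, one line per request) to see which minutes carry the burst and whether the junk arrives in the path or the query string, which decides whether a RewriteRule pattern or a RewriteCond on %{QUERY_STRING} is the right place to match it.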
 
Old 10-24-2012, 02:28 AM   #11
bdegoy
LQ Newbie
 
Quote:
Originally Posted by Zippy1970 View Post
So what's going on here? Is this an attack?
First of all : For me, the problem arises in a Joomla! 1.5 of 2009 with a Fireboard forum.

It may look like a DDOS since many queries are coming at once from different IPs inducing heavy load and even crashing the server.

When I clear the httpd process with "killall httpd":
- I see many "[warn] child process xxx still did not exit, sending a SIGTERM"
- each process close sending "PHP Fatal error: Call to undefined method \xf0\xdd\x95::\xf0\xdd\x95() in .../public_html/libraries/joomla/session/session.php on line 135" to error.log.

What I guess:
- the load and the crash are due to the httpd processes not being able to exit and the creation of many new httpd processes.
- the httpd process is not able to exit because of the Joomla! session object not being destructed.

It seems to me that it isn't an attack: the goal of the offender seems to be to fool Google with simulated clicks on search results (thank you NyteOwl). The targets of the HEAD requests are some posts in a Joomla! Fireboard forum. These posts have long been deleted, but I remember they were the usual spam containing long links to pills or watches sites.

Any comment?

Last edited by bdegoy; 10-24-2012 at 02:30 AM.
 
Old 10-24-2012, 09:38 AM   #12
unSpawn
Moderator
 
Quote:
Originally Posted by bdegoy View Post
Any comment?
0. For using Joomla 1.5 you're SOL in my book (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=joomla) regardless of whatever other problems you have. You just don't have any valid compelling reasons to keep an unsupported, deprecated, vulnerable version alive.
1. There's a fundamental difference between regulating traffic at the network and application level. As a consequence some of the application level problems you have experienced could have been avoided completely.
2. Not following and responding to advice earlier in this thread means you re-invent the wheel over and over again.

In the preferred order:
- If your software doesn't accept these parameters then, stability sure, but it isn't a security threat.
- Until you prove otherwise blocking AS 2899 and AS 30663 prefixes (ipset) wards off that traffic.
- There are very simple iptables rules to limit the amount of new HTTP connections (examples: 0|1).
- Simply allow only the HTTP methods you need and no, you don't need the HTTP equivalent of "ping" requests.
- If you want to sanitize requests check out mod_security.
 
Old 10-24-2012, 10:17 AM   #13
bdegoy
LQ Newbie
 
Hello unSpawn,

0: I agree, but not my choice.
1 and 2: you are perfectly right.

I will follow your advice.
iptables and mod_security: OK, I can do that.
ipset: could you explain what these prefixes are and how to configure ipset with them?

Thank you for the advice.
 
Old 10-24-2012, 10:50 AM   #14
Noway2
Senior Member
 
ipset is part of netfilter, which is the underlying component of IPTables, your system firewall. It is more suited towards actions like blocking whole ranges of IPs.

See the following: http://ipset.netfilter.org/

Edit: I too disagree with the premise of running severely outdated systems. You have a responsibility to make sure that whomever is dictating this action understands and takes responsibility for the consequences.

Last edited by Noway2; 10-24-2012 at 10:51 AM.
 
Old 10-24-2012, 11:00 AM   #15
bdegoy
LQ Newbie
 
Quote:
Originally Posted by Noway2 View Post
ipset is part of netfilter, which is the underlying component of IPTables, your system firewall. It is more suited towards action like blocking whole ranges of IPs.
I understand ipset, but not what are the AS 2899 and AS 30663 prefixes unSpawn mentioned.
 
  

