LinuxQuestions.org

Help! (I'm getting flooded with http requests) (https://www.linuxquestions.org/questions/mandriva-30/help-im-getting-flooded-with-http-requests-252258/)

rknoesel 11-07-2004 09:18 PM

Help! (I'm getting flooded with http requests)
 
I have no idea whom to turn to for help anymore, I hope someone here reads this and can give me some advice. Here's the problem:

I've noticed in the last few days that my DSL connection has been getting severely bogged down. I quickly determined that I'm getting flooded with http requests from all over the place... check out the size of my access_log:

-rw------- 1 root root 243753443 Nov 5 14:41 access_log
-rw------- 1 root root 55772734 Nov 1 04:02 access_log.1
-rw------- 1 root root 2694673 Oct 1 01:01 access_log.2
-rw------- 1 root root 1057728 Sep 1 00:06 access_log.3
-rw------- 1 root root 1052680 Jul 31 22:35 access_log.4
-rw------- 1 root root 204491 Jun 30 23:52 access_log.5

Notice how in the first 5 days of November, it had already grown to 243 Megs! Also, the number of httpd2 processes running was maxed (150).

I'm running Mandrake 9.2, with Apache as the web server. Shoot... this forum won't let me post a snippet of the access_log, because I don't have 5 posts yet, and thanks to the spammers I can't post URLs. Hmmpf. Well, I posted a tiny example snippet below, with the URLs removed

I really hope that someone can help me out with this, I've had to block http requests from the net with my firewall so that I can use my connection.

Needless to say, I would greatly appreciate any advice!

Thanks!



217.255.160.80 - - [01/Nov/2004:04:11:43 -0800] "GET <some random URL here> HTTP/1.0" 302 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

opjose 11-08-2004 05:28 AM

Welcome to the world of Viruses, DOS attacks and Worms.

Have you checked to see if the hits are coming from a special block of IP's?

If so you can block them via /etc/hosts.deny

You could also lower the number of simultaneous connections allowed.

You also may want to watch your traffic with iptraf to see if you are getting hit by a group of machines local to your network or ISP.

I've seen one infected server on an ISP's subnet do something very similar to the above. This ISP (Comcast in our area) was hosting local web sites for business customers off their subnet instead of isolating the web servers.

It resulted in a flood condition which also took down their e-mail and DNS servers as well.

equinox 11-08-2004 06:36 AM

You may also run the command "netstat" from a terminal to see current connections / ports / services, hope that helps.

rknoesel 11-08-2004 04:42 PM

Thanks for the information, guys, I used both netstat and iptraf to determine that the traffic was coming from all over the place, there was no obvious pattern in the IPs.

But I found what the problem was: Turns out that my vanilla default installation of Mandrake 9.2 had apache enabled as a proxy server. I suspect that some script kiddies found my open http proxy and my IP was added to a list to be abused by spammers/redirecters/etc.

I ended up using thttpd instead of apache, since it seems a bit more efficient and robust. It also has proxy disabled by default. So now in my thttpd.log file, I see a lot of these messages:


201.6.20.24 - - [08/Nov/2004:14:35:58 -0800] "UNKNOWN /localhost HTTP/1.0" 400 0 "" ""
218.146.114.71 - - [08/Nov/2004:14:36:01 -0800] "UNKNOWN /localhost HTTP/0.9" 400 0 "" ""
82.197.199.204 - - [08/Nov/2004:14:36:02 -0800] "UNKNOWN /localhost HTTP/1.0" 400 0 "" ""
82.197.202.216 - - [08/Nov/2004:14:36:03 -0800] "UNKNOWN /localhost HTTP/1.0" 400 0 "" ""
64.182.1.198 - - [08/Nov/2004:14:36:07 -0800] "UNKNOWN /localhost HTTP/1.0" 400 0 "" ""
12.146.177.190 - - [08/Nov/2004:14:36:18 -0800] "UNKNOWN /localhost HTTP/1.0" 400 0 "" ""
217.225.231.198 - - [08/Nov/2004:14:36:21 -0800] "UNKNOWN /localhost HTTP/1.0" 400 0 "" ""


Which indicates to me that all these requests are being denied. Also, my pages are serving fine now, since things are under control again.

Anyway, I'm thinking/hoping that within the week these requests will disappear.

Thanks again,

RK
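An open forward proxy leaves a distinctive trace in an Apache access_log: the request target is an absolute URL ("GET http://other.host/..."), which a browser only sends to a proxy, or the method is CONNECT, which asks the server to open a raw TCP tunnel (spam relays use it to reach port 25 on someone else's mail server). The script below is an added example, not code from this thread or from Apache: it parses "combined" format lines like the excerpt above, flags proxy-style requests, and reports per-day volume plus the noisiest client IPs and the hosts they were trying to reach. The log lines inside it are constructed for the example; the IPs and hostnames are illustrative.

```python
"""Spot forward-proxy abuse in an Apache access_log (added example, constructed data)."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# One "combined" format line: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# "scheme://" at the start of the request target = absolute form, i.e. a proxy request
ABSOLUTE_URI = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')

# Constructed sample lines (not from the thread's real log).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2004:03:59:10 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
217.255.160.80 - - [01/Nov/2004:04:11:43 -0800] "GET http://www.example.com/ HTTP/1.0" 302 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
217.255.160.80 - - [01/Nov/2004:04:11:44 -0800] "GET http://www.example.com/ads.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
201.6.20.24 - - [02/Nov/2004:14:35:58 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-" "-"
82.197.199.204 - - [02/Nov/2004:14:36:02 -0800] "GET http://www.example.org/ HTTP/1.0" 302 298 "-" "-"
10.0.0.7 - - [02/Nov/2004:15:00:00 -0800] "GET /robots.txt HTTP/1.0" 404 209 "-" "Wget/1.9"
this line is garbage and will not parse
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_request(rec: Dict[str, str]) -> bool:
    """True when the request line is one a client sends to a proxy, not to an origin server.

    An origin server normally sees "GET /path". "GET http://host/path" is the absolute
    form used by proxy clients, and CONNECT requests a TCP tunnel to host:port.
    """
    return rec['method'] == 'CONNECT' or bool(ABSOLUTE_URI.match(rec['target']))


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count requests per day, proxy-style requests, top abusing IPs and top targets."""
    per_day: Counter = Counter()
    proxy_by_ip: Counter = Counter()
    proxy_targets: Counter = Counter()
    total = proxy = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep going; a flood log will have a few odd lines
            continue
        total += 1
        day = rec['ts'].split(':', 1)[0]          # "01/Nov/2004:04:11:43 -0800" -> "01/Nov/2004"
        per_day[day] += 1
        if is_proxy_request(rec):
            proxy += 1
            proxy_by_ip[rec['ip']] += 1
            target = rec['target']
            # host the abuser wanted reached: "http://host/path" -> host, CONNECT host:port -> as is
            host = target.split('/', 3)[2] if ABSOLUTE_URI.match(target) else target
            proxy_targets[host] += 1
    return {
        'total': total,
        'unparsed': unparsed,
        'proxy': proxy,
        'per_day': dict(per_day),
        'top_proxy_clients': proxy_by_ip.most_common(3),
        'top_proxy_targets': proxy_targets.most_common(3),
    }


if __name__ == '__main__':
    # Real use: summarize(open('/var/log/httpd/access_log'))
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f'{key}: {value}')
```

On a genuine open-proxy flood the proxy-style share of requests is the number to watch; ordinary crawler or worm noise (Nimda/Code Red style "GET /scripts/..." probes) uses origin-form targets and will not be flagged, which is the point of the distinction. The per-day counts give the same decay curve the thread tracks by hand once the proxy is closed.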

opjose 11-08-2004 06:43 PM

9.2 never installed a proxy by default!!!!

I deployed quite a number of 9.2 machines as servers and routers and this would have bit me in the face to no end.

You could have also merely uninstalled the proxy mod.

First find it by

rpm -qa | grep proxy

rpm -qa | grep mod

Run this and see what you have installed!

I'm not familiar with thttpd, but I would venture to say that the message you posted does not necessarily indicate a denial.

You may want to check if your machine is making OUTBOUND (new) connection attempts as an inbound one comes in.

If it does, you still haven't eliminated the problem.

rknoesel 11-14-2004 02:17 PM

Hmmm... strange. I never touched any proxy settings, but when I looked at

/etc/httpd/conf.d/30_mod_proxy.conf

it contains:

<------------begin cut------------->

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#

ProxyRequests On

<------------end cut------------->


I hope you're right, that it's not on by default. Then again, this would mean that my system has been compromised at some point. :(

Anyway, I did a google search of my IP, and it came up with a bunch of anonymous proxy lists, some of which still had my IP on them (even though I shut it down a week ago).

Also, since I've shut it down, my traffic has steadily decreased:

12/Nov/2004 : 15371
11/Nov/2004 : 20056
10/Nov/2004 : 25740
09/Nov/2004 : 37073

I estimate that Nov 5th, when I first saw a problem, I was serving well over 100,000 pages.

Thanks again for helping,

R
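The fragment quoted above has the one line that matters uncommented: in Apache 2.0's mod_proxy, `ProxyRequests On` with no `<Proxy>` access control turns the server into a forward proxy for the whole Internet, which is exactly what the abuse pattern in this thread looks like. Below is an added example (not the thread's file and not Mandrake's shipped config) showing the weak setting next to the two safe alternatives: turning forward proxying off entirely, or, if a LAN really needs it, keeping it on but restricted to local clients with the Apache 2.0 `Order`/`Deny`/`Allow` directives. The 192.168.1.0/24 range is an assumed example network.

```apache
# --- WEAK (what the quoted 30_mod_proxy.conf effectively does): open forward proxy ---
# ProxyRequests On
#   ...and no <Proxy> container, so anyone on the Internet can relay through this host.

# --- SAFE, option 1: no forward proxying at all (reverse-proxy ProxyPass still works) ---
ProxyRequests Off

# --- SAFE, option 2: forward proxy only for the local network (assumed 192.168.1.0/24) ---
# Comment out "ProxyRequests Off" above and use this block instead.
# ProxyRequests On
# ProxyVia On
# <Proxy *>
#     Order deny,allow
#     Deny from all
#     Allow from 192.168.1.0/24
# </Proxy>
```

After changing the file, run a syntax check and restart Apache (on a stock Apache 2.0 install that is `apachectl configtest`; a distribution build may name the binaries differently), then confirm from a machine outside the LAN that the proxy is really closed, for example with `curl -x your.host.example:80 http://www.example.com/`, which should now get an error or a local page rather than the remote site. Being listed on anonymous-proxy lists is sticky, as the post above notes, so expect residual proxy-style requests for a while even once they are all being refused.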

opjose 11-14-2004 05:57 PM

No problem.

Remember though that the proxy may have been automatically installed as part of another package requirement.

