DoS attack
Posted: 2005-03-01 09:35
For three days we have had the problem of apparent DoS attacks against a server running a VB forum. The attacks come from a great many different IPs, so we cannot simply block them with iptables. Nothing can be done via the User-Agent either. As far as I have researched, an anonymizer could also be behind it. The attacks flood Apache so badly that the machine dies an out-of-memory death.
Does anyone have an idea?
Here are a few excerpts from the access_log before the crash:
200.31.23.195 - telefone [28/Feb/2005:22:30:37 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; NetCaptor )"
210.212.2.70 - mellow [28/Feb/2005:22:30:22 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; DigiExt )"
210.212.2.70 - cum [28/Feb/2005:22:30:23 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT5.0; DigiExt )"
210.212.2.70 - gersh [28/Feb/2005:22:29:51 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; ezn IE )"
200.13.229.178 - tttttttt99 [28/Feb/2005:22:29:27 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; ezn IE )"
200.13.229.178 - admin2 [28/Feb/2005:22:29:27 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; win9x/NT 4.90 )"
200.13.229.178 - foot [28/Feb/2005:22:29:39 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"
163.17.101.125 - maddog [28/Feb/2005:22:29:08 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; TWRAITH )"
200.31.23.195 - edyenko [28/Feb/2005:22:31:34 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de/login.php" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; Compaq )"
200.31.23.195 - samj [28/Feb/2005:22:31:13 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; Compaq )"
200.31.23.195 - nala [28/Feb/2005:22:30:25 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; DigiExt )"
196.41.10.174 - dwnahwy [28/Feb/2005:22:29:41 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; Compaq )"
196.2.56.13 - fuzzle [28/Feb/2005:22:29:15 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; TWRAITH )"
196.41.10.174 - humara [28/Feb/2005:22:29:39 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; DigiExt )"
196.2.56.13 - ref141 [28/Feb/2005:22:29:15 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
200.31.23.195 - sonny [28/Feb/2005:22:31:13 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
202.124.224.15 - december [28/Feb/2005:22:31:46 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de/login.php" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; MSNIA )"
200.254.125.190 - telefone [28/Feb/2005:22:30:16 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; DigiExt )"
200.67.79.230 - dhayes [28/Feb/2005:22:32:47 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; DigiExt )"
200.67.79.230 - annoy [28/Feb/2005:22:33:01 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; DigiExt )"
200.67.79.230 - gersh [28/Feb/2005:22:33:02 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; DigiExt )"
200.67.79.230 - devils [28/Feb/2005:22:33:07 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; DigiExt )"
200.67.79.230 - bissjop [28/Feb/2005:22:33:00 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
213.168.120.161 - - [28/Feb/2005:22:34:13 +0100] "GET /ub_banner_klein.jpg HTTP/1.1" 200 14642 "http://www.vbulletin-germany.com/forum/showthread.php?t=15900" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.67.79.230 - cheo [28/Feb/2005:22:31:51 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; DigiExt )"
210.212.2.70 - begood [28/Feb/2005:22:29:57 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; Compaq )"
200.67.79.230 - c3po [28/Feb/2005:22:32:55 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; MSNIA )"
210.212.2.70 - fargifiction [28/Feb/2005:22:29:58 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; athome0107 )"
200.67.79.230 - laney [28/Feb/2005:22:33:01 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; DigiExt )"
210.212.2.70 - mmmmmmm [28/Feb/2005:22:29:56 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )"
200.67.79.230 - cum [28/Feb/2005:22:33:07 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; DigiExt )"
200.67.79.230 - aidan [28/Feb/2005:22:33:58 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; TWRAITH )"
200.67.79.230 - begood [28/Feb/2005:22:34:15 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; win9x/NT 4.90 )"
200.67.79.230 - fargifiction [28/Feb/2005:22:34:16 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; NetCaptor )"
202.175.234.162 - earth [28/Feb/2005:22:34:15 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; NetCaptor )"
200.67.79.230 - mmmmmmm [28/Feb/2005:22:32:28 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; DigiExt )"
200.67.79.230 - nihao [28/Feb/2005:22:34:13 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; TWRAITH )"
210.212.2.70 - waters [28/Feb/2005:22:34:13 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; MSNIA )"
200.67.79.230 - sean [28/Feb/2005:22:33:02 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; athome0107 )"
200.67.79.230 - area69 [28/Feb/2005:22:33:52 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; athome020 )"
210.212.2.70 - aidan [28/Feb/2005:22:30:17 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; DigiExt )"
200.58.160.148 - hhhh [28/Feb/2005:22:34:16 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; DigiExt )"
200.67.79.230 - dole2000 [28/Feb/2005:22:32:20 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; athome0107 )"
200.67.79.230 - bgrn [28/Feb/2005:22:32:28 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; DigiExt )"
200.67.79.230 - cgisucks [28/Feb/2005:22:34:15 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; FREEI v2.53 )"
200.67.79.230 - sanford [28/Feb/2005:22:33:13 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; DigiExt )"
200.67.79.230 - roger [28/Feb/2005:22:32:43 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; athome0107 )"
200.67.79.230 - burnt [28/Feb/2005:22:34:59 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de/login.php" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
200.67.79.230 - mellow [28/Feb/2005:22:32:31 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; NetCaptor )"
200.67.79.230 - waters [28/Feb/2005:22:34:57 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; Compaq )"
200.67.79.230 - Dreamer [28/Feb/2005:22:32:30 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; NetCaptor )"
203.144.143.7 - garth [28/Feb/2005:22:35:05 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; Compaq )"
210.212.2.70 - blackhawks [28/Feb/2005:22:30:04 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )"
210.212.2.70 - agentx [28/Feb/2005:22:30:24 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; TWRAITH )"
200.67.79.230 - ROCCO [28/Feb/2005:22:35:06 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
200.67.79.230 - toshiaki [28/Feb/2005:22:33:06 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; athome020 )"
84.136.129.114 - - [28/Feb/2005:22:31:46 +0100] "GET /abi05/shh/dh.gif HTTP/1.1" 200 172660 "http://kwick.de/profil/Pages4web_net/gb" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.5) Gecko/20041122 Firefox/1.0"
200.67.79.230 - 12345 [28/Feb/2005:22:35:06 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; FREEI v2.53 )"
203.144.143.7 - chump [28/Feb/2005:22:35:06 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; athome020 )"
200.67.79.230 - blackhawks [28/Feb/2005:22:35:06 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; DigiExt )"
200.67.79.230 - hidden [28/Feb/2005:22:31:58 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; Compaq )"
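Added example, not part of the original post: a small log analysis that parses lines in the format shown above and reports which fields vary across the flood requests and which stay constant. The `is_suspect` signature is an assumption derived from the excerpt (HEAD on `/login.php` with the user field filled in); the sample lines are copied from the excerpt.

```python
import re
from collections import Counter

# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Six lines copied from the excerpt above (four HEAD requests, two ordinary GETs).
SAMPLE = [
    '200.31.23.195 - telefone [28/Feb/2005:22:30:37 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; NetCaptor )"',
    '210.212.2.70 - mellow [28/Feb/2005:22:30:22 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; DigiExt )"',
    '196.41.10.174 - dwnahwy [28/Feb/2005:22:29:41 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; Compaq )"',
    '200.31.23.195 - edyenko [28/Feb/2005:22:31:34 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de/login.php" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; Compaq )"',
    '213.168.120.161 - - [28/Feb/2005:22:34:13 +0100] "GET /ub_banner_klein.jpg HTTP/1.1" 200 14642 "http://www.vbulletin-germany.com/forum/showthread.php?t=15900" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '84.136.129.114 - - [28/Feb/2005:22:31:46 +0100] "GET /abi05/shh/dh.gif HTTP/1.1" 200 172660 "http://kwick.de/profil/Pages4web_net/gb" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.5) Gecko/20041122 Firefox/1.0"',
]

FIELDS = ("host", "user", "agent", "referer", "method", "path", "status")

def parse(lines):
    """Return one dict per line that matches the combined log format."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def is_suspect(entry):
    """Hypothetical signature: HEAD on /login.php with the user field filled in."""
    return (entry["method"] == "HEAD" and entry["path"] == "/login.php"
            and entry["user"] != "-")

def field_spread(entries):
    """Distinct values per field; 1 means the field is constant across entries."""
    return {f: len({e[f] for e in entries}) for f in FIELDS}

def per_minute(entries):
    """Request count per minute, keyed by 'dd/Mon/yyyy:HH:MM'."""
    return Counter(e["time"][:17] for e in entries)

if __name__ == "__main__":
    suspects = [e for e in parse(SAMPLE) if is_suspect(e)]
    print(len(suspects), "suspect requests")
    for field, n in field_spread(suspects).items():
        print(f"{field:8} {n} distinct value(s)")
    print(per_minute(suspects).most_common())
```

Fields with a spread of 1 (method, path, status) are the ones a server-side filter can match on; host and agent vary from request to request, which is why blocking by IP or User-Agent did not help.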