
DoS attack


Powie
01.03.2005, 10:05
A server that I partly look after runs a VB forum (yes, it is licensed). For the past three days it has been hit every evening by a DoS attack, which puts the server under so much load that shortly afterwards it dies an OutOfMemory death. The attacks appear to be aimed specifically at VB. Unfortunately nothing can be done with the IPs or the user agent, i.e. nothing can be locked out via iptables.
Shortly before the machine dies, thousands of access_log entries like these appear:


219.223.112.1 - diamonds [28/Feb/2005:22:27:59 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; DigiExt )"
210.212.204.34 - roger [28/Feb/2005:22:28:11 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; ezn IE )"
210.212.204.34 - Jay18 [28/Feb/2005:22:28:13 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; NetCaptor )"
210.212.204.34 - nihao [28/Feb/2005:22:28:11 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; FREEI v2.53 )"
210.212.204.34 - Dreamer [28/Feb/2005:22:28:14 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; DigiExt )"
220.135.120.65 - dwnahwy [28/Feb/2005:22:27:53 +0100] "HEAD /login.php HTTP/1.1" 302 - "http://www.united-forum.de/login.php" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; ezn IE )"
210.212.204.34 - bgrn [28/Feb/2005:22:28:13 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; TWRAITH )"
210.212.2.70 - feldspar [28/Feb/2005:22:28:15 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; win9x/NT 4.90 )"
210.212.2.70 - nihao [28/Feb/2005:22:28:11 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; MSNIA )"
210.212.2.70 - Dreamer [28/Feb/2005:22:28:11 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; athome020 )"
210.212.2.70 - bgrn [28/Feb/2005:22:28:09 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; NetCaptor )"
210.212.204.34 - begood [28/Feb/2005:22:28:15 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows XP; DigiExt )"
210.212.2.70 - devils [28/Feb/2005:22:28:07 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; NetCaptor )"
219.223.112.1 - snowwolf [28/Feb/2005:22:27:56 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; athome0107 )"
219.223.112.1 - nimh [28/Feb/2005:22:27:59 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
210.212.2.70 - roger [28/Feb/2005:22:28:09 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; MSNIA )"
219.223.112.1 - khutter [28/Feb/2005:22:27:58 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; DigiExt )"
212.6.123.203 - - [28/Feb/2005:22:27:55 +0100] "GET /archive/index.php/t-34260.html HTTP/1.1" 200 5651 "http://www.google.de/search?q=plural+gramatik&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8&meta=lr%3Dlang_de" "Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7) Gecko/20040803 Firefox/0.9.3"
219.223.112.1 - hocus [28/Feb/2005:22:27:55 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; athome0107 )"
219.223.112.1 - tull [28/Feb/2005:22:28:00 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )"
219.223.112.1 - blackhawks [28/Feb/2005:22:27:58 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; DigiExt )"
210.212.204.34 - blackhawks [28/Feb/2005:22:28:04 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT4.0; DigiExt )"
210.212.204.34 - sean [28/Feb/2005:22:28:04 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; DigiExt )"
210.212.2.70 - area69 [28/Feb/2005:22:28:20 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; FREEI v2.53 )"
210.212.204.34 - fargifiction [28/Feb/2005:22:28:02 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; FREEI v2.53 )"
217.83.174.18 - - [28/Feb/2005:22:28:13 +0100] "POST /arcade.php HTTP/1.1" 200 146 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
210.212.2.70 - bissjop [28/Feb/2005:22:28:15 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; ezn IE )"
210.212.204.34 - annoy [28/Feb/2005:22:28:17 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; MSNIA )"
210.212.204.34 - waters [28/Feb/2005:22:28:17 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; FREEI v2.53 )"
80.142.73.135 - - [28/Feb/2005:22:29:12 +0100] "GET /images/banner/uf_banner.jpg HTTP/1.1" 200 20197 "http://82.96.83.82/showthread.php?p=1198679&posted=1#post1198679" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.191.157.225 - - [28/Feb/2005:22:29:14 +0100] "GET /images/banner/uf_banner.jpg HTTP/1.1" 200 20197 "http://www.cncforen.de/showthread.php?p=1198480#post1198480" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
217.233.26.22 - - [28/Feb/2005:22:29:20 +0100] "GET /images/styles/standard/misc/topvb3.jpg HTTP/1.1" 304 - "http://www.united-forum.de/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.5) Gecko/20041122 Firefox/1.0"
212.124.165.6 - - [28/Feb/2005:22:29:21 +0100] "GET /customavatars/avatar4929_0.gif HTTP/1.1" 304 - "http://dow.sanctuary-network.com/index.php?showtopic=3767" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
217.233.26.22 - - [28/Feb/2005:22:29:21 +0100] "GET /script/ad/ub_button.gif HTTP/1.1" 304 - "http://www.united-forum.de/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.5) Gecko/20041122 Firefox/1.0"
80.108.93.50 - - [28/Feb/2005:22:28:02 +0100] "GET /showthread.php?t=35035 HTTP/1.1" 200 9863 "http://www.google.at/search?hl=de&q=schlacht+um+mittelerde+build-order&btnG=Suche&meta=" "Opera/7.54 (Windows NT 5.1; U) [en]"
80.142.73.135 - - [28/Feb/2005:22:30:09 +0100] "GET /images/banner/uf_banner.jpg HTTP/1.1" 200 20197 "http://82.96.83.82/showthread.php?p=1198679#post1198679" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
62.158.65.55 - - [28/Feb/2005:22:30:18 +0100] "GET /images/banner/uf_banner2.jpg HTTP/1.1" 304 - "http://desolate.de.ohost.de/include.php?path=start.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.13.229.178 - force [28/Feb/2005:22:29:26 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows XP; NetCaptor )"
200.13.229.178 - jeffery [28/Feb/2005:22:29:33 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT4.0; Compaq )"
200.13.229.178 - garth [28/Feb/2005:22:29:39 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows 98; TWRAITH )"
200.13.229.178 - chuck001 [28/Feb/2005:22:29:32 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; DigiExt )"
200.13.229.178 - chump [28/Feb/2005:22:29:38 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de/login.php" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; athome020 )"
200.13.229.178 - adolphus [28/Feb/2005:22:29:26 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; DigiExt )"
200.30.79.126 - dick [28/Feb/2005:22:29:51 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows NT5.0; win9x/NT 4.90 )"
210.201.238.125 - sonny [28/Feb/2005:22:29:12 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; athome020 )"
210.212.2.70 - dhayes [28/Feb/2005:22:29:45 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; AOL 5.0; Compaq )"
200.30.79.126 - G56ccW [28/Feb/2005:22:29:51 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
210.212.2.70 - sean [28/Feb/2005:22:29:45 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; AOL 5.0; DigiExt )"
62.158.75.143 - - [28/Feb/2005:22:31:35 +0100] "GET /images/banner/uf_banner2.jpg HTTP/1.1" 304 - "http://desolate.de.ohost.de/include.php?path=start.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.142.249.43 - - [28/Feb/2005:22:31:48 +0100] "GET /script/team_d.php?id=413 HTTP/1.0" 302 330 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
200.13.229.178 - nameuser [28/Feb/2005:22:29:33 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows 98; DigiExt )"
200.31.23.195 - jackpot [28/Feb/2005:22:30:50 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; AOL 5.0; DigiExt )"
200.31.23.195 - maddog [28/Feb/2005:22:31:13 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.5; Windows NT4.0; DigiExt )"
200.31.23.195 - worker [28/Feb/2005:22:31:13 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; DigiExt )"
200.31.23.195 - telefone [28/Feb/2005:22:30:37 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.01; Windows NT5.0; NetCaptor )"
210.212.2.70 - mellow [28/Feb/2005:22:30:22 +0100] "HEAD /login.php HTTP/1.0" 302 - "http://www.united-forum.de:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows XP; DigiExt )"

Tomek
01.03.2005, 11:13
The first thing you should do is disable DNS lookups in the Apache configuration, if you have not already done so. What that means and how you can disable it is explained here: http://httpd.apache.org/docs-2.0/de/mod/core.html#hostnamelookups

In principle you cannot defend yourself against a DoS attack. There are ways/starting points to reduce the consequences, but that is not the solution. You should inform your provider and get them to act.

Tomek
01.03.2005, 12:07
As a quick workaround you could install the mod_dosevasive module for Apache: http://www.nuclearelephant.com/projects/dosevasive/

Powie
01.03.2005, 12:53
Quote: As a quick workaround you could install the mod_dosevasive module for Apache: http://www.nuclearelephant.com/projects/dosevasive/

Sounds good, we have installed it now, let's see what happens!

RCN-Siggi
01.03.2005, 17:11
Quote: Sounds good, we have installed it now, let's see what happens!
That info would be quite interesting for us too! :)

Lately our log files have been growing conspicuously out of proportion. Fortunately the user numbers are growing too, but the increase in the size of the log files is not quite in proportion to that. Server performance and access times are great, but a little vigilance seems appropriate to me on this point...
Siggi

Powie
01.03.2005, 18:52
The module has already triggered twice, and the things in the log file really were not kosher. Seems to be usable.

Tomek
01.03.2005, 20:57
How did you configure the module?

Powie
02.03.2005, 00:37
LoadModule dosevasive20_module /usr/lib/apache2/mod_dosevasive20.so

<IfModule mod_dosevasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify dos@******
DOSLogDir "/var/lock/mod_dosevasive"
</IfModule>
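
Added example, not part of the thread and not code from mod_dosevasive: it parses Combined Log Format lines like the ones posted above, flags sources by request shape (HEAD /login.php under many different auth user names) rather than by IP or user agent, and replays a simplified per-page limit with the posted `DOSPageCount 2` / `DOSPageInterval 1` values. The sample lines, IPs and user names are constructed, and `page_threshold_hits` is an assumed model of such a limit, not the module's own algorithm.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: host ident user [time] "method path proto" status bytes "referer" "agent"
LINE = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*"')

def _line(ip, user, hms, req="HEAD /login.php HTTP/1.0"):
    return (f'{ip} - {user} [28/Feb/2005:{hms} +0100] "{req}" 302 - '
            '"http://forum.example:80" "Mozilla/5.0 ( compatible; MSIE 5.0; Windows 98; DigiExt )"')

# Constructed sample (documentation-range IPs, made-up user names), not data from the thread.
SAMPLE = "\n".join(_line(*row) for row in [
    ("203.0.113.7", "alice", "22:28:11"), ("203.0.113.7", "bob", "22:28:11"),
    ("203.0.113.7", "carol", "22:28:11"),          # burst: three in one second
    ("198.51.100.9", "dave", "22:29:26"), ("198.51.100.9", "erin", "22:29:32"),
    ("198.51.100.9", "frank", "22:29:39"),         # slow: several seconds apart
    ("192.0.2.44", "-", "22:28:13", "GET /showthread.php?t=1 HTTP/1.1"),
])

def parse(text):
    """Yield one dict per parsable log line; unparsable lines are skipped."""
    for raw in text.splitlines():
        if (m := LINE.match(raw)):
            ip, user, ts, method, path = m.groups()
            yield {"ip": ip, "user": user, "method": method, "path": path,
                   "t": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")}

def login_probers(events, min_users=3):
    """IPs that sent HEAD /login.php under at least min_users different auth user names."""
    users = defaultdict(set)
    for e in events:
        if e["method"] == "HEAD" and e["path"] == "/login.php" and e["user"] != "-":
            users[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}

def page_threshold_hits(events, page_count=2, page_interval=1):
    """IPs with more than page_count requests for one path inside page_interval seconds."""
    recent, flagged = defaultdict(list), set()
    for e in sorted(events, key=lambda e: e["t"]):  # access_log order is not time order
        key = (e["ip"], e["path"])
        recent[key] = [t for t in recent[key]
                       if (e["t"] - t).total_seconds() < page_interval] + [e["t"]]
        if len(recent[key]) > page_count:
            flagged.add(e["ip"])
    return flagged

if __name__ == "__main__":
    print(login_probers(parse(SAMPLE)), page_threshold_hits(parse(SAMPLE)))
```

In the sample, the source that spaces its requests several seconds apart stays under the per-page limit but is still reported by the user-name count, so the two checks complement each other.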

taeb.de
29.12.2007, 22:16
Is it still doing its job? ;)

Pathor
29.12.2007, 22:36
Last activity: 02.03.2005 00:38
I don't think he will answer you. ;)