myriads of access to unknown pages on my server bring my serverdown (DOS?)

myriads of access to unknown pages on my server bring my serverdown (DOS?)

am 10.03.2010 14:34:28 von pilsl

My apache was slowing down big time today morning and when I looked at the logs I realized that I've approx 10 page-requests per second from various ip's to pages that are not hosted on my server.

example:

buzzurl.jp 204.45.41.82 - - [10/Mar/2010:14:49:34 +0100] "GET http://buzzurl.jp/tag/firefox%20add-ons/200902 HTTP/1.1" 200 19620 "-" "Mozilla/4.0 (compatible
; MSIE 6.0; Windows NT 5.1; SV1)"


the requested page and the source-IP are new in every line.

I know this "ghosts" from earlier logs and never knew why they were in my logs but I never thought about it, cause they were infrequently. But now I'm really overrun by these request.

So I wonder: whats going on here? Is this a targeted attack? where are these requests coming from?

buzzurl.jp (from the above example) does not resolve to my host-ip, but thats not the issue cause the name is in the request-header. What worries me more is that my apache didnt give back a 404 like it should but a 200 !!??

How can that be? I dont have a default-page running and when I reconfigure my client here so that buzzurl.jp points to my server and request buzzurl.jp then I get a 404.

So again: whats going on here? Why does my apache give my precious time to stupid request? does the request trick my apache?

As you can imagine I'm bit in a stress here, cause my "real" webpages are getting incredible slow and the requests dont stop and I dont know how I can block them.

Any idea or experience with this?

thnx
peter

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: myriads of access to unknown pages on my server

am 10.03.2010 15:09:09 von Philip Wigg

On 10 March 2010 13:34, peter pilsl wrote:
>
> My apache was slowing down big time today morning and when I looked at th=
e logs I realized that I've approx 10 page-requests per second from various=
ip's to pages that are not hosted on my server.
>
> example:
>
> buzzurl.jp 204.45.41.82 - - [10/Mar/2010:14:49:34 +0100] "GET http://buzz=
url.jp/tag/firefox%20add-ons/200902 HTTP/1.1" 200 19620 "-" "Mozilla/4.0 (c=
ompatible
> ; MSIE 6.0; Windows NT 5.1; SV1)"
>
>
> the requested page and the source-IP are new in every line.
>
> I know this "ghosts" from earlier logs and never knew why they were in my=
logs but I never thought about it, cause they were infrequently. But now I=
'm really overrun by these request.
>
> So I wonder: whats going on here? =A0Is this a targeted attack? where are=
these requests coming from?
>
> buzzurl.jp (from the above example) does not resolve to my host-ip, but t=
hats not the issue cause the name is in the request-header. What worries me=
more is that my apache didnt give back a 404 like it should but a 200 !!??
>
> How can that be? =A0I dont have a default-page running and when I reconfi=
gure my client here so that buzzurl.jp points to my server and request buzz=
url.jp then I get a 404.
>
> So again: whats going on here? Why does my apache give my precious time t=
o stupid request? does the request trick my apache?
>
> As you can imagine I'm bit in a stress here, cause my "real" webpages are=
getting incredible slow and the requests dont stop and I dont know how I c=
an block them.
>
> Any idea or experience with this?
>

You might be accidentally running Apache as a forward proxy. Do you
have 'ProxyRequests On' in your configuration?

--Phil

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: myriads of access to unknown pages on my server

am 10.03.2010 15:09:50 von Tom Evans

On Wed, Mar 10, 2010 at 1:34 PM, peter pilsl wrote:
>
> My apache was slowing down big time today morning and when I looked at th=
e logs I realized that I've approx 10 page-requests per second from various=
ip's to pages that are not hosted on my server.
>
> example:
>
> buzzurl.jp 204.45.41.82 - - [10/Mar/2010:14:49:34 +0100] "GET http://buzz=
url.jp/tag/firefox%20add-ons/200902 HTTP/1.1" 200 19620 "-" "Mozilla/4.0 (c=
ompatible
> ; MSIE 6.0; Windows NT 5.1; SV1)"
>
>
> the requested page and the source-IP are new in every line.
>
> I know this "ghosts" from earlier logs and never knew why they were in my=
logs but I never thought about it, cause they were infrequently. But now I=
'm really overrun by these request.
>
> So I wonder: whats going on here?  Is this a targeted attack? where =
are these requests coming from?
>
> buzzurl.jp (from the above example) does not resolve to my host-ip, but t=
hats not the issue cause the name is in the request-header. What worries me=
more is that my apache didnt give back a 404 like it should but a 200 !!??
>
> How can that be?  I dont have a default-page running and when I reco=
nfigure my client here so that buzzurl.jp points to my server and request b=
uzzurl.jp then I get a 404.
>
> So again: whats going on here? Why does my apache give my precious time t=
o stupid request? does the request trick my apache?
>
> As you can imagine I'm bit in a stress here, cause my "real" webpages are=
getting incredible slow and the requests dont stop and I dont know how I c=
an block them.
>
> Any idea or experience with this?
>
> thnx
> peter
>

Have you configured your apache as an unsecured forward proxy?

Cheers

Tom

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org