Server Attacked at Random

My server has been under attack for three days by a user in Colorado who requested the same URL 8.3 million times (and counting).

The user, making simultaneous connections from eight IP addresses in a block controlled by Time Warner Telecom, requested a URL on URouLette that redirects to a random web site -- as many as 30 requests a second to a PHP script that made a MySQL database connection. I'm guessing the motive was to acquire web addresses for e-mail harvesting or some other form of net abuse.

By yesterday morning, the requests were crashing everything on the server that could be crashed. It's a sign of how well Linux, Apache, MySQL, and PHP work that it took so long to bring down the box.

After sending an e-mail to the ISP's abuse address, I tried to solve the problem by adding an Apache configuration deny from directive that blocked the user's access to the site:


Order allow,deny
Deny from 66.195.191
Allow from all

After rebooting Apache, the abuser's requests were rejected with HTTP status code 403 Forbidden.

This worked briefly, prevented MySQL from running out of connections, but after a few hours Apache began freezing up and would serve no requests.

I wasn't able to fix this until I started the iptables service firewall on my server and told it to completely block the offending IPs with commands like this:

/sbin/iptables -I INPUT -s 192.0.34.166 -j DROP

This appears to have worked.

After 24 hours, I'm still waiting to hear from a human at Time Warner Telecom's abuse desk. My own hosting provider, ServerMatrix, has been fast to respond but doesn't seem inclined to contact the other company. I was hoping they could talk admino a admino.

Idiotically enough, the data that the user expended 100GB of my bandwidth trying to get is freely available on the web. URouLette makes use of Open Directory Project data, sending visitors to random sites that its editors have marked as "cool."

Security · Publishing · Php · Mysql · Linux · 2005/04/06 · 3 COMMENTS · Link

Comments

Sounds like the wanker has a lot of time on his hands.

#1 · James · 2005/04/06

It doesn't take a lot of time to crash other people servers if you've got a new copy of 'PHP For Dummies' and no programming sense. I'd lean more towards stupidity than any grand time-intensive Plan.

#2 · Derek Dahlsad · 2005/04/07

8.3 million?

Sounds like a real "DOS" attack.

Get it?

Sorry...

#3 · Joe · 2005/04/08

Add a Comment

All comments are moderated before publication. These HTML tags are permitted: <p>, <b>, <i>, <a>, and <blockquote>. This site is protected by reCAPTCHA (for which the Google Privacy Policy and Terms of Service apply).

Microsoft Bob icon

Rogers Cadenhead

Social Media

Mastodon

Mastodon

Subscriptions

Workbench RSS feed RSS Feed

Blogroll

Projects

Statistics

Line drawing of cowboy on horse

This blog has been published since Nov. 7, 1999 (a span of 8,937 days).

Thank you for visiting Workbench.

Drawing of an owl with glasses reading a book