• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

DOS attack & high load

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Firewalls // Intrusion Detection - External Security

View previous topic :: View next topic  
Author Message
gianniolo
Just Arrived
Just Arrived


Joined: 16 Jun 2007
Posts: 0


Offline

PostPosted: Sat Jun 16, 2007 3:18 pm    Post subject: DOS attack & high load Reply with quote

Hi everyone,

I've a LAMP webserver, with Apache 1.3 and PHP 4, MySQL 4 and Red Hat Enterprise 4 Update 5.
Assuming the website is www.example.com.

I receive about 20.000 unique users/day. Normally I have about 100 concurrent users and HTTP requests are like:


10.10.10.10 - - [16/Jun/2007:14:26:55 +0200] "GET / HTTP/1.1" 200 48711 "-" "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4 (Ubuntu-edgy)"
10.10.10.10 - - [16/Jun/2007:14:26:55 +0200] "GET /stylesheet.css HTTP/1.1" 200 8409 "http://www.example.com/" "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4 (Ubuntu-edgy)"
10.10.10.10 - - [16/Jun/2007:14:26:56 +0200] "GET /style2.css HTTP/1.1" 200 1026 "http://www.example.com/" "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4 (Ubuntu-edgy)"
10.10.10.10 - - [16/Jun/2007:14:26:56 +0200] "GET /style3.css HTTP/1.1" 200 513 "http://www.example.com/" "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4 (Ubuntu-edgy)"
10.10.10.10 - - [16/Jun/2007:14:26:56 +0200] "GET /images/logo2.gif HTTP/1.1" 200 4434 "http://www.example.com/" "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4 (Ubuntu-edgy)"
10.10.10.10 - - [16/Jun/2007:14:26:56 +0200] "GET /images/prova.gif HTTP/1.1" 200 1831 "http://www.example.com/" "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4 (Ubuntu-edgy)"
10.10.10.10 - - [16/Jun/2007:14:26:56 +0200] "GET /images/spacer2.gif HTTP/1.1" 200 43 "http://www.example.com/" "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4 (Ubuntu-edgy)"
10.10.10.10 - - [16/Jun/2007:14:26:57 +0200] "GET /userimgs/first.jpg HTTP/1.1" 200 21253 "http://www.example.com/" "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4 (Ubuntu-edgy)"
10.10.10.10 - - [16/Jun/2007:14:26:57 +0200] "GET /images/second.gif HTTP/1.1" 200 607 "http://www.example.com/" "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4 (Ubuntu-edgy)"
10.10.10.10 - - [16/Jun/2007:14:26:57 +0200] "GET /images/third.gif HTTP/1.1" 200 197 "http://www.example.com/" "Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4 (Ubuntu-edgy)"




The system load is 2.00 average (I know, it's high). The problem is the following. Sometimes I receive HTTP requests like this:

10.10.10.10 - - [15/Jun/2007:23:14:00 +0200] "GET /page.php?id=1 HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php?id=2 HTTP/1.1" 200 16174 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php?id=3 HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php?id=4 HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php?id=5 HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php?id=6 HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php?id=7 HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php?id=8 HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php?id=9 HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php?id=10 HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"


or this:

10.10.10.10 - - [15/Jun/2007:23:14:00 +0200] "GET /page.php HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:00 +0200] "GET /page.php HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php HTTP/1.1" 200 16174 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
10.10.10.10 - - [15/Jun/2007:23:14:01 +0200] "GET /page.php HTTP/1.1" 200 16176 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"


that are malicious crawling attempts (first case) or DOS attacks (second case).
In this cases my server load increase to 30-40 because every request is a query (or more than one because the PHP script query different tables) and I receive hundreds and hundreds of them.
How can I detect and prevent this?
I tried to use mod_evasive apache module, but it's based on request per second, so, for mod_evasive there isn't differences between a normal request (made up by a page and its resources like images, css, js, ecc) and a DOS attack (just page request) because the number of requests per second are the same (in my example the number of requests are 10).

Thanks to everyone and have a great weekend.

Gianni
[/code]
Back to top
View user's profile Send private message
rossonieri#1
Just Arrived
Just Arrived


Joined: 23 Jan 2007
Posts: 0


Offline

PostPosted: Mon Jun 18, 2007 3:54 pm    Post subject: Reply with quote

hi gianniolo,

i think its the time for you to get SNORT Smile
do the inline.

HTH.
[/url]
Back to top
View user's profile Send private message
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Firewalls // Intrusion Detection - External Security All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register