1

We are under attack since about 2 weeks now and did as much as we can to protect oursefs. mod_reqtimeout is doing the job now but I am confused as what is it that they are hiting

I found this post Server under DDOS attack - How to find out IPs? and ran 

cut -f 2 -d '"' yourweblog.log|cut -f 2 -d ' '|sort|uniq -c|sort -nr|more

the result is strange 

548308 - 4517 / 31794 http://www.mysite.com/

what is this - ?

Traffic tail shows hundreds of 

186.153.249.149 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-" 201.240.116.165 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-" 201.240.116.165 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-" 190.42.110.72 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-" 190.42.110.72 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-" 190.40.68.68 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-" 190.40.68.68 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-" 186.1.87.251 - - [12/Aug/2013:16:31:29 -0500] "-" 408 - "-" "-" 186.1.87.251 - - [12/Aug/2013:16:31:29 -0500] "-" 408 - "-" "-" 189.252.92.187 - - [12/Aug/2013:16:31:29 -0500] "-" 408 - "-" "-" 189.252.92.187 - - [12/Aug/2013:16:31:29 -0500] "-" 408 - "-" "-"

and 408 is mod_reqtimeout dropping them

any help is appreciated

Improve this question
3
  • The format of your cut command is incorrect for your log-format. You'll get better results with cut -f 1 -d ' ' as the first field is the IP address you're looking for. Commented Aug 12, 2013 at 21:52
  • 122 68.34.120.177 - - [12/Aug/2013:10:08:08 -0500]... example of cut -f 1 Commented Aug 12, 2013 at 21:57
  • You're missing the -d ' ' bit. Commented Aug 13, 2013 at 2:27

1 Answer 1

Reset to default
0

Do you have control of the server? If so and you have root privileges, I'd suggest going one layer below apache here and packet capture the interface looking for those IP addresses.

tcpdump -n -A -s0 -i <interface> host 186.153.249.149 or host 201.240.116.165...

Like so How to get http requests details in a tcpdump?

You can also write to a pcap file with -W somefile.pcap with the -W flag and then open it in wireshark or another packet inspection program. At that level you should be able to see the HTTP Request before it hits apache. Otherwise I would suggest pasting a sample section of your logs so that we may recommend the correct text filter one-liner. And log formats vary based on configuration.

tcpdump has many options and has a hard learning curve, but it's very powerful. You can get a stream of the requested URLs as they hit the server before they are handed over to apache.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.