
We have been under attack for about 2 weeks now and did as much as we can to protect ourselves. mod_reqtimeout is doing the job now, but I am confused as to what it is that they are hitting.

I found this post, "Server under DDOS attack - How to find out IPs?", and ran

cut -f 2 -d '"' yourweblog.log|cut -f 2 -d ' '|sort|uniq -c|sort -nr|more

The result is strange:

548308 -
4517 /
31794 http://www.mysite.com/

What is this "-"?

Tailing the traffic log shows hundreds of

186.153.249.149 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-"
201.240.116.165 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-"
201.240.116.165 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-"
190.42.110.72 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-"
190.42.110.72 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-"
190.40.68.68 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-"
190.40.68.68 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-"
186.1.87.251 - - [12/Aug/2013:16:31:29 -0500] "-" 408 - "-" "-"
186.1.87.251 - - [12/Aug/2013:16:31:29 -0500] "-" 408 - "-" "-"
189.252.92.187 - - [12/Aug/2013:16:31:29 -0500] "-" 408 - "-" "-"
189.252.92.187 - - [12/Aug/2013:16:31:29 -0500] "-" 408 - "-" "-"

and 408 is mod_reqtimeout dropping them.

Any help is appreciated.

Benn

1 Answer

Do you have control of the server? If so and you have root privileges, I'd suggest going one layer below apache here and packet capture the interface looking for those IP addresses.

tcpdump -n -A -s0 -i <interface> host 186.153.249.149 or host 201.240.116.165...

Like so: How to get http requests details in a tcpdump?

You can also write to a pcap file with the -W flag (-W somefile.pcap) and then open it in Wireshark or another packet inspection program. At that level you should be able to see the HTTP request before it hits apache. Otherwise I would suggest pasting a sample section of your logs so that we may recommend the correct text filter one-liner; log formats vary based on configuration.

tcpdump has many options and has a hard learning curve, but it's very powerful. You can get a stream of the requested URLs as they hit the server before they are handed over to apache.

inetplumber
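As an added, defender-side example (not code from the question or the answer above): a small Python script that parses Apache combined-format lines like the ones in the question, separates the "-" 408 entries from served requests, and builds the host filter expression the answer suggests passing to tcpdump. The "-" in the request field means Apache closed the connection (here via the mod_reqtimeout 408) before a complete request line ever arrived, so there is no URL to log; the cut pipeline in the question then counts those lines under "-" because there is no second space-separated field to extract. The log lines below are constructed after the sample in the question; the 203.0.113.7 entries and their requests are invented to show the contrast with normal traffic.

```python
import re
from collections import Counter

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample, modelled on the lines in the question (not real traffic).
SAMPLE_LOG = """\
186.153.249.149 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-"
201.240.116.165 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-"
201.240.116.165 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-"
190.42.110.72 - - [12/Aug/2013:16:31:28 -0500] "-" 408 - "-" "-"
203.0.113.7 - - [12/Aug/2013:16:31:29 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2013:16:31:30 -0500] "GET /about HTTP/1.1" 200 2048 "http://www.mysite.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_path(entry):
    """Path from the request line; '-' when Apache logged no request line at all."""
    if entry["request"] == "-":
        return "-"
    parts = entry["request"].split()
    # "GET /about HTTP/1.1" -> "/about"; fall back to the raw field if malformed
    return parts[1] if len(parts) >= 2 else entry["request"]


def summarize(log_text):
    """Count requested paths, and split client IPs into timed-out vs. served."""
    paths = Counter()
    timed_out = Counter()  # connection closed by the 408 before a request line arrived
    served = Counter()     # at least one real request line was read
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        paths[request_path(e)] += 1
        if e["request"] == "-" and e["status"] == "408":
            timed_out[e["ip"]] += 1
        else:
            served[e["ip"]] += 1
    return {"paths": paths, "timed_out": timed_out, "served": served}


def bpf_host_filter(ip_counts, limit=10):
    """Build the 'host A or host B ...' expression for tcpdump from the most frequent IPs."""
    top = [ip for ip, _ in ip_counts.most_common(limit)]
    return " or ".join(f"host {ip}" for ip in top)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("paths:", dict(s["paths"]))
    print("timed out (408, no request line):", dict(s["timed_out"]))
    print("served:", dict(s["served"]))
    # Assumed invocation; the interface name is a placeholder to fill in.
    print("tcpdump -n -A -s0 -i <interface>", bpf_host_filter(s["timed_out"], limit=3))
```

Run it against a real access log with `summarize(open("access.log").read())`; the "timed_out" counter is the list of addresses worth capturing at the packet level, and a large "-" count in "paths" next to a small number of real paths is the signature of connections that never finish sending a request rather than of any particular URL being hit.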