The IP is hidden in the Apache log for privacy, except the last octet. /billing is our application's start page. But it doesn't make sense that it sends POST requests and gets a 500 response.

Or maybe this is a legitimate old IE 7 browser that can't handle our site and gets stuck in a loop?

There are about 20000 such requests.

xx.xx.xx.223 - - [30/May/2014:13:40:54 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:54 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:54 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:54 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:55 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:55 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:56 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:56 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:56 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:56 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:58 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:58 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:58 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:59 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
Abhijeet Kasurde
gilbertasm
    there is insufficient information here to tell what this is - other than something is being posted to the page that is resulting in an error being thrown. it's not a browser that can't handle your site. it's something (possibly a browser) posting to your site causing a server error. – bkr May 31 '14 at 02:25
  • Saying there are 20,000 from that IP without a timeframe is uninformative. What does `netstat` say about the number of simultaneous open connections from that IP? I'd use `tcpdump` (or `tshark`) to watch what that IP is doing. – Mark Wagner May 31 '14 at 02:36
  • My guess is a spam bot. Lots of them choose to use very old user agents and post spam as fast as a single thread will allow. I still see IE 5.5 on spam bots. The `tcpdump`/`tshark` output will make this obvious. – Ladadadada May 31 '14 at 06:46

2 Answers

This does not appear to be a slowloris attack, at least not based on the log file you've posted (3 requests per second is not much, and they're erroring out, not being held open).
It may be something else though - Check your error log for more information on WHY the requests are failing.

As others have pointed out, we can't definitively rule out slowloris without more information (specifically, netstat output showing how many simultaneous connections your system has from the subject IP(s)).
A large number of simultaneous connections (and/or the error log showing that the connections timed out rather than erroring out for some other reason) would indicate that this is in fact a slowloris attack.


This is a Slow Loris:
[image: Adorable Sloth]
It has no relevance to my answer - I just wanted an excuse to post a cute sloth picture.

voretaq7

I find it useful to use a LogFormat including %D. That will tell you how many microseconds processing the request took. It won't tell you if the time was spent on server side processing or waiting for the client. But at least it will tell you which requests took a long time, and those are usually worth investigating.

kasperd
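As an added example that is not part of the question or of either answer, the following Python script does the two pieces of log triage discussed on this page: it measures how many requests per second a single client is actually sending (the rate voretaq7 estimates from the posted lines) and how many POSTs from it ended in a 5xx, and it reads the `%D` field kasperd recommends so the slowest requests can be listed. It assumes the Apache `combined` LogFormat with an optional trailing `%D` field (a LogFormat named `combined_d` here, which is my name, not an Apache default). The sample input is constructed: the fourteen `xx.xx.xx.223` lines are the ones from the question, and the two `10.0.0.5` lines with a duration field are made up to show the `%D` handling.

```python
"""Apache access-log triage: per-client request rate, 5xx bursts, slow requests.

Assumed log layout (the `combined` format plus %D in microseconds), e.g.:
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined_d
Lines without the trailing %D field are parsed too; their duration is None.
"""
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# `combined` format followed by an optional integer field holding %D.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<usec>\d+))?\s*$'
)

# Constructed sample: the question's lines (xx.xx.xx.223) plus two made-up
# lines from 10.0.0.5 that carry a %D value.
UA = ('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; '
      '.NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; '
      '.NET CLR 3.5.30729; MSOffice 12)')
_TIMES = ['13:40:54'] * 4 + ['13:40:55'] * 2 + ['13:40:56'] * 4 + ['13:40:58'] * 3 + ['13:40:59']
SAMPLE_LINES = [
    f'xx.xx.xx.223 - - [30/May/2014:{t} +0200] "POST /billing HTTP/1.1" 500 613 "-" "{UA}"'
    for t in _TIMES
] + [
    f'10.0.0.5 - - [30/May/2014:13:40:55 +0200] "GET /billing HTTP/1.1" 200 4821 "-" "{UA}" 38120',
    f'10.0.0.5 - - [30/May/2014:13:40:57 +0200] "POST /billing HTTP/1.1" 500 613 "-" "{UA}" 9210455',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    rec['usec'] = int(rec['usec']) if rec['usec'] is not None else None
    return rec


def per_second_peak(records):
    """Highest number of requests any single client sent within one second."""
    per_sec = Counter((r['ip'], r['ts']) for r in records)
    peak = {}
    for (ip, _), n in per_sec.items():
        peak[ip] = max(peak.get(ip, 0), n)
    return peak


def error_bursts(records, status_min=500, threshold=10):
    """Clients with at least `threshold` POSTs answered with status >= status_min.

    Returns {ip: {'count', 'first', 'last', 'rate'}}; rate is requests per
    second over the span between the client's first and last such request.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r['method'] == 'POST' and r['status'] >= status_min:
            by_ip[r['ip']].append(r['ts'])
    out = {}
    for ip, stamps in by_ip.items():
        if len(stamps) < threshold:
            continue
        first, last = min(stamps), max(stamps)
        span = max(1.0, (last - first).total_seconds())
        out[ip] = {'count': len(stamps), 'first': first, 'last': last,
                   'rate': len(stamps) / span}
    return out


def slowest(records, n=3):
    """The n requests with the largest %D value; lines without %D are ignored."""
    timed = [r for r in records if r['usec'] is not None]
    return sorted(timed, key=lambda r: r['usec'], reverse=True)[:n]


def analyze(lines):
    """Run all three checks over an iterable of raw log lines."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return {'parsed': len(records), 'peak': per_second_peak(records),
            'bursts': error_bursts(records), 'slowest': slowest(records)}


if __name__ == '__main__':
    # Usage: python3 log_triage.py [access_log]; without a path, the sample runs.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    result = analyze(lines)
    print(f"parsed {result['parsed']} lines; peak requests/second per client: {result['peak']}")
    for ip, b in result['bursts'].items():
        print(f"{ip}: {b['count']} failed POSTs, {b['rate']:.1f}/s between {b['first']} and {b['last']}")
    for r in result['slowest']:
        print(f"slow: {r['ip']} {r['method']} {r['path']} {r['status']} {r['usec'] / 1e6:.2f}s")
```

On the question's lines this reports a peak of 4 requests in one second and 14 failed POSTs over 5 seconds (2.8/s), which is the "not much" rate voretaq7 describes. As kasperd notes, `%D` covers the whole request lifetime, so a large value cannot by itself distinguish slow server-side processing from a client that dribbled its request; the error log and a `netstat` count of open connections from the same client are still needed for that.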