-1

Do requests like these look like a DDOS attack?

180.157.250.126 /9301451791bb460e8a5aec3e123884ba.jpg <<< match
180.157.250.126 /b29a2302afd6dfd918a2b7c3b6a05e31.jpg <<< match
183.199.78.159  /img/6445ae665386ca14406c1d8614d44b36.jpg <<< match
183.199.78.159  /d05e8990820ca4c62da2c02154bf7573.jpg <<< match
218.199.166.231 /cover/20190408/EdhmxRHDT_cover.jpg
120.84.247.19   /2019/04/08/707fc44cfdd64db9a98fb258a9156fd1.png <<< match
120.229.106.161 /dba2213c45576d6392a48a6d36c44af7.jpg <<< match
14.127.121.215  /cover/20190408/bTr7qsknE_cover.jpg
117.157.137.137 /cover/20190409/m1uqOsrjN_cover.jpg
117.157.137.137 /cover/20190409/gAF2uRaiJ_cover.jpg
171.223.171.152 /5bd3a6215e39050e07eb6411ef08e3b1.jpg <<< match
220.164.38.69   /6da51bd2d2dcb4abd32803d02ad4c008.jpg <<< match

I am blocking them automatically now by creating filters to match them, then banning the IP in iptables. There are around 50 new IPs every minute and I have blocked 17000 unique IPs so far.

To me it looks like the paths are automatically generated, usually 32 characters (like md5). The paths are non-existent, but I cannot be 100% sure they never were valid URLs. The target domain is parked/unused on my server.

All IPs seem to be from China.

adrianTNT
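The filter described in the question, as an added example that is not part of the original post: it counts requests whose file name is 32 hex characters plus an image extension, per source IP, and goes one step beyond the post by writing the offenders as a single ipset set instead of one iptables rule per address. The "<ip> <path>" input format, the threshold of 2 and the set name `hex32_block` are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Last path segment is exactly 32 hex characters plus an image extension,
# like the lines marked "<<< match" in the question.
HEX32_IMAGE = re.compile(r"/[0-9a-f]{32}\.(?:jpg|jpeg|png|gif)$", re.IGNORECASE)

# Lines copied from the question's listing; the last line is constructed
# to show that a malformed source field is never passed on to the firewall.
SAMPLE = """\
180.157.250.126 /9301451791bb460e8a5aec3e123884ba.jpg
180.157.250.126 /b29a2302afd6dfd918a2b7c3b6a05e31.jpg
183.199.78.159 /img/6445ae665386ca14406c1d8614d44b36.jpg
183.199.78.159 /d05e8990820ca4c62da2c02154bf7573.jpg
218.199.166.231 /cover/20190408/EdhmxRHDT_cover.jpg
120.84.247.19 /2019/04/08/707fc44cfdd64db9a98fb258a9156fd1.png
117.157.137.137 /cover/20190409/m1uqOsrjN_cover.jpg
bogus-host /00000000000000000000000000000000.jpg
"""

def count_matches(lines):
    """Count hex32 image requests per IPv4 source; skip malformed lines."""
    hits = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.IPv4Address(parts[0]))  # validate before use
        except ValueError:
            continue
        path = parts[1].split("?", 1)[0]  # ignore any query string
        if HEX32_IMAGE.search(path):
            hits[ip] += 1
    return hits

def ipset_restore(hits, threshold=2, set_name="hex32_block"):
    """Build `ipset restore` input for IPs with at least `threshold` matches."""
    out = [f"create {set_name} hash:ip -exist"]
    out += [f"add {set_name} {ip} -exist"
            for ip in sorted(hits) if hits[ip] >= threshold]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Load with:  ipset restore < file
    # One rule:   iptables -I INPUT -m set --match-set hex32_block src -j DROP
    print(ipset_restore(count_matches(SAMPLE.splitlines())), end="")
```

A threshold above 1 keeps a single request for a legitimately hashed file name from banning a visitor, and a hash-based set stays fast at the 17000 addresses mentioned above, where a rule per IP is checked linearly.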

1 Answer

0

If you were under a major DDOS attack, your system would be unresponsive. I run a server at home and I have tons of requests like this; it's just bots looking for servers to exploit, or maybe just web crawlers, depending on what was previously hosted at that location.

Bob Dole
  • Server was unresponsive (until I started banning IPs), Apache replying with delays, MySQL showing too many connections, etc. – adrianTNT Apr 08 '19 at 19:28
  • Can you look back on your logs and see if these pages have always been requesting these pages even before the server became unresponsive? Maybe it is a DDOS attack but it's hard to say for sure without knowing what the server previously was and if these would have been valid requests at one point. – Bob Dole Apr 08 '19 at 19:42
  • I did find maaaany hits to the same exact "random" URLs. It is strange because there is a .com domain that links to the same site name but with a .org extension. I need to look more into it. – adrianTNT Apr 08 '19 at 20:06