Kuro5hin.org: technology and culture, from the trenches
What to do if a Virus targets/DDoS's your web site?

By hulkster in Technology
Sat Oct 15, 2005 at 11:22:07 PM EST
Tags: Help! (Ask Kuro5hin)

For years, I've had browser info and geolocation script on my web server that was a quick Perl/CGI hack. So normally, this script gets about a thousand hits/day, but there was a ten-fold increase starting October 4th, 2005. It continues to increase and a week later, there were 74,886 hits (almost one/second) from 8,206 unique IP addresses - YIKES! Complete data (including raw Apache log data) can be seen here.


Looking at the Apache logs, all the "new surfers" are showing up without a Referer or User-Agent ... the latter is unusual because while it can be spoofed, it's rarely done. My guess is that some virus (or program) is propagating out there in the "wild" and querying my web site for some piece of information as part of the program itself. So what the heck is this, who/where did it come from, what is the intent, and why is it using my hack script?

I may never know the answers to the above, but what should I do about it? If it was hot-linking images, I could have some fun with mod_rewrite and return something else - from past experience, this is usually "successful" (!) in stopping the traffic - folks more nefarious than I will suggest Goatse. But I don't think the people at the querying hosts are even aware this is being done and I doubt they see directly whatever the data is being used for.

I already tweaked the script so that if there is no User-Agent, it returns data for IP address 10.10.10.10 (which is a private address per RFC1918) so that info isn't too interesting. Other options in the script itself would be doing a 301/302 redirect - heck, maybe I'll send 'em all to Microsoft.Com although the 127.0.0.1 loopback would be more appropriate. Or I could return a 403 Forbidden to those web browsers that don't send a User-Agent. More drastically, I could rename the script so a 404 Not Found is returned, although that breaks things for legit surfers.

But in all of these cases, these traffic requests would continue to come into my dinky 3.2 GHz Pentium Linux box. While it can handle the current rate (Apache2 and mod_perl ROCKS), I'm concerned if it continues to increase. Is there any way of getting this turned off and/or other suggestions from K5'ers?

What to do if a Virus targets/DDoS's your web site? | 47 comments (30 topical, 17 editorial, 0 hidden)
It's not a virus (2.40 / 5) (#5)
by HDwebdev on Thu Oct 13, 2005 at 01:01:47 PM EST

It's Norton Internet Security & related privacy programs that are blocking that information.

I noticed the problem a few weeks ago. A site I had been checking for updated images of 3d model skins suddenly started showing broken images in every browser I tried. That site has an anti-leech script running.

Looking at my privacy settings, I noticed that blocking referers was enabled although I had never changed or even noticed that setting.

Your increased traffic is most likely due to google recently bumping up your site ranking in different searches due to the several hundred pages that link directly that specific page.

yes, but... (none / 1) (#6)
by smegmatic on Thu Oct 13, 2005 at 01:19:28 PM EST

based on the volume, it probably is a virus. not that many people have norton internet security, and they wouldn't all activate it at the same time and attack his site.

[ Parent ]
smegmatic is correct (none / 1) (#10)
by hulkster on Thu Oct 13, 2005 at 03:33:20 PM EST

Yea, there's no other reason for a 10-fold increase in traffic. Plus as mentioned in the writeup, it's unusual for an http request to come in without a User-Agent, and all of these do ... so it's something coordinated.

[ Parent ]
never rule out all possibilities (3.00 / 2) (#21)
by HDwebdev on Thu Oct 13, 2005 at 10:07:14 PM EST

Yea, there's no other reason for a 10-fold increase in traffic.

I understand your belief, but that is not a good way to trouble-shoot without more information.

Sure, there can be an alternate explanation. I don't think the traffic has increased enough to warrant an "it can only be a virus" explanation.

As you mentioned in your write-up, it could possibly be a "legitimate" program that's leeching off of you. In that case, you know what to do: change your script to not feed information to those ip's and the program creator will have to find a new source.

Also, on which date did you switch to apache2? I see that you mention in an October update that you upgraded so if you did that on the 3rd or 4th, that could be a problem.

A virus it may well be indeed. But, I wouldn't assume it's the only possibility.

[ Parent ]
Never having had a website (none / 1) (#26)
by daani on Fri Oct 14, 2005 at 06:18:36 AM EST

I really wouldn't know.

But if it's a virus, there might be other patterns to indicate that. E.g. maybe you would get everyone on a corporate subnet hitting you on a single day or something. Or an IP might query you on a suspiciously regular basis, like every 48 hours.

Aside: I don't think you should forward dodgy requests to microsoft. You never know, that might come back and bite you :)

[ Parent ]
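A small log-triage script for the symptom in the write-up (hits arriving with neither Referer nor User-Agent) and for daani's suggestion of looking for sources that return on a fixed schedule. This is an added example in Python, not code from the original post or any commenter; the log lines are constructed and the /cgi-bin/geo.cgi path is a hypothetical stand-in for the OP's script.

```python
import re
from datetime import datetime

# Constructed Apache "combined" log lines (not the write-up's data); /cgi-bin/geo.cgi is hypothetical.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Oct/2005:10:00:01 -0400] "GET /cgi-bin/geo.cgi HTTP/1.0" 200 312 "-" "-"
203.0.113.42 - - [11/Oct/2005:10:00:02 -0400] "GET /cgi-bin/geo.cgi HTTP/1.0" 200 318 "-" "-"
192.0.2.10 - - [11/Oct/2005:10:00:03 -0400] "GET /cgi-bin/geo.cgi HTTP/1.1" 200 955 "http://example.com/a.html" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 - - [11/Oct/2005:10:00:05 -0400] "GET /cgi-bin/geo.cgi HTTP/1.0" 200 312 "-" "-"
192.0.2.11 - - [11/Oct/2005:10:00:06 -0400] "GET /cgi-bin/geo.cgi HTTP/1.1" 200 960 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [11/Oct/2005:10:00:09 -0400] "GET /cgi-bin/geo.cgi HTTP/1.0" 200 312 "-" "-"
192.0.2.10 - - [11/Oct/2005:10:00:10 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(log_text, path):
    """Yield parsed hits on `path`; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("path") == path:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield d

def is_headless(hit):  # the write-up's symptom: neither Referer nor User-Agent was sent
    return hit["referer"] == "-" and hit["ua"] == "-"

def triage(log_text, path):
    """Count headless hits on `path`, their distinct sources, and their rate over the window."""
    hits = list(parse_log(log_text, path))
    headless = [h for h in hits if is_headless(h)]
    stamps = [h["ts"] for h in headless]
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return {
        "total": len(hits),
        "headless": len(headless),
        "headless_unique_ips": len({h["ip"] for h in headless}),
        "headless_rate_per_s": len(headless) / max(span, 1.0),
    }

def regular_sources(log_text, path, min_hits=3, tolerance_s=1.0):
    """daani's check: IPs whose headless hits recur at a near-constant interval, which is
    how a timer-driven program behaves and people do not. Returns {ip: mean_interval_seconds}."""
    by_ip = {}
    for h in parse_log(log_text, path):
        if is_headless(h):
            by_ip.setdefault(h["ip"], []).append(h["ts"])
    found = {}
    for ip, stamps in by_ip.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            found[ip] = sum(gaps) / len(gaps)
    return found
```

On real logs the interesting numbers are the headless share of the total and the unique-IP count; a handful of regular sources points at a scheduled client, a flat spread over thousands of addresses at something that spreads on its own.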

ns (none / 1) (#35)
by Intelligentsia on Fri Oct 14, 2005 at 05:26:03 PM EST

and don't google's bots also come with a user agent string?

We need to prove that we can spread rumors just like the mainstream media.—waxmop


[ Parent ]
Ummm (2.00 / 4) (#8)
by some nerd on Thu Oct 13, 2005 at 03:12:02 PM EST

I assume there's some reason why you can't just rename it, thus denying malicious access whilst retaining functionality for everyone?

You'd still have the requests coming in, of course. I can't see any way around that short of some sort of trivial HTTP proxy or upstream filter to automatically dump the bad requests instead.

--
Home Sweet Home

If I rename it, I have to change all references (none / 1) (#11)
by hulkster on Thu Oct 13, 2005 at 03:46:38 PM EST

I have a number of pages on my web site that refer to this URL, so if I rename it, then all of those "break" ... so I'm reluctant to do that solution. And yea, the requests still come in, but they would get a quick 404 rather than hammering the web server ... I doubt my ISP would want to add upstream filters since I'm just a dinky little web site and in their big picture of things, the traffic isn't that much ... YET!

[ Parent ]
Use a client-side redirect (none / 0) (#45)
by PigleT on Mon Oct 17, 2005 at 07:03:23 AM EST

Rename the page, and put an old one in place that uses a meta-header to implement a quick redirect.

If there's a bot slamming the original URL, the chances are it won't follow the link. If it's real people and browsers, they won't be unduly penalized for it.

Bonus points: make the replacement-old page issue a cookie and check for its existence in the new page.

This way, DDoS is limited to serving a cheap page (nothing but HTML or PHP for the cookie) and a cookie-existence-check in the resource-heavy script.
~Tim -- We stood in the moonlight and the river flowed
[ Parent ]
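The policy PigleT describes (a cheap page at the old URL that sets a cookie and redirects, and a renamed script that only does work when that cookie is present), combined with the 403-on-missing-User-Agent option from the write-up, as a small WSGI app. This is an added Python example, not PigleT's code and not the OP's Perl script; the two script paths and the cookie name are assumptions.

```python
from http.cookies import SimpleCookie
import secrets

OLD_PATH = "/cgi-bin/geo.cgi"      # the URL the bots keep hitting (hypothetical name)
NEW_PATH = "/cgi-bin/geo-v2.cgi"   # where the real script now lives (hypothetical name)
COOKIE = "geo_ok"

# Static HTML only: a meta refresh plus a plain link, so no CGI or mod_perl work is done here.
CHEAP_PAGE = (
    '<html><head><meta http-equiv="refresh" content="0;url=%s"></head>'
    '<body><a href="%s">Continue</a></body></html>' % (NEW_PATH, NEW_PATH)
).encode()

def _has_cookie(environ):
    return COOKIE in SimpleCookie(environ.get("HTTP_COOKIE", ""))

def app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    # 1. The write-up's option: refuse requests that send no User-Agent at all.
    if not environ.get("HTTP_USER_AGENT"):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden\n"]
    # 2. PigleT's cheap page at the old URL: hand out a cookie and bounce to the new URL.
    if path == OLD_PATH:
        token = secrets.token_hex(8)
        start_response("200 OK", [
            ("Content-Type", "text/html"),
            ("Set-Cookie", "%s=%s; Path=/; HttpOnly" % (COOKIE, token)),
        ])
        return [CHEAP_PAGE]
    # 3. The renamed script only runs when the cookie from step 2 came back with the request.
    if path == NEW_PATH:
        if not _has_cookie(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Missing cookie; start at %s\n" % OLD_PATH.encode()]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [("Your IP: %s\n" % environ.get("REMOTE_ADDR", "?")).encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"Not Found\n"]

def call(environ):
    """Invoke the app the way a WSGI server would; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Any client that stores and replays cookies passes the gate, so this diverts only traffic that cannot or does not follow the redirect; it is a cost filter for the heavy script, not authentication.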

Don't respond (2.85 / 7) (#13)
by StephenThompson on Thu Oct 13, 2005 at 04:40:26 PM EST

If you get a request that has no user-agent, why respond at all? Don't respond, force them to time-out; eventually they may detect you are offline and stop. If this is a ddos, it's not a very good one, since the number of requests isn't so high. It could just be someone mistyped an IP address someplace and is accidentally forwarding requests to you. Not responding at all will also help in this case since it might cause them to notice the error. Also, those logs are pretty crappy. Capture the raw packets instead, usually you can find more useful information that isn't being parsed.

Second that (none / 1) (#16)
by rusty on Thu Oct 13, 2005 at 05:51:21 PM EST

Before, pretty much all the traffic has a user-agent. Now hardly any of it does. It's safe to drop those requests, or fail to respond to them.

____
Not the real rusty
[ Parent ]
You have too many "quotation" marks (2.00 / 6) (#18)
by The Vast Right Wing Conspiracy on Thu Oct 13, 2005 at 08:42:05 PM EST

And learn how to use apostrophe's you asshat.
(ror)

___
I'm a pompous windbag, I take myself far too seriously, and I single-handedly messed up K5 by causing the fiction section to be created. --localroger

Strunk and White (none / 0) (#42)
by xmnemonic on Sun Oct 16, 2005 at 05:57:56 PM EST

Colloquialisms. If you use a colloquialism or a slang word or phrase, simply use it; do not draw attention to it by enclosing it in quotation marks. To do so is to put on airs, as though you were inviting the reader to join you in a select society of those who know better.


[ Parent ]
So (2.14 / 7) (#19)
by Hung Fu on Thu Oct 13, 2005 at 08:48:31 PM EST

what is this virus doing that it needs to know the country it's in? Is it a racist virus?

__
From Israel To Lebanon
referers.. (3.00 / 4) (#22)
by irrefutable on Thu Oct 13, 2005 at 10:32:39 PM EST

I've bookmarked your site; when I go there, it says that there is no referer...
So, perhaps people are using your site to determine their IP number (people with dynamic IPs). That's why I went there.

Various methods (2.57 / 7) (#24)
by jd on Fri Oct 14, 2005 at 12:29:28 AM EST

It depends on how thorough you want to be, how much time you want to spend and how skilled you are at low-level operations.

  • Very simple, quick, easy solution:
    1. In your Apache configuration file, add the line: xbithack on
    2. Have your initial page an ordinary .HTML file, but make it executable (this is important).
    3. Using Apache's Server-Side Includes, have the proper contents of the page conditional on there being a non-null User Agent. If the User Agent is null, then have it display a different page (telling the user their browser is messed up) or a line that redirects the browser to 127.0.0.1
  • Slightly more complex solution:
    1. If it's a hostile, then the chances are they're not using a language setting either. Enable multiviews in the Apache configuration file.
    2. Modify Apache's configuration to set the extension if NO language is found to something like .bogus
    3. Rename all HTML files to have a .en extension, then symlink to the other languages. Not sure if CGI has multiview support, you'll need to check that.
    4. Anyone with no language set will try to load a .bogus file, which doesn't exist and so will return an error.
  • Kernel Hacker's Approach I
    1. Install the Layer 7 packet filters.
    2. Set up a firewall that uses the Layer 7 filters to exclude HTTP packets that do not have user agent information
  • Kernel Hacker's Approach II
    1. The big problem is bandwidth usage. Attach CBQ queueing discipline to your ethernet device, then create two classes - one for web traffic and one for everything else. The "everything else" queue should be able to steal bandwidth from the web traffic.
    2. You want to make sure that everyone gets a fair chance at accessing the web server, so you'd use SFQ (which is supplied with Linux) or WFQ (which is downloadable elsewhere) as a leaf discipline to prevent any one user from blocking the network.

If you think it's someone trying to break in by using known attacks against Apache, then you may want to install Roxen which is at least as secure and may even be faster than Apache 2.0 in some cases.

Dinky? (1.55 / 9) (#25)
by The Vast Right Wing Conspiracy on Fri Oct 14, 2005 at 01:09:08 AM EST

If your 3.2GHz P4 can't handle 1 connection per second, you fucked up bad.

PS, learn to use mod_rewrite.

___
I'm a pompous windbag, I take myself far too seriously, and I single-handedly messed up K5 by causing the fiction section to be created. --localroger

Yea, but what if it increases ... (3.00 / 2) (#30)
by hulkster on Fri Oct 14, 2005 at 10:45:10 AM EST

I just added a sentence to clarify this, but yea, one/second is annoying, but with Apache2 and mod_perl, the server can handle that load. But it has increased almost two orders of magnitude - if it does that again, it's going to get "interesting"

I allude in the writeup to mod_rewrite which I'm fairly familiar with - that's certainly a way to redirect/drop these type of requests.

[ Parent ]

Don't be rude, jackass. (1.50 / 4) (#31)
by sudog on Fri Oct 14, 2005 at 12:42:19 PM EST



[ Parent ]
Suck my balls. (1.12 / 8) (#37)
by The Vast Right Wing Conspiracy on Sat Oct 15, 2005 at 12:21:39 AM EST



___
I'm a pompous windbag, I take myself far too seriously, and I single-handedly messed up K5 by causing the fiction section to be created. --localroger

[ Parent ]
hostip is none too accurate (2.00 / 2) (#28)
by gordonjcp on Fri Oct 14, 2005 at 07:32:27 AM EST

It says I'm in Greenock, which is a biggish town about 35 miles south (by road). I'm in Glasgow, which is the largest city in Scotland. As far as I know, the head end for nthell isn't even in Greenock, it's across the river in Renfrew.

Give a man a fish, and he'll eat for a day. Teach a man to fish, and he'll bore you rigid with fishing stories for the rest of your life.


Not too bad (none / 0) (#44)
by Fred_A on Sun Oct 16, 2005 at 11:22:11 PM EST

At least it got the country right, ip_to_country.pl placed me in the US (and I don't use AOL)...

hostip got the city wrong for me as well (never heard of the one that popped up), but then it works with class C blocks. ISPs could well use addresses from the same /24 block for subscribers spread over a fairly wide area nowadays.

Fred in Paris
[ Parent ]

Kids These Days! (1.33 / 6) (#33)
by MichaelCrawford on Fri Oct 14, 2005 at 03:37:06 PM EST

You wrote:

my dinky 3.2 GHz Pentium Linux box.

Back in my day, when I learned to write my first GUI applications on a used Mac Plus (used because that's all my roommate and I could afford by going in on it together), I had to settle for a 6 MHz 68000 Mac OS System 5 box.

Thank your lucky stars you have such a dinky machine. At least you have a hard drive. All I could afford was an external floppy drive.


--

Live your fucking life. Sue someone on the Internet. Write a fucking music player. Like the great man Michael David Crawford has shown us all: Hard work, a strong will to stalk, and a few fries short of a happy meal goes a long way. -- bride of spidy


Well of course you are free... (none / 1) (#46)
by satyr on Mon Oct 17, 2005 at 07:16:19 PM EST

...to share this with us, but it surely isn't related at all to the OP's problem !!

regards, satyr

SIGNATURE:

________________

Male, relatively young and relatively well-preserved. :) I see myself as an open-minded person, a critical thinker, rationalist and skeptic.
[ Parent ]
The Virus Probably Doesn't Validate Its Input (2.25 / 4) (#34)
by MichaelCrawford on Fri Oct 14, 2005 at 03:40:30 PM EST

I bet the chances are pretty good that the virus itself has a buffer overflow vulnerability on the data your server returns to it. Maybe if you can get a sample of the virus, you can figure out how to smash its stack in such a way as to display a message box that says "Your Computer is Infected with the (whatever) Virus" each time it queries your server.

Alternatively, you could have the virus download the Debian net install, reformat their hard drive, and install an operating system that's more resistant to viruses.


--

Live your fucking life. Sue someone on the Internet. Write a fucking music player. Like the great man Michael David Crawford has shown us all: Hard work, a strong will to stalk, and a few fries short of a happy meal goes a long way. -- bride of spidy


WTF is still using DOS? (1.16 / 6) (#36)
by Chewbacca Uncircumsized on Fri Oct 14, 2005 at 10:58:58 PM EST

$$$$$$$$$$$

Most probably... (1.83 / 6) (#40)
by n0mj121 on Sun Oct 16, 2005 at 06:58:09 AM EST

you wrote the virus yourself, in a Fight Club style schizophrenic 'I am someone else while I sleep' episode, and when you finally figure out why it is hitting your script, you'll know the answer to the Ultimate Question. And ascend to the next layer of reality.

You didn't really explain your architecture... (none / 0) (#41)
by skyknight on Sun Oct 16, 2005 at 08:56:12 AM EST

Is this intended to be a publicly accessible resource, or something that you can control in some meaningful way? Are your "legit surfers" well known, such that you could employ firewall rules or some kind of user identification and authentication? Explain your use cases more thoroughly and I might have some more concrete suggestions. Of course, if your answer is "I want anyone to be able to access it without having to present credentials", then you're mostly out of luck. In that case, the only thing you could really do is to impose some kind of rate limiting scheme, though if the requests coming into your site are from completely random networks then you aren't going to find much help from this idea.

It's not much fun at the top. I envy the common people, their hearty meals and Bruce Springsteen and voting. --SIGNOR SPAGHETTI
You must check out this picture (none / 0) (#43)
by freality on Sun Oct 16, 2005 at 10:22:53 PM EST

It's what inbound traffic routes to a site look like during a massive DDOS: http://www.prolexic.com/zr/zombiereportq12.edit.png Go to the directory of the image for description. About what to do: use a bloom filter (check for it on wikipedia or in squid cache documentation) to efficiently maintain a membership set of IPs for offending hosts and send ICMP reject messages, with the hopes the upstream admin from their system will see their traffic and cut their connection. or reverse-infect the hosts using the same 'sploit that got them coming to you and send a message back to the originator before cleaning the hosts up with a microsoft update patch. hahah. that'd be great.

Has 2 be a way. (none / 0) (#47)
by RickJamez on Thu Apr 27, 2006 at 11:02:19 PM EST

Well, if it's hosted at ThePlanet or one of the bigger data networks they can quickly filter it or change some DNS settings... I'm sure there's a way.