Bandwidth DDOS Attack
Sunday (Nov. 4th), while reviewing the stats for Salem-News, I noticed the kilobytes of traffic for the day had more than doubled without a corresponding doubling of the page views.
An investigation began into what could be causing this to happen. Some possible reasons that came to mind:
- Large image files used in heavy hitting stories
- Heavy spider / bot traffic
- Corrupted log file / analyzer
It ended up being what I believe to be a large-scale, bandwidth-sapping DDOS.
The log files looked normal with visits up, so I wrote it off as paranoia. But by Monday I knew something was up: the bandwidth for the day was five times that of Sunday, with only a 10% increase in other visitors and page views.
A heavy review of the log files showed lots of traffic with variations of the following User-Agents: "Java/1.6.0_03", "Java/1.6.0_02", "Java/1.5.0_06", "Java/1.5.0_02", "Java/1.5.0_07", and about 30 other variations of these.
Searching through forums and blogs turned up nothing but information on spam harvesters. But all of the hits I was seeing were for the same small set of images, coming from an unbelievable number of IP addresses, all of them hitting on a slow but regular basis.
I tried robots.txt, but within a few hours noticed, if anything, an increase in the traffic.
I tried to find a pattern to these IPs, but they were global, and none that I tested was another web server, leading me to believe a large group of zombie PCs are loaded with DDOS software and a controller somewhere had sent them a list of images to download. None of the IPs showed up as ever visiting anywhere else on the site, only the small set of images.
So then I began to look for a way to stop them. Because the IPs were too varied to firewall, that was not an option. While the user agent was varied, it was quite possible to block them with two additional lines in my rewrite rules:
RewriteCond %{HTTP_USER_AGENT} ^Java/1.*
RewriteRule ^.* - [F,L]
Another option would have been the SetEnvIfNoCase User-Agent ^$ bad_bot approach, but the rewrite way worked.
Fight Blog Spam with Apache
Now, about 8 hours later, the hit count continues at about the same rate, but they are just receiving a 403 Forbidden instead of a 100k image on each request.
I pulled all of the hits from Apache's log files for later analysis:
cat access_log | grep Java >> DDOS.1107.log
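As an added example (not code from the original post), the Python script below does offline what the post describes doing by hand: it parses Apache combined-format log lines, profiles traffic per User-Agent family, flags a family that is spread across many client IPs, fetches only a handful of URLs and accounts for most of the bytes served, and then estimates how many requests and bytes the post's `^Java/1.*` rewrite block would have turned into 403s. The log lines, IP addresses, paths and byte counts are constructed, and the flagging thresholds are assumptions, not anything the post states.

```python
"""Profile Apache combined-log traffic by User-Agent family and estimate the
effect of blocking agents matching ^Java/1.* (added example; sample data is
constructed)."""
import re
from collections import defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same pattern as the post's RewriteCond; anchored at the start of the header
# value, so Java/1.5.x and Java/1.6.x clients match and browsers do not.
JAVA_UA_RE = re.compile(r'^Java/1.*')

# Constructed sample: two browser visitors, one crawler, five "Java/1.x" hits
# from five different IPs against only two image URLs, and one junk line.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2007:08:01:10 -0800] "GET /index.php HTTP/1.1" 200 18432 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.9"
10.0.0.5 - - [05/Nov/2007:08:01:11 -0800] "GET /images/logo.gif HTTP/1.1" 200 4210 "http://example.invalid/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.9"
192.0.2.17 - - [05/Nov/2007:08:01:12 -0800] "GET /images/story1.jpg HTTP/1.1" 200 102400 "-" "Java/1.6.0_03"
198.51.100.42 - - [05/Nov/2007:08:01:13 -0800] "GET /images/story1.jpg HTTP/1.1" 200 102400 "-" "Java/1.5.0_06"
203.0.113.9 - - [05/Nov/2007:08:01:14 -0800] "GET /images/story2.jpg HTTP/1.1" 200 98304 "-" "Java/1.6.0_02"
192.0.2.88 - - [05/Nov/2007:08:01:15 -0800] "GET /images/story2.jpg HTTP/1.1" 200 98304 "-" "Java/1.5.0_07"
10.0.0.6 - - [05/Nov/2007:08:01:16 -0800] "GET /story/123 HTTP/1.1" 200 22000 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [05/Nov/2007:08:01:17 -0800] "GET /images/story1.jpg HTTP/1.1" 200 102400 "-" "Java/1.5.0_02"
10.0.0.7 - - [05/Nov/2007:08:01:18 -0800] "GET /story/123 HTTP/1.1" 200 22000 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.9"
this line is not in combined log format and is skipped by the parser
"""


def parse_log(text):
    """Yield one dict per well-formed combined-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
            yield rec


def ua_family(ua):
    """Collapse Java/1.6.0_03, Java/1.5.0_07, ... into one 'Java/1.x' bucket;
    every other agent is keyed by its first token (e.g. 'Mozilla/5.0')."""
    if JAVA_UA_RE.match(ua):
        return "Java/1.x"
    return ua.split()[0] if ua.strip() else "(empty)"


def profile(records):
    """Per UA family: request count, distinct client IPs, distinct paths,
    bytes served and that family's share of all bytes."""
    acc = defaultdict(lambda: {"requests": 0, "ips": set(), "paths": set(), "bytes": 0})
    total_bytes = 0
    for r in records:
        s = acc[ua_family(r["ua"])]
        s["requests"] += 1
        s["ips"].add(r["ip"])
        s["paths"].add(r["path"])
        s["bytes"] += r["bytes"]
        total_bytes += r["bytes"]
    return {
        fam: {
            "requests": s["requests"],
            "distinct_ips": len(s["ips"]),
            "distinct_paths": len(s["paths"]),
            "bytes": s["bytes"],
            "bytes_share": (s["bytes"] / total_bytes) if total_bytes else 0.0,
        }
        for fam, s in acc.items()
    }


def flag_suspicious(prof, min_ips=3, max_paths=2, min_bytes_share=0.5):
    """Families that look like a bandwidth-draining botnet: many source IPs,
    only a few URLs requested, and a majority of all bytes served.
    The thresholds are assumptions chosen for the constructed sample."""
    return sorted(
        fam for fam, s in prof.items()
        if s["distinct_ips"] >= min_ips
        and s["distinct_paths"] <= max_paths
        and s["bytes_share"] >= min_bytes_share
    )


def apply_block(records, pattern=JAVA_UA_RE):
    """Simulate the post's RewriteRule: requests whose UA matches get a 403 and
    no image body. Returns (requests_forbidden, bytes_no_longer_served)."""
    forbidden = saved = 0
    for r in records:
        if pattern.match(r["ua"]):
            forbidden += 1
            saved += r["bytes"]
    return forbidden, saved


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    prof = profile(recs)
    for fam, s in sorted(prof.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{fam:14} req={s['requests']:2} ips={s['distinct_ips']:2} "
              f"paths={s['distinct_paths']:2} bytes={s['bytes']:7} share={s['bytes_share']:.0%}")
    print("suspicious families:", flag_suspicious(prof))
    forbidden, saved = apply_block(recs)
    print(f"blocking ^Java/1.* would 403 {forbidden} requests and stop serving {saved} bytes")
```

Two caveats worth keeping in mind when reusing this. First, a User-Agent block is only as good as the attacker's laziness: anything matching `^Java/1.*` is refused, which also covers any legitimate Java-based client (a feed reader, for example), so the profile above is the check that the blocked family really is only hitting the image set and nothing else. Second, the SetEnvIfNoCase variant as quoted in the post, with the pattern `^$`, matches only an empty User-Agent header; to catch these clients with that mechanism the pattern would need to be `^Java` together with a `Deny from env=bad_bot` rule.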
I wonder how many of these hits were from some unsuspecting person sitting at their PC, unaware their computer is under the control of someone somewhere far away.
Day two of defending against this has been posted: The Denial of Service Attack Continues

November 7th, 2007 at 6:10 pm
[…] more here […]
November 8th, 2007 at 10:23 pm
[…] On Monday November 5th I realized we were undergoing a Denial of Service attack aimed at draining bandwidth. I believe it started rather weak in October but I began to notice the Kilobytes of traffic had grown far higher than it should based on other traffic statistics. See: Day 1 Analyzing and adjusting on day two: Day Two […]
November 11th, 2007 at 7:17 am
Matt et al:
Great job, Matt!
Been expecting something like this ever since we began to be heavily “invaded” by some whose Comments indicated very deep and disturbing animus vs open dialog to which they could find no presentable responses.
Not being as sensitive to this as your high skills have made you via force of necessity, reaction was confined to Comment or notes to Tim, with some few indicators felt from previous sometimes painful similar encounters simply via printed-page experience…long but great story from days with Loeb on DAILY NEWS in Burlington, coming later.
This to express personal/professional appreciation for yr ongoing great work and, here, special skilled sensitivity “making all the difference”.
AND
To recommend and endorse Tim’s ongoing and very difficult efforts to keep Comment-standard “clean, dry and respectable”, either personal attack or diaper-reference.
yrfriendhankatlma
November 12th, 2007 at 1:14 pm
Hey Matt,
I am computer challenged but you did a “hellovajob.” Keep it up my friend.
Skipper