Webmasters Blog - Salem-News.com - Matts Design Blog Salem-News.com

The Denial of Service Attack Continues

Yesterday I noticed that Salem-News.com was under a Distributed Denial of Service (DDOS) attack that seemed to be aimed at using up bandwidth: at its highest rate it was no more than 60 requests per minute, and it averaged less than 30 per minute, all aimed at images. See: Bandwidth DDOS Attack.

After stopping the bandwidth waste with mod_rewrite, it was time to pore through the log files to try to get more information on how this was happening.

This morning, Wednesday November 7th, the hits from the bots were about the same even though they had been receiving 403 Forbidden pages for more than 12 hours.

Rarely did a single bot hit more than 4 or 5 times an hour, which I’m assuming is on purpose, to keep the owners of the infected PCs from noticing and actually doing anything to keep their machines free of viruses and trojans.

I noticed, however, that they had added new images to the list of files being downloaded. This meant that something other than the bots doing the downloading was selecting the images on their behalf.

I had uploaded a set of images for the comic Nota Bene and noticed that within 20 minutes one of them was in the rotation of images being downloaded. For these bots to have the address of this image, someone, or some other bot without a Java/1.(various) user agent, must have visited within 20 minutes of the image being uploaded.

(Image uploaded at about 8:05; IP addresses not shown for privacy reasons.)

cat /var/log/httpd/access_log | grep nota_bene-67.jpg
***.**.**.*** - - [07/Nov/2007:08:18:05 -0800] "GET /stimg/november072007/nota_bene-67.jpg HTTP/1.1" 200 23919 "-" "-"
***.**.**.*** - - [07/Nov/2007:08:22:56 -0800] "GET /stimg/november072007/nota_bene-67.jpg HTTP/1.1" 403 239 "-" "Java/1.6.0_03"

All of the hits for the image seemed normal but two: one from a Java bot that got a 403 error as expected, and one 4 minutes prior to the first bot hit on that image. The latter contained no referrer and no user agent.

I parsed all of the log files for instances of that IP. Its hits were scattered about, and it was found to have accessed only image directories and images, not a single page or other non-image hit. A whois of that IP showed it to be an AOL IP address.

I firewall-blocked the IP, which I knew wouldn’t last long as AOL IPs are quite dynamic, and within 15 minutes it was back with a slightly different IP. So I extended my mod_rewrite block of Java/1. user agents to no longer allow an empty user agent as well.

# Deny (403) any request whose User-Agent is empty (logged as "-") or starts with Java/1.
# RewriteEngine On is needed once in the same context if it is not already enabled.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^-?$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Java/1.*
RewriteRule ^.* - [F,L]

Now this may block some legitimate traffic, but it should be minimal, and I may write a custom page explaining why they cannot view the site and redirect those without a proper user agent to it.

Commands I run from time to time to see how many are being blocked. The first line shows someone’s RSS reader getting a 403:

cat /var/log/httpd/access_log | grep ' 403 '

***.**.**.*** - - [07/Nov/2007:18:58:59 -0800] "GET /index.rss HTTP/1.0" 403 211 "-" "-"
***.**.**.*** - - [07/Nov/2007:18:59:01 -0800] "GET /stimg/november072007/dow_jones.jpg HTTP/1.1" 403 236 "-" "Java/1.6.0-oem"
***.***.**.*** - - [07/Nov/2007:18:59:2 -0800] "GET /stimg/november072007/cheney310.jpg HTTP/1.1" 403 236 "-" "Java/1.5.0_10"

I have not yet had time to fully analyze the log files to see how many unique bots are involved, but I roughly estimate more than 1500 bots hitting approximately 400,000 times over the last 3 days. Today’s bandwidth usage was 1/3 that of yesterday and 1/8 of Monday’s, even though the real visitor and page counts are higher.
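The per-IP log analysis described above (how many unique bots there are, which requests the two RewriteCond lines would deny, and the empty-user-agent image "scout"), as an added example that is not part of the original post. The log lines and IP addresses are constructed using documentation address ranges; nothing here comes from the site's real logs.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format, the layout of the access_log excerpts in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
IMAGE_RE = re.compile(r'\.(?:jpe?g|gif|png)$', re.IGNORECASE)

# Constructed sample lines (RFC 5737 documentation addresses, not real visitors).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Nov/2007:08:10:12 -0800] "GET /index.html HTTP/1.1" 200 18320 "-" "Mozilla/5.0 (constructed)"
192.0.2.10 - - [07/Nov/2007:08:10:13 -0800] "GET /stimg/november072007/nota_bene-67.jpg HTTP/1.1" 200 23919 "/index.html" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [07/Nov/2007:08:18:05 -0800] "GET /stimg/november072007/nota_bene-67.jpg HTTP/1.1" 200 23919 "-" "-"
198.51.100.7 - - [07/Nov/2007:08:19:40 -0800] "GET /stimg/november072007/dow_jones.jpg HTTP/1.1" 200 9921 "-" "-"
203.0.113.5 - - [07/Nov/2007:08:22:56 -0800] "GET /stimg/november072007/nota_bene-67.jpg HTTP/1.1" 403 239 "-" "Java/1.6.0_03"
203.0.113.9 - - [07/Nov/2007:18:59:01 -0800] "GET /stimg/november072007/dow_jones.jpg HTTP/1.1" 403 236 "-" "Java/1.5.0_10"
203.0.113.5 - - [07/Nov/2007:18:59:02 -0800] "GET /stimg/november072007/cheney310.jpg HTTP/1.1" 403 236 "-" "Java/1.6.0-oem"
"""

def parse_line(line):
    """Split one access_log line into named fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_denied_agent(ua):
    """The same test as the post's two RewriteCond lines: empty (or '-') UA, or Java/1.x."""
    return ua in ('', '-') or ua.startswith('Java/1.')

def analyze(lines):
    """Group hits by client IP and report what the rewrite rule would deny."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec['ip']].append(rec)
    bot_ips, scout_ips, bot_paths = set(), set(), Counter()
    for ip, recs in by_ip.items():
        denied = [r for r in recs if is_denied_agent(r['ua'])]
        if denied:
            bot_ips.add(ip)
            bot_paths.update(r['path'] for r in denied)
        # The "scout" pattern from the post: no UA, no referrer, nothing but image fetches.
        if all(r['ua'] in ('', '-') and r['referer'] in ('', '-')
               and IMAGE_RE.search(r['path']) for r in recs):
            scout_ips.add(ip)
    return {'requests': sum(len(v) for v in by_ip.values()),
            'denied': sum(bot_paths.values()),
            'bot_ips': sorted(bot_ips), 'scout_ips': sorted(scout_ips),
            'bot_paths': dict(bot_paths)}
```

Run against a real access_log with `analyze(open('/var/log/httpd/access_log'))`; `bot_paths` shows which images are in the bots' rotation, and `scout_ips` lists addresses matching the no-agent, images-only pattern worth a closer look.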

Now I’m going to have to assume that if they want to continue and actually do some damage, they will have to alter their user agent string. I’m hoping this won’t be easily done, as it would be much harder to stop.

Traffic chart for November 4 through November 7
(The last spike was from Digg on a news story.)

2 Responses to “The Denial of Service Attack Continues”

  1. Linux Code and More » Blog Archive » The Denial of Service Attack Continues Says:

    […] artiomix wrote an interesting post today on. Here’s a quick excerpt: Yesterday I noticed that Salem-News.com was under a Distributed Denial of Service Attack (DDOS) that seemed to be aimed at using up bandwidth as at its highest rate was no more than 60 per minute and averaging less than 30 per minute, all aimed at images. See: Bandwidth DDOS Attack. After stopping the bandwidth waste with mod_rewrite it was […]

  2. rushda » Blog Archive » The Denial of Service Attack Continues Says:

    […] read more here […]