Unusual packets hitting server

I've been puzzled by this for a day now: a ton of unusual packets hitting the server, all coming from public proxies (I googled a few IPs) and Tor.

All carrying this message which I found by logging all POST data - access logs near end of post:

are%3Dyou%26prepared%3Dfor%26z3r0_d32tr0y3r%3Dv1%26imustdestroy%3D1

Which is (without URL encoding):

are=you&prepared=for&z3r0_d32tr0y3r=v1&imustdestroy=1

Which I can translate easily to:

Are you prepared for z3r0_d32tr0y3r v1 imustdestroy 1

And that's sent over POST. The attack isn't taking the server offline, but it's causing the occasional drop.

Suspect Traffic:

5.79.68.161 - - [28/Mar/2015:08:25:00 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+"
5.79.68.161 - - [28/Mar/2015:08:25:03 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
85.214.98.239 - - [28/Mar/2015:08:25:05 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
85.214.98.239 - - [28/Mar/2015:08:25:07 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (PLAYSTATION 3; 3.55)"
85.214.98.239 - - [28/Mar/2015:08:25:09 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
85.214.98.239 - - [28/Mar/2015:08:25:10 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
85.214.98.239 - - [28/Mar/2015:08:25:12 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
85.214.98.239 - - [28/Mar/2015:08:25:14 -0400] "POST / HTTP/1.1" 200 14658 "-" "Opera/12.02 (Android 4.1; Linux; Opera Mobi/ADR-1111101157; U; en-US) Presto/2.9.201 Version/12.02"

91.213.8.236 - - [28/Mar/2015:08:24:34 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
188.226.139.158 - - [28/Mar/2015:08:24:34 -0400] "GET / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/98 Safari/537.4 (StatusCake)"
194.150.168.79 - - [28/Mar/2015:08:24:37 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
194.150.168.79 - - [28/Mar/2015:08:24:40 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
194.150.168.79 - - [28/Mar/2015:08:24:44 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
176.126.252.12 - - [28/Mar/2015:08:24:46 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+"
176.126.252.12 - - [28/Mar/2015:08:24:48 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
176.126.252.12 - - [28/Mar/2015:08:24:50 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
176.126.252.12 - - [28/Mar/2015:08:24:52 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (PLAYSTATION 3; 3.55)"
176.126.252.12 - - [28/Mar/2015:08:24:54 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (PLAYSTATION 3; 1.00)"

One IP lookup:

IP: 176.126.252.12 Decimal: 2961112076 Hostname: aurora.enn.lu ISP: Alistar Security Srl Organization: Alistar Security Srl Services: Confirmed proxy server

Any idea what's going on and how to drop the requests without dropping actual users? Never seen this before. It's causing downtime on my server.
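A detector for the pattern visible in the access log above, added here as an example (it is not code from the original post). It does two things: decodes the captured body and looks for its fixed marker field, and, from the access log alone, finds clients that POST to / with an empty Referer while changing User-Agent between requests, which is what every attacking IP in the log does and what a real browser submitting a form does not. The embedded sample reuses lines from the post plus two constructed lines of legitimate traffic from 203.0.113.7 (a documentation address); the thresholds are assumptions for this sample.

```python
"""Flag the layer-7 POST flood seen in the access log above.

Added example, not code from the thread. Two checks: decode the captured
body and look for its fixed marker, and, from the access log alone, find
clients that POST to / with no Referer while changing User-Agent between
requests (real browsers send a Referer on form posts and keep one UA).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Body exactly as the OP captured it: a query string that was URL-encoded once more.
SAMPLE_BODY = "are%3Dyou%26prepared%3Dfor%26z3r0_d32tr0y3r%3Dv1%26imustdestroy%3D1"
SIGNATURE = re.compile(r"\bz3r0_d32tr0y3r=")

# Sample log: the first six lines are from the post; the last two are constructed
# legitimate traffic from 203.0.113.7 (a documentation address) so something passes.
SAMPLE_LOG = """\
5.79.68.161 - - [28/Mar/2015:08:25:00 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+"
5.79.68.161 - - [28/Mar/2015:08:25:03 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
85.214.98.239 - - [28/Mar/2015:08:25:05 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
85.214.98.239 - - [28/Mar/2015:08:25:07 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (PLAYSTATION 3; 3.55)"
85.214.98.239 - - [28/Mar/2015:08:25:09 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
188.226.139.158 - - [28/Mar/2015:08:24:34 -0400] "GET / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/98 Safari/537.4 (StatusCake)"
203.0.113.7 - - [28/Mar/2015:08:25:11 -0400] "GET / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0"
203.0.113.7 - - [28/Mar/2015:08:25:40 -0400] "POST /contact HTTP/1.1" 302 0 "http://example.com/contact" "Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_body(raw):
    """URL-decode the captured body once and split it into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(unquote(raw), keep_blank_values=True).items()}


def body_matches_signature(raw):
    """True if the decoded body carries the marker field used by this flood."""
    return SIGNATURE.search(unquote(raw)) is not None


def suspicious_ips(lines, min_posts=2, min_agents=2):
    """Map IP -> evidence for clients posting to / with no Referer under rotating UAs.

    Thresholds are assumptions for this sample; on a real log raise min_posts so
    that a human resubmitting a form cannot trip it.
    """
    posts = defaultdict(int)
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == "/" and rec["referer"] == "-":
            posts[rec["ip"]] += 1
            agents[rec["ip"]].add(rec["ua"])
    return {
        ip: {"posts": n, "user_agents": len(agents[ip])}
        for ip, n in posts.items()
        if n >= min_posts and len(agents[ip]) >= min_agents
    }


if __name__ == "__main__":
    print("signature in captured body:", body_matches_signature(SAMPLE_BODY))
    for ip, ev in sorted(suspicious_ips(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:16} posts={ev['posts']} distinct_user_agents={ev['user_agents']}")
```

On the sample, 5.79.68.161 and 85.214.98.239 are flagged while the StatusCake monitor and the constructed visitor are not. The User-Agent rotation is what lets this separate the flood from a busy legitimate client; a flood that kept one User-Agent would need a plain per-IP rate threshold instead, and the body signature only helps if POST bodies are logged, as the OP did.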

Comments

  • BlazeMuis Member
    edited March 2015

    Seems like a Layer7 (HTTP, POST) attack

  • joodle said: Seems like a Layer7 (HTTP, POST) attack

    On the surface it seems as such; however, I've already got filters in place to weed out HTTP HEAD/POST attacks, and this seems to fly right through them.

  • I just received an attack on my website as well.. Seems like someone here is lurking and attacking websites -.-

  • @joodle said:
    I just received an attack on my website as well.. Seems like someone here is lurking and attacking websites -.-

    Seems like you're having an issue with GET requests; I'm getting hit with POST requests. Any idea how to mitigate this? Tor is easy to block: just check Tor's Atlas and block the IP if it exists there. However, it's the other open proxies which are a problem.

  • cociu Member
    edited March 2015

    "Alistar Security Srl" lol is a Romanian company, and about the attack ... firewall?

  • IPTables drop is always a nice thing to do.

    Or you could log these weird requests and then send the IP to a database; if that IP is found again, it will be permanently banned from the site.

  • 4n0nx Member

    enn.lu hosts (a) tor node(s). I'd say block tor node IPs with nginx and/or get behind cloudflare.

  • 4n0nx said: enn.lu hosts (a) tor node(s). I'd say block tor node IPs with nginx and/or get behind cloudflare.

    It's more than Tor IPs; there are also public proxies in the access log, etc.

  • 4n0nx Member

    KwiceroLTD said: It's more than Tor IPs; there are also public proxies in the access log, etc.

    Yeah, but blocking Tor would be a good start, don't you think? :p And then I'd take the IPs from the HideMyAss proxy list

    https://www.dan.me.uk/tornodes

  • Find their assigned blocks and block them?

  • @TheLonely said:
    Find their assigned blocks and block them?

    here you go @KwiceroLTD

    https://ipinfo.io/AS60118
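The two suggestions above (block the Tor exit list 4n0nx linked; block the prefixes of the AS TheLonely pointed at) both come down to turning address lists into firewall or nginx rules. Here is an added example of doing that cleanly, not code from the thread: it validates every entry, collapses overlapping addresses into the fewest CIDRs, and renders either an nginx `deny` include or an ipset. The inputs are constructed samples in documentation ranges; in practice you would feed it the downloaded exit list and the prefixes read off the AS page.

```python
"""Build one deduplicated block list from a Tor exit list and AS prefixes.

Added example, not code from the thread. Inputs are constructed samples in
documentation ranges; in practice feed it the downloaded exit-node list and
the prefixes read off the AS page.
"""
import ipaddress

# Constructed stand-in for the one-address-per-line Tor exit list, including
# the comment, blank and junk lines a downloaded file may contain.
SAMPLE_TOR_LIST = """\
# exit nodes (constructed sample, TEST-NET addresses)
192.0.2.10
192.0.2.11
192.0.2.12

192.0.2.13
198.51.100.77
not-an-address
"""

# Constructed stand-in for the announced prefixes of one AS.
SAMPLE_AS_PREFIXES = ["203.0.113.0/25", "203.0.113.128/25", "192.0.2.8/29"]


def parse_ip_list(text):
    """Yield validated networks, skipping comments, blanks and anything unparsable."""
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            yield ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # better to drop one junk line than emit a rule nginx rejects


def blocklist(*sources):
    """Merge all sources into the smallest set of non-overlapping CIDRs, v4 then v6."""
    nets = [n for src in sources for n in src]
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return merged


def nginx_snippet(networks):
    """Render an include file of deny rules; single hosts are written without /32."""
    lines = [f"deny {n.network_address if n.num_addresses == 1 else n};" for n in networks]
    return "\n".join(lines) + "\n"


def ipset_commands(setname, networks):
    """Kernel-side alternative: one hash:net set matched by a single iptables rule."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {n} -exist" for n in networks]
    cmds.append(f"iptables -I INPUT -p tcp -m multiport --dports 80,443 "
                f"-m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    nets = blocklist(parse_ip_list(SAMPLE_TOR_LIST),
                     parse_ip_list("\n".join(SAMPLE_AS_PREFIXES)))
    print(nginx_snippet(nets))
    print("\n".join(ipset_commands("abusive_proxies", nets)))
```

Collapsing matters: the four single exits in 192.0.2.10-13 fall inside the 192.0.2.8/29 prefix and disappear, and the two /25s become one /24. nginx evaluates `deny` lines per request, so for thousands of entries the ipset form is the cheaper one to keep on a box that is already under load. Two caveats: blocking a whole AS blocks that provider's legitimate customers too, and the downloaded list should be cached and refreshed on a schedule rather than refetched on every reload.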

  • Not very smart of them to put the ego URL stuff on there. This makes your task of finding their IPs a lot easier.

  • Attack mitigated.

  • Mun Member

    If you are running nginx my nginx ban list should help.
    https://www.qwdsa.com/converse/threads/nginx-ban-list-stopforumspam.63/

  • And more logs, causing the server to be completely blocked.
    http://pastebin.com/Yjy7t1Fi

  • Mun Member

    @KwiceroLTD said:
    And more logs, causing the server to be completely blocked.
    http://pastebin.com/Yjy7t1Fi

    Yeah, now you are being hit by a ddos / botnet.

  • geekalot Member
    edited March 2015

    @KwiceroLTD, better to go after the attack signature and write a regex in fail2ban/IDS/IPS to deal with it (and then firewall larger subnets as necessary), IMHO.

    Going after IPs will be never-ending and frustrating; better to go after the behavior/attack vector.

    If you need more specifics, PM me. ( @MeanServers should be able to vouch for my suggestions. I provided them a solution via PM so as not to publicize it to the attacker. )
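A fail2ban filter and jail of the kind geekalot describes, added here as an example. It is written against the combined-format access-log lines the OP posted (POST to /, status 200, empty Referer) rather than against the separately logged POST bodies, whose format the thread does not show. The filter and jail names are ours, and the log path assumes a stock nginx install.

```ini
# /etc/fail2ban/filter.d/nginx-post-flood.conf   (example; the name is ours)
[Definition]
# One POST to / answered 200 with an empty Referer, as in the posted log.
# <HOST> is fail2ban's placeholder for the client address. fail2ban removes the
# timestamp it matched before applying failregex, so the brackets may be empty;
# [^\]]* tolerates both forms.
failregex = ^<HOST> \S+ \S+ \[[^\]]*\] "POST / HTTP/1\.[01]" 200 \d+ "-" "[^"]*"$
ignoreregex =

# /etc/fail2ban/jail.d/nginx-post-flood.conf
[nginx-post-flood]
enabled  = true
filter   = nginx-post-flood
logpath  = /var/log/nginx/access.log
port     = http,https
# ten matching POSTs from one address inside 60 seconds earns a one-hour ban;
# the attackers in the posted log were sending one every two seconds per IP
findtime = 60
maxretry = 10
bantime  = 3600
```

Before enabling it, run `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-post-flood.conf` and look at how many lines match and which addresses they belong to. The one false-positive risk is a legitimate form that posts to / from a browser configured to strip Referer; keep `maxretry` high enough that a human resubmitting cannot reach it. Banning per IP still has the limit geekalot mentions: each new proxy must be seen ten times before it is stopped, which is why the signature match is the part worth keeping and the subnet blocks are the follow-up.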

  • Mun said: Yeah, now you are being hit by a ddos / botnet.

    Yep, and my site's blocked now by the hosting provider for a minimum of 24 hours, and they refuse to give me a backup of the data; the only backup I have is from last night.

  • timnboys Member
    edited March 2015

    @KwiceroLTD said:
    Yep, and my site's blocked now by the hosting provider for a minimum of 24 hours, and they refuse to give me a backup of the data; the only backup I have is from last night.

    Let me help you out: I can host you on my OVH node that has DDoS protection.
    By the way, who is your hosting provider?
    Send me a PM and I will give you access to a VPS on my OVH node for free.
    Sorry, I don't discuss access details out in public for the safety and security of my nodes.

  • timnboys said: Let me help you out I can host you on my ovh node that has ddos protection.

    I have OVH servers already, working on migrating everything over currently, just wanting them to give me a latest backup copy before I put it live again.

  • @KwiceroLTD said:
    I have OVH servers already, working on migrating everything over currently, just wanting them to give me a latest backup copy before I put it live again.

    Okay sure, I wish you the best @KwiceroLTD and hope you get this situation fixed.

  • BlazeMuis Member
    edited March 2015

    And someone just attacked my image.tf server.. How low can people go really..

    RamNull, our automated DDoS mitigation system, has detected an attack against your IP xxx.x.xxx.xxx, assigned to "image.tf". Your IP will be nullrouted for 5-10 minutes. If the attack continues after this time, your IP will be nullrouted again.

    Edit:

    Joodle.nl is getting attacked as well, retards.

  • @joodle said:
    And someone just attacked my image.tf server.. How low can people go really..

    RamNull, our automated DDoS mitigation system, has detected an attack against your IP xxx.x.xxx.xxx, assigned to "image.tf". Your IP will be nullrouted for 5-10 minutes. If the attack continues after this time, your IP will be nullrouted again.

    Edit:

    Joodle.nl is getting attacked as well, retards.

    Yeah, I'm nullrouted here. Just going to put it behind OVH or Voxility in a bit.

  • KwiceroLTD said: Just going to put it behind OVH or Voxility in a bit.

    Yep same here, currently reinstalling an OVH VPS with a fresh Debian 7 install

  • Traffic Member
    edited March 2015

    If you guys don't change the IPs of your current server after installing the reverse proxy, it's extremely easy for the attacker to keep attacking the backend server instead of the new one. Just my two cents...

  • Traffic said: If you guys don't change the IPs of your current server after installing the reverse proxy, it's extremely easy for the attacker to keep attacking the backend server instead of the new one. Just my two cents...

    Yeah, we are aware... I'm switching over to OVH, new IP's, everything.

  • @Traffic said:
    If you guys don't change the IPs of your current server after installing the reverse proxy, it's extremely easy for the attacker to keep attacking the backend server instead of the new one. Just my two cents...

    Switching totally to OVH, no reverse proxy here.

  • @joodle said:
    Switching totally to OVH, no reverse proxy here.

    Yep, same. I'm getting tired of kids with nothing better to do attacking sites.

  • @KwiceroLTD said:
    Yeah, we are aware... I'm switching over to OVH, new IP's, everything.

    Take it easy :) Nothing personal!

  • I keep seeing this now.. Nothing is currently hosted on my domain (joodle.nl @ OVH)

    212.250.202.217|Sat 28 Mar 2015 22:02:39 +0100|200|180||GET /KS2008R2.gz HTTP/1.1|Connection: keep-alive|Content-Type: application/x-www-form-urlencoded|Accept-Encoding: gzip, deflate|Host: joodle.nl|Max-Forwards: 10|User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5|X-Original-URL: /KS2008R2.gz|X-Forwarded-For: 199.115.228.98:60341|X-ARR-LOG-ID: 0acc9adc-46ad-4c9b-8403-73cded296a92|Content-Length: 8
    212.250.202.217|Sat 28 Mar 2015 22:02:40 +0100|200|180||GET /KS2012R2.gz HTTP/1.1|Connection: keep-alive|Content-Type: application/x-www-form-urlencoded|Accept-Encoding: gzip, deflate|Host: joodle.nl|Max-Forwards: 10|User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5|X-Original-URL: /KS2012R2.gz|X-Forwarded-For: 199.115.228.98:47004|X-ARR-LOG-ID: 98d3e5b7-b662-493b-8825-9a7dc9cf3467|Content-Length: 8
    212.250.202.217|Sat 28 Mar 2015 22:02:45 +0100|200|180||GET /KS2012R2.gz HTTP/1.1|Connection: keep-alive|Content-Type: application/x-www-form-urlencoded|Accept-Encoding: gzip, deflate|Host: joodle.nl|Max-Forwards: 10|User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1|X-Original-URL: /KS2012R2.gz|X-Forwarded-For: 199.115.228.98:36140|X-ARR-LOG-ID: 06a8a937-5977-425c-ae9a-6a63df526d8f|Content-Length: 8
    212.250.202.217|Sat 28 Mar 2015 22:02:47 +0100|200|180||GET /KS2008R2.gz HTTP/1.1|Connection: keep-alive|Content-Type: application/x-www-form-urlencoded|Accept-Encoding: gzip, deflate|Host: joodle.nl|Max-Forwards: 10|User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5|X-Original-URL: /KS2008R2.gz|X-Forwarded-For: 199.115.228.98:46310|X-ARR-LOG-ID: 6c227663-bd28-4daf-ac52-413d2dbd0f80|Content-Length: 8
    212.250.202.217|Sat 28 Mar 2015 22:02:52 +0100|200|157||GET /KS2008R2.gz HTTP/1.1|Connection: keep-alive|Content-Type: application/x-www-form-urlencoded|Accept-Encoding: gzip, deflate|Host: joodle.nl|Max-Forwards: 10|User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5|X-Original-URL: /KS2008R2.gz|X-Forwarded-For: 199.115.228.98:55190|X-ARR-LOG-ID: c04d32aa-37ab-478b-8972-4c6775207d96|Content-Length: 8
    212.250.202.217|Sat 28 Mar 2015 22:02:57 +0100|200|180||GET /KS2008R2.gz HTTP/1.1|Connection: keep-alive|Content-Type: application/x-www-form-urlencoded|Accept-Encoding: gzip, deflate|Host: joodle.nl|Max-Forwards: 10|User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5|X-Original-URL: /KS2008R2.gz|X-Forwarded-For: 199.115.228.98:51685|X-ARR-LOG-ID: b969eb23-64e0-4a17-976b-6878a2740609|Content-Length: 8
    212.250.202.217|Sat 28 Mar 2015 22:03:10 +0100|200|157||GET /KS2012R2.gz HTTP/1.1|Connection: keep-alive|Content-Type: application/x-www-form-urlencoded|Accept-Encoding: gzip, deflate|Host: joodle.nl|Max-Forwards: 10|User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1|X-Original-URL: /KS2012R2.gz|X-Forwarded-For: 199.115.228.98:44673|X-ARR-LOG-ID: a0efb399-7de0-46bf-82ab-6edb66b79f26|Content-Length: 8
    212.250.202.217|Sat 28 Mar 2015 22:03:35 +0100|200|180||GET /KS2008R2.gz HTTP/1.1|Connection: keep-alive|Content-Type: application/x-www-form-urlencoded|Accept-Encoding: gzip, deflate|Host: joodle.nl|Max-Forwards: 10|User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)|X-Original-URL: /KS2008R2.gz|X-Forwarded-For: 199.115.231.162:34198|X-ARR-LOG-ID: fa1c9ad8-ff8b-4c88-b740-89933352b3e6|Content-Length: 8
    

    Same IP over and over again.. And no, that file is not on the main domain he's accessing. (should be ktd.joodle.nl..)

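The records joodle posted carry more than the connecting IP: X-Forwarded-For, X-Original-URL, X-ARR-LOG-ID and Max-Forwards together are the headers an IIS Application Request Routing reverse proxy adds, so 212.250.202.217 is a relay and the addresses in X-Forwarded-For are the clients behind it. Here is an added example, not code from the thread, that parses this pipe-delimited format (the layout client|time|status|size|(blank)|request line|Header: value|... is inferred from the posted lines) and groups requests by relay and claimed origin. Four records are copied from the post; the last one is constructed, a direct request from 198.51.100.9 (a documentation address) with no forwarding headers.

```python
"""Group relayed requests by the origin named in X-Forwarded-For.

Added example, not code from the thread. Record layout inferred from the posted
lines: client|time|status|size|(blank)|request line|Header: value|...
"""

# Four records from the post plus one constructed direct request (198.51.100.9
# is a TEST-NET address; with no X-Forwarded-For it counts as its own origin).
SAMPLE_RECORDS = """\
212.250.202.217|Sat 28 Mar 2015 22:02:39 +0100|200|180||GET /KS2008R2.gz HTTP/1.1|Connection: keep-alive|Content-Type: application/x-www-form-urlencoded|Accept-Encoding: gzip, deflate|Host: joodle.nl|Max-Forwards: 10|User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5|X-Original-URL: /KS2008R2.gz|X-Forwarded-For: 199.115.228.98:60341|X-ARR-LOG-ID: 0acc9adc-46ad-4c9b-8403-73cded296a92|Content-Length: 8
212.250.202.217|Sat 28 Mar 2015 22:02:40 +0100|200|180||GET /KS2012R2.gz HTTP/1.1|Connection: keep-alive|Content-Type: application/x-www-form-urlencoded|Accept-Encoding: gzip, deflate|Host: joodle.nl|Max-Forwards: 10|User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5|X-Original-URL: /KS2012R2.gz|X-Forwarded-For: 199.115.228.98:47004|X-ARR-LOG-ID: 98d3e5b7-b662-493b-8825-9a7dc9cf3467|Content-Length: 8
212.250.202.217|Sat 28 Mar 2015 22:02:45 +0100|200|180||GET /KS2012R2.gz HTTP/1.1|Connection: keep-alive|Content-Type: application/x-www-form-urlencoded|Accept-Encoding: gzip, deflate|Host: joodle.nl|Max-Forwards: 10|User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1|X-Original-URL: /KS2012R2.gz|X-Forwarded-For: 199.115.228.98:36140|X-ARR-LOG-ID: 06a8a937-5977-425c-ae9a-6a63df526d8f|Content-Length: 8
212.250.202.217|Sat 28 Mar 2015 22:03:35 +0100|200|180||GET /KS2008R2.gz HTTP/1.1|Connection: keep-alive|Content-Type: application/x-www-form-urlencoded|Accept-Encoding: gzip, deflate|Host: joodle.nl|Max-Forwards: 10|User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)|X-Original-URL: /KS2008R2.gz|X-Forwarded-For: 199.115.231.162:34198|X-ARR-LOG-ID: fa1c9ad8-ff8b-4c88-b740-89933352b3e6|Content-Length: 8
198.51.100.9|Sat 28 Mar 2015 22:05:00 +0100|200|180||GET / HTTP/1.1|Connection: keep-alive|Host: ktd.joodle.nl|User-Agent: curl/7.38.0
"""

# The header set a forwarding proxy stamps on each request; all four present
# together is the relay fingerprint used below.
RELAY_HEADERS = ("X-Forwarded-For", "X-Original-URL", "X-ARR-LOG-ID", "Max-Forwards")


def parse_record(line):
    """Split one pipe-delimited record into fixed fields plus a header dict."""
    parts = line.split("|")
    headers = {}
    for field in parts[6:]:
        name, sep, value = field.partition(": ")
        if sep:
            headers[name] = value
    return {"client": parts[0], "time": parts[1], "status": parts[2],
            "request": parts[5], "headers": headers}


def origin_of(rec):
    """Leftmost X-Forwarded-For hop with any IPv4 port stripped, else the connecting client."""
    xff = rec["headers"].get("X-Forwarded-For")
    if not xff:
        return rec["client"]
    first = xff.split(",")[0].strip()
    if first.count(":") == 1:          # IPv4 with a port appended, as in the posted log
        first = first.rsplit(":", 1)[0]
    return first


def looks_relayed(rec):
    """True when the request carries the full set of forwarding-proxy headers."""
    return all(h in rec["headers"] for h in RELAY_HEADERS)


def summarize(lines):
    """Map (connecting IP, claimed origin) -> request count, relay flag, paths and Hosts."""
    out = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        key = (rec["client"], origin_of(rec))
        entry = out.setdefault(key, {"requests": 0, "relayed": looks_relayed(rec),
                                     "paths": set(), "hosts": set()})
        entry["requests"] += 1
        entry["paths"].add(rec["request"].split()[1])
        entry["hosts"].add(rec["headers"].get("Host", ""))
    return out


if __name__ == "__main__":
    for (client, origin), ev in sorted(summarize(SAMPLE_RECORDS.splitlines()).items()):
        print(f"{client:16} via->{origin:16} relayed={ev['relayed']} "
              f"requests={ev['requests']} paths={sorted(ev['paths'])}")
```

On the sample this separates the relay's traffic into two origins, 199.115.228.98 (three requests) and 199.115.231.162 (one), both asking for the same two .gz paths on the bare domain. The operational point is that blocking 212.250.202.217 alone removes one relay; the origins behind it can come back through another. The inverse caveat is just as important: X-Forwarded-For is set by whoever connects to you, so when the connecting address is not your own reverse proxy it is investigative evidence, never something to base an allow or rate-limit decision on.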