Computer networks
HiNester, 2021-11-10 07:51:54

Attack on an Apache HTTP server: constant requests from IPs on the network. How do I get rid of it?

Various entries keep arriving in the access.log file (here are a few as an example):

163.172.44.79 - - [10/Nov/2021:16:24:42 +1200] "GET https://nanqiang.vip/ HTTP/1.1" 200 879 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +www.google.com/bot.html) Safari/537.36"

163.172.44.79 - - [10/Nov/2021:16:24:42 +1200] "GET https://nanqiang.vip/ HTTP/1.1" 200 879 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3599.0 Safari/537.36"

95.182.120.9 - - [10/Nov/2021:16:24:42 +1200] "CONNECT m.youtube.com:443 HTTP/1.1" 405 224 "-" "-"

140.207.201.152 - - [10/Nov/2021:16:24:42 +1200] "HEAD httpbin.org HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

And there are a lot of them: in just a couple of minutes the log grows by several megabytes. I think some kind of attack is going on, but what is the meaning of this attack, and how do I get rid of it?
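What distinguishes these log lines from ordinary traffic is the request target: `GET https://nanqiang.vip/` is an absolute URI and `CONNECT m.youtube.com:443` is a tunnel request, both of which a browser only sends to a forward proxy, never to the site itself. The script below is an added example (not part of the question or of any answer) that parses Apache "combined" log lines and sorts each source IP into origin-form requests versus proxy-style probes, so that ban candidates can be picked mechanically; the sample log is constructed, modelled on the lines above, and the "HEAD httpbin.org" line is written with the space the question's copy lost.

```python
"""Classify Apache access.log entries into origin requests and
forward-proxy style probes (absolute-URI requests, CONNECT tunnels)."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample modelled on the question (not real captured traffic);
# the last line is a normal visitor added for contrast.
SAMPLE_LOG = """\
163.172.44.79 - - [10/Nov/2021:16:24:42 +1200] "GET https://nanqiang.vip/ HTTP/1.1" 200 879 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
163.172.44.79 - - [10/Nov/2021:16:24:42 +1200] "GET https://nanqiang.vip/ HTTP/1.1" 200 879 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/67.0.3599.0"
95.182.120.9 - - [10/Nov/2021:16:24:42 +1200] "CONNECT m.youtube.com:443 HTTP/1.1" 405 224 "-" "-"
140.207.201.152 - - [10/Nov/2021:16:24:42 +1200] "HEAD httpbin.org HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
203.0.113.5 - - [10/Nov/2021:16:25:01 +1200] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.79.1"
"""


def classify_request(request_line):
    """Return (kind, foreign_host) for the %r field of a log entry.

    origin           path on this server, e.g. "GET /index.html HTTP/1.1"
    proxy-absolute   absolute URI: the client is using us as a forward proxy
    proxy-connect    CONNECT tunnel attempt (HTTPS through a forward proxy)
    proxy-host-only  bare host name instead of a path, also proxy-style
    malformed        not of the form "METHOD TARGET PROTOCOL"
    """
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "malformed", None
    method, target, _proto = parts
    if method.upper() == "CONNECT":
        return "proxy-connect", target.rsplit(":", 1)[0]
    if target.lower().startswith(("http://", "https://")):
        return "proxy-absolute", urlsplit(target).hostname
    if target.startswith("/") or target == "*":
        return "origin", None
    return "proxy-host-only", target


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Per source IP: a Counter of request kinds, and the set of foreign hosts
    the client tried to reach through this server."""
    per_ip = defaultdict(Counter)
    foreign_hosts = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines in another LogFormat rather than guessing
        kind, host = classify_request(entry["req"])
        per_ip[entry["ip"]][kind] += 1
        if host:
            foreign_hosts[entry["ip"]].add(host)
    return per_ip, foreign_hosts


def proxy_probers(log_text):
    """IPs that sent only proxy-style requests and never asked for a path on
    this server: candidates for a firewall or fail2ban ban, not visitors."""
    per_ip, _ = analyze(log_text)
    return sorted(ip for ip, kinds in per_ip.items()
                  if kinds["origin"] == 0 and sum(kinds.values()) > 0)


if __name__ == "__main__":
    per_ip, hosts = analyze(SAMPLE_LOG)
    for ip, kinds in per_ip.items():
        print(ip, dict(kinds), sorted(hosts.get(ip, ())))
    print("ban candidates:", proxy_probers(SAMPLE_LOG))
```

Run against the real access.log by replacing `SAMPLE_LOG` with the file contents; a 200 next to a `proxy-absolute` request is the tell-tale that the default virtual host is serving its own content for a foreign Host, which is the configuration issue the third answer below points at.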

4 answers
mtNATS, 2021-11-10
@mtNATS

https://www.cloudflare.com/

ky0, 2021-11-10
@ky0

There are two and a half options:
1. Your IP address was previously used to host some popular sites whose owners forgot to change their DNS settings (unlikely, but it happens).
2. This is the standard spam from Internet vulnerability scanners.
2.5. This really is a DDoS attack.
You don't need to do anything special about the first one: just put a stub in the web server that returns 403 for requests to all non-existent domains. In the second case, you need to check whether it really is an attack, and if so, at least ban by IP.

AUser0, 2021-11-11
@AUser0

Judging by the logs above, your HTTP server believes that absolutely every request is intended for it. Moreover, it does not respond with a 404 error to completely foreign domain names (for example, nanqiang.vip and httpbin.org). That is, your HTTP server is configured in "default server" mode, where a request with absolutely any domain name is considered acceptable and is processed normally (files are read, content is generated, and all of this loads the CPU).
You need to configure Apache for one, two, three, etc. specific domain names so that Apache fully serves only them, and for all other domain names responds instantly with a 404 error.
Of course, this will not get rid of such spammers, but at least the server will be configured more correctly (less CPU load), and the spammers will get an instant slap in the form of an error.
PS It is quite possible that a proxy server used to run on your IP address (obviously on port 80), and the computers on the Internet that were configured to use this IP address as a proxy are still trying to. True, they can no longer browse web sites through your server, but they keep trying (the setting has not been removed yet). All that remains is to wait it out... or change the IP address, or switch to port 443.
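An added example of what this answer's recommendation looks like as Apache 2.4 configuration; it is not part of the answer and the domain example.com, the document roots and the log path are placeholders. Apache picks the first VirtualHost defined for an address as the default, so a deliberately empty first VirtualHost becomes the catch-all for every Host header that no named VirtualHost matches, including bare IPs and requests with no Host at all.

```apache
# Never relay absolute-URI or CONNECT requests (this is the default, but stating
# it explicitly guards against a mod_proxy config that turned it on).
ProxyRequests Off

# First VirtualHost for *:80 is the default: it catches every Host that no
# other VirtualHost below matches (foreign domains, the bare IP, no Host).
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    # Answer everything with 404 before any file is read or application code runs.
    # (ky0's variant: replace this line with  Require all denied  for a 403.)
    Redirect 404 /
    # Log the junk separately so the real site's log stays readable.
    CustomLog /var/log/apache2/catchall_access.log combined
</VirtualHost>

# Only the names listed here are served normally.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    <Directory /var/www/example.com>
        Require all granted
    </Directory>
</VirtualHost>
```

Check it with `apachectl configtest` and then `curl -I -H "Host: nanqiang.vip" http://<server-ip>/`, which should now return 404 instead of the 200 seen in the question's log. Note that in those logs the CONNECT already gets 405, so Apache is not tunnelling; the absolute-URI GET gets 200 only because the default virtual host answers with its own content, which is exactly what the catch-all above changes. The separate log also gives a clean input for fail2ban or a firewall rule if the volume itself becomes the problem.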
