Author Topic: What kind of attack is this, leaving the Server nearly dead?!  (Read 6099 times)


Aeolus

  • Skeptical junior high student
  • Posts: 36
  • Gender: Male
What kind of attack is this, leaving the Server nearly dead?!
« on: 2010-03-09 08:09 »
There are about 1500 entries like these, and the server slowed to a crawl.

Thanks.

/var/log/apache2/access.log
Quote
58.60.14.231 - - [07/Mar/2010:21:20:58 +0800] "GET /forum/index.php?app=forums&forumid=2&i=1?s=561a958d6c90a57d39087982b57f8273&marktype=forum&module=forums&returntoforumid=0&section=markasread HTTP/1.1" 302 - "http://ipb.tw/forum/index.php?app=forums&forumid=2&i=1?s=561a958d6c90a57d39087982b57f8273&marktype=forum&module=forums&returntoforumid=0&section=markasread" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.61.32.55 - - [07/Mar/2010:21:20:55 +0800] "GET /forum/index.php?/topic/131-%E5%8D%A1%E8%BE%B2%E7%9A%84%E7%90%B4%E8%AD%9Cpdf%E6%AA%94/ HTTP/1.1" 200 168375 "http://ipb.tw/forum/index.php?/topic/131-%E5%8D%A1%E8%BE%B2%E7%9A%84%E7%90%B4%E8%AD%9Cpdf%E6%AA%94/" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.241 - - [07/Mar/2010:21:20:55 +0800] "GET /forum/index.php?/forum/20-%E6%86%B6%E7%B6%B2%E6%83%85%E6%B7%B1/?s=eafc57480c55000ae38913632f06bc69' HTTP/1.1" 200 104744 "http://ipb.tw/forum/index.php?/forum/20-%E6%86%B6%E7%B6%B2%E6%83%85%E6%B7%B1/?s=eafc57480c55000ae38913632f06bc69'" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.61.32.55 - - [07/Mar/2010:21:21:00 +0800] "GET /forum/index.php?/topic/18790-fromitidgh483987hotmailcom/page__view__findpost__p__21628?s=eafc57480c55000ae38913632f06bc69' HTTP/1.1" 302 - "http://ipb.tw/forum/index.php?/topic/18790-fromitidgh483987hotmailcom/page__view__findpost__p__21628?s=eafc57480c55000ae38913632f06bc69'" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.236 - - [07/Mar/2010:21:20:57 +0800] "GET /forum/index.php?/calendar/?s=561a958d6c90a57d39087982b57f8273' HTTP/1.1" 200 191724 "http://ipb.tw/forum/index.php?/calendar/?s=561a958d6c90a57d39087982b57f8273'" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.236 - - [07/Mar/2010:21:20:58 +0800] "GET /forum/index.php?app=core&do=active&module=search&search_filter_app[forums]=1?s=2df023d942bb0395cc95b22f646af7f6' HTTP/1.1" 200 105516 "http://ipb.tw/forum/index.php?app=core&do=active&module=search&search_filter_app[forums]=1?s=2df023d942bb0395cc95b22f646af7f6'" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.241 - - [07/Mar/2010:21:20:59 +0800] "GET /forum/index.php?/topic/18886-invisionmodding-j30-about-us/?s=eafc57480c55000ae38913632f06bc69' HTTP/1.1" 200 150130 "http://ipb.tw/forum/index.php?/topic/18886-invisionmodding-j30-about-us/?s=eafc57480c55000ae38913632f06bc69'" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.241 - - [07/Mar/2010:21:20:55 +0800] "GET /forum/index.php?app=forums&do=reply_post&f=21&module=post&qpid=143?s=eafc57480c55000ae38913632f06bc69&section=post&t=131 HTTP/1.1" 200 96862 "http://ipb.tw/forum/index.php?app=forums&do=reply_post&f=21&module=post&qpid=143?s=eafc57480c55000ae38913632f06bc69&section=post&t=131" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.231 - - [07/Mar/2010:21:21:00 +0800] "GET /forum/index.php?/index?s=e4a2e681abd1beb9426398dc604399fa HTTP/1.1" 200 191704 "http://ipb.tw/forum/index.php?/index?s=e4a2e681abd1beb9426398dc604399fa" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.61.32.55 - - [07/Mar/2010:21:21:04 +0800] "GET /forum/index.php?app=forums&forumid=446&i=1?s=2df023d942bb0395cc95b22f646af7f6&marktype=forum&module=forums&returntoforumid=0&section=markasread HTTP/1.1" 302 - "http://ipb.tw/forum/index.php?app=forums&forumid=446&i=1?s=2df023d942bb0395cc95b22f646af7f6&marktype=forum&module=forums&returntoforumid=0&section=markasread" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.241 - - [07/Mar/2010:21:21:06 +0800] "GET /forum/index.php?app=forums&forumid=406&i=1?s=561a958d6c90a57d39087982b57f8273&marktype=forum&module=forums&returntoforumid=0&section=markasread HTTP/1.1" 302 - "http://ipb.tw/forum/index.php?app=forums&forumid=406&i=1?s=561a958d6c90a57d39087982b57f8273&marktype=forum&module=forums&returntoforumid=0&section=markasread" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.61.32.55 - - [07/Mar/2010:21:21:02 +0800] "GET /forum/index.php?/forum/384-%E5%A4%9C%E5%B8%82%E9%9B%86%E9%8C%A6/?s=2df023d942bb0395cc95b22f646af7f6 HTTP/1.1" 200 160917 "http://ipb.tw/forum/index.php?/forum/384-%E5%A4%9C%E5%B8%82%E9%9B%86%E9%8C%A6/?s=2df023d942bb0395cc95b22f646af7f6" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.236 - - [07/Mar/2010:21:21:02 +0800] "GET /forum/index.php?/topic/3457-script-typetextjavascript/page__view__getlastpost?s=561a958d6c90a57d39087982b57f8273' HTTP/1.1" 200 149241 "http://ipb.tw/forum/index.php?/topic/3457-script-typetextjavascript/page__view__getlastpost?s=561a958d6c90a57d39087982b57f8273'" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.231 - - [07/Mar/2010:21:21:05 +0800] "GET /forum/index.php?/forum/147-%E5%8D%81%E4%BA%8C%E6%9C%88/?s=561a958d6c90a57d39087982b57f8273 HTTP/1.1" 200 153579 "http://ipb.tw/forum/index.php?/forum/147-%E5%8D%81%E4%BA%8C%E6%9C%88/?s=561a958d6c90a57d39087982b57f8273" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.236 - - [07/Mar/2010:21:21:09 +0800] "GET /forum/index.php?app=downloads&id=18&module=ajax&rating=4?s=eafc57480c55000ae38913632f06bc69'&section=rate HTTP/1.1" 200 12 "http://ipb.tw/forum/index.php?app=downloads&id=18&module=ajax&rating=4?s=eafc57480c55000ae38913632f06bc69'&section=rate" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.241 - - [07/Mar/2010:21:21:05 +0800] "GET /forum/index.php?/forum/392-%E8%97%9D%E6%96%87%E6%AC%A3%E8%B3%9E/?s=2df023d942bb0395cc95b22f646af7f6 HTTP/1.1" 200 112145 "http://ipb.tw/forum/index.php?/forum/392-%E8%97%9D%E6%96%87%E6%AC%A3%E8%B3%9E/?s=2df023d942bb0395cc95b22f646af7f6" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.61.32.55 - - [07/Mar/2010:21:20:57 +0800] "GET /forum/index.php?s=eafc57480c55000ae38913632f06bc69 HTTP/1.1" 200 191697 "http://ipb.tw/forum/index.php?s=eafc57480c55000ae38913632f06bc69" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.236 - - [07/Mar/2010:21:21:07 +0800] "GET /forum/index.php?/forum/141-%E5%85%AD%E6%9C%88/?s=561a958d6c90a57d39087982b57f8273 HTTP/1.1" 200 160197 "http://ipb.tw/forum/index.php?/forum/141-%E5%85%AD%E6%9C%88/?s=561a958d6c90a57d39087982b57f8273" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.61.32.55 - - [07/Mar/2010:21:21:09 +0800] "GET /forum/index.php?/forum/397-%E8%B3%BC%E7%89%A9%E5%BF%AB%E5%A0%B1/?s=eafc57480c55000ae38913632f06bc69 HTTP/1.1" 200 136988 "http://ipb.tw/forum/index.php?/forum/397-%E8%B3%BC%E7%89%A9%E5%BF%AB%E5%A0%B1/?s=eafc57480c55000ae38913632f06bc69" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.231 - - [07/Mar/2010:21:21:09 +0800] "GET /forum/index.php?/user/1532-%E8%A8%B1%E8%93%8B%E5%8A%9F%E9%96%B1/?s=eafc57480c55000ae38913632f06bc69 HTTP/1.1" 200 107665 "http://ipb.tw/forum/index.php?/user/1532-%E8%A8%B1%E8%93%8B%E5%8A%9F%E9%96%B1/?s=eafc57480c55000ae38913632f06bc69" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.241 - - [07/Mar/2010:21:21:07 +0800] "GET /forum/index.php?/index?s=88f811f1cbb08008198779b6526c8fd1 HTTP/1.1" 200 191704 "http://ipb.tw/forum/index.php?/index?s=88f811f1cbb08008198779b6526c8fd1" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.61.32.55 - - [07/Mar/2010:21:21:02 +0800] "GET /forum/index.php?/topic/18790-fromitidgh483987hotmailcom/page__p__21628 HTTP/1.1" 200 151985 "http://ipb.tw/forum/index.php?/topic/18790-fromitidgh483987hotmailcom/page__p__21628" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.61.32.55 - - [07/Mar/2010:21:21:11 +0800] "GET /forum/index.php?/forum/11-%E5%81%A5%E5%BA%B7%E7%94%9F%E6%B4%BB/?s=eafc57480c55000ae38913632f06bc69 HTTP/1.1" 200 102175 "http://ipb.tw/forum/index.php?/forum/11-%E5%81%A5%E5%BA%B7%E7%94%9F%E6%B4%BB/?s=eafc57480c55000ae38913632f06bc69" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.231 - - [07/Mar/2010:21:21:11 +0800] "GET /forum/index.php?/ircChat/?s=b9b0d85fb7b4bc835435c0aca4415a6d' HTTP/1.1" 200 101922 "http://ipb.tw/forum/index.php?/ircChat/?s=b9b0d85fb7b4bc835435c0aca4415a6d'" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.231 - - [07/Mar/2010:21:21:15 +0800] "GET /forum/index.php?app=forums&forumid=446&i=1?s=eafc57480c55000ae38913632f06bc69&marktype=forum&module=forums&returntoforumid=0&section=markasread HTTP/1.1" 302 - "http://ipb.tw/forum/index.php?app=forums&forumid=446&i=1?s=eafc57480c55000ae38913632f06bc69&marktype=forum&module=forums&returntoforumid=0&section=markasread" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.241 - - [07/Mar/2010:21:21:11 +0800] "GET /forum/index.php?/topic/18882-%E6%89%8B%E6%A9%9Fnokia2730-%E9%9B%BB%E8%85%A6%E7%AB%AF%E5%A5%97%E4%BB%B6%E5%8C%AF%E5%85%A5csv%E9%80%9A%E8%A8%8A%E9%8C%84/page__view__getnewpost?s=eafc57480c55000ae38913632f06bc69' HTTP/1.1" 200 151175 "http://ipb.tw/forum/index.php?/topic/18882-%E6%89%8B%E6%A9%9Fnokia2730-%E9%9B%BB%E8%85%A6%E7%AB%AF%E5%A5%97%E4%BB%B6%E5%8C%AF%E5%85%A5csv%E9%80%9A%E8%A8%8A%E9%8C%84/page__view__getnewpost?s=eafc57480c55000ae38913632f06bc69'" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.61.32.55 - - [07/Mar/2010:21:21:17 +0800] "GET /forum/index.php?app=core&module=task'&s=54b7797587ff9a5c41c26cf4501f9917 HTTP/1.1" 302 - "http://ipb.tw/forum/index.php?app=core&module=task'&s=54b7797587ff9a5c41c26cf4501f9917" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.61.32.55 - - [07/Mar/2010:21:21:19 +0800] "GET /forum HTTP/1.1" 301 284 "http://ipb.tw/forum" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.60.14.241 - - [07/Mar/2010:21:21:09 +0800] "GET /forum/index.php?app=core&module=search?s=b9b0d85fb7b4bc835435c0aca4415a6d' HTTP/1.1" 200 138677 "http://ipb.tw/forum/index.php?app=core&module=search?s=b9b0d85fb7b4bc835435c0aca4415a6d'" "Mozilla/4.0 (compatible; MSIE 6.0)"
......
......
......

kenduest

  • 酷!學園 senior members
  • I'm a PhD!
  • Posts: 3675
    • http://kenduest.sayya.org
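Re: What kind of attack is this, leaving the Server nearly dead?!
« Reply #1 on: 2010-03-09 09:14 »

A search engine crawling the site?

I suggest restricting your forum's search function to logged-in members only; that would cut down on this kind of trouble.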
I am kenduest - 小州

my website: http://kenduest.sayya.org/

Aeolus

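Re: What kind of attack is this, leaving the Server nearly dead?!
« Reply #2 on: 2010-03-09 10:06 »
Thanks for the reply.

The forum already enforces a 60-second wait before a second search is allowed.

Quote
The search interval is limited to 60 seconds; please try again later.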

twu2

  • Administrator
  • I'm a PhD!
  • Posts: 5396
  • Gender: Male
    • http://blog.teatime.com.tw/1
Re: What kind of attack is this, leaving the Server nearly dead?!
« Reply #3 on: 2010-03-09 12:36 »
A search engine bot does not look things up through your search function... it crawls the whole site.

Aeolus

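Re: What kind of attack is this, leaving the Server
« Reply #4 on: 2010-03-10 06:25 »
A few bots commonly seen on the forum:
Google ( 66.249.91.104 )      MSN/Bing ( 207.46.204.241 )      Yahoo ( 67.195.115.213 )

They all come to fetch data from time to time, and they are all fine.

Looking them up at http://www.whois365.com/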

Google ( 66.249.65.33 )
Quote
NetRange: 66.249.64.0 - 66.249.95.255
CIDR: 66.249.64.0/19
NetName: GOOGLE
NetHandle: NET-66-249-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
NameServer: NS3.GOOGLE.COM
NameServer: NS4.GOOGLE.COM
/var/log/apache2/access.log
Quote
[16/Jan/2010:00:58:17 +0800] "GET /forum/index.php?app=forums&module=extras&section=stats&do=who&t=4033 HTTP/1.1" 200 7628 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

MSN/Bing ( 207.46.204.241 )
Quote
NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET
NetHandle: NET-207-46-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
/var/log/apache2/access.log
Quote
[02/Mar/2010:04:04:20 +0800] "GET /forum/index.php?/topic/4133-%e9%bb%91%e9%bb%91%e5%a4%a7%e5%a4%a7%e5%a5%bd%e6%9c%89%e5%95%8f%e9%a1%8c%e5%95%8f%e5%93%a9/ HTTP/1.1" 200 40607 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"

Yahoo ( 67.195.114.33 )
Quote
NetRange: 67.195.0.0 - 67.195.255.255
CIDR: 67.195.0.0/16
NetName: A-YAHOO-US8
NetHandle: NET-67-195-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YAHOO.COM
NameServer: NS2.YAHOO.COM
NameServer: NS3.YAHOO.COM
NameServer: NS4.YAHOO.COM
NameServer: NS5.YAHOO.COM
/var/log/apache2/access.log
Quote
[27/Dec/2009:06:07:49 +0800] "GET /robots.txt HTTP/1.0" 404 224 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

And the suspected intruding IP => 58.60.14.231
Quote
inetnum: 58.60.0.0 - 58.63.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: IC83-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GD
mnt-routes: MAINT-CHINANET-GD
status: ALLOCATED PORTABLE
/var/log/apache2/access.log
Quote
[07/Mar/2010:21:56:29 +0800] "GET /forum/index.php?/index?s=b5c56f3455b32aca70e8de481195e40c HTTP/1.1" 200 191704 "http://ipb.tw/forum/index.php?/index?s=b5c56f3455b32aca70e8de481195e40c" "Mozilla/4.0 (compatible; MSIE 6.0)"

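The records for the intruding IP are clearly different from those of the first three. Even if it is a bot, it is not a benign one; I just feel it probably isn't a bot.

How I'm handling it for now:
(1) First, blocked the range 58.60.0.0 - 58.63.255.255
(2) Installed libapache2-mod-evasive,
     Reference => http://www.debianadmin.com/how-to-protect-apache-against-dosddos-or-brute-force-attacks.html
     and, following the installation notes shipped with the module, added the following to http.conf
Code: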
    <IfModule mod_evasive20.c>
        DOSHashTableSize    3097
        DOSPageCount        2
        DOSSiteCount        50
        DOSPageInterval     1
        DOSSiteInterval     1
        DOSBlockingPeriod   10
        DOSLogDir           "/var/lock/mod_evasive"
    </IfModule>
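(3) Added to iptables

Code:
iptables -A FORWARD -i $EXTIF -p tcp --syn -m limit --limit 1/s -j ACCEPT
     Reference => http://linux.vbird.org/linux_server/0250simple_firewall.php#local_script
(4) As in (1) above, the range 58.60.0.0 - 58.63.255.255 is blocked. But blocking it like this also achieves his goal: some IPs can no longer reach the site.
    In other words, if (2) and (3) are effective, would it then be unnecessary to block those IPs?

I'm not sure whether this is appropriate?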

Thanks.
« Last edit: 2010-03-10 06:51 by Aeolus »
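
Added example, not part of the original posts: the traits that set the quoted access.log entries apart from the crawler entries (Referer identical to the requested URL, a second `?` before `s=`, a stray `'`), checked in Python and counted per whois range rather than per IP, since the requests rotate across several addresses. The site prefix `http://ipb.tw` comes from the log; the function names are made up for this example, and the Googlebot sample line is constructed by joining the IP and the log entry quoted in the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, summarize_address_range

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"')

# Three lines copied from the quoted log, plus one constructed Googlebot line
# (IP and request taken from the later post, joined into one entry).
SAMPLE = """\
58.60.14.236 - - [07/Mar/2010:21:20:57 +0800] "GET /forum/index.php?/calendar/?s=561a958d6c90a57d39087982b57f8273' HTTP/1.1" 200 191724 "http://ipb.tw/forum/index.php?/calendar/?s=561a958d6c90a57d39087982b57f8273'" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.61.32.55 - - [07/Mar/2010:21:20:57 +0800] "GET /forum/index.php?s=eafc57480c55000ae38913632f06bc69 HTTP/1.1" 200 191697 "http://ipb.tw/forum/index.php?s=eafc57480c55000ae38913632f06bc69" "Mozilla/4.0 (compatible; MSIE 6.0)"
58.61.32.55 - - [07/Mar/2010:21:21:19 +0800] "GET /forum HTTP/1.1" 301 284 "http://ipb.tw/forum" "Mozilla/4.0 (compatible; MSIE 6.0)"
66.249.65.33 - - [16/Jan/2010:00:58:17 +0800] "GET /forum/index.php?app=forums&module=extras&section=stats&do=who&t=4033 HTTP/1.1" 200 7628 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
""".splitlines()

def parse(line):
    m = LINE.match(line)
    return dict(zip(("ip", "path", "referer", "agent"), m.groups())) if m else None

def signals(rec, site="http://ipb.tw"):
    """Traits seen in the thread's log; `site` is the scheme and host from its Referer field."""
    found = set()
    if rec["referer"] == site + rec["path"]:
        found.add("self_referer")   # Referer is the requested URL itself
    if rec["path"].count("?") > 1:
        found.add("double_query")   # "?s=" appended to a URL that already has "?"
    if "'" in rec["path"]:
        found.add("stray_quote")    # unencoded ' after the s= value
    return found

def covering_networks(first, last):
    """CIDR blocks for a whois inetnum range such as 58.60.0.0 - 58.63.255.255."""
    return list(summarize_address_range(ip_address(first), ip_address(last)))

def flagged_by_network(lines, networks):
    """Count self-referring requests per network (per IP when outside every network)."""
    hits = Counter()
    for rec in filter(None, map(parse, lines)):
        if "self_referer" not in signals(rec):
            continue
        addr = ip_address(rec["ip"])
        net = next((n for n in networks if addr in n), None)
        hits[str(net) if net else rec["ip"]] += 1
    return hits

if __name__ == "__main__":
    nets = covering_networks("58.60.0.0", "58.63.255.255")
    print(nets, flagged_by_network(SAMPLE, nets))
```

Run against the full access.log, the per-range count shows how much of the load comes from the one allocation even when no single address stands out.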

Aeolus

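Re: What kind of attack is this, leaving the Server
« Reply #5 on: 2010-03-11 13:44 »
After testing, it appears to work. You can try the link below:

http://forum.ipb.tw

Once connected, hold down F5 until the Forbidden page appears, usually after 5~6 refreshes; then wait a few minutes and press it once more, and the page displays normally again.
« Last edit: 2010-07-11 07:37 by Aeolus »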

Aeolus

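Re: What kind of attack is this, leaving the Server nearly dead?!
« Reply #6 on: 2010-07-11 07:46 »
Following this article, I tightened things further. It seems to work quite well; observed average memory usage has dropped by 15%~20%.

Code: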
<IfModule prefork.c>
StartServers 2
MinSpareServers 3
MaxSpareServers 5
ServerLimit 16
MaxClients 16
MaxRequestsPerChild 400000
</IfModule>