my IP being spammed with HTTP calls.

Discussion in 'Apache' started by karnbo, Oct 18, 2008.

  1. #1
    Hi Folks

    Please help with this tricky problem.
    I have an Apache webserver, working together with tomcat,
    serving 3 virtual hosts. In my http.conf it looks something like:

    -----------------------------------
    NameVirtualHost *:80

    <VirtualHost *:80>
    ServerName default.example.com
    ServerAlias default.example.com
    DocumentRoot /var/www/html/default_page
    ServerAdmin admin@example.net
    ErrorLog logs/default_example_com-error_log
    CustomLog logs/default_example_com-access_log common
    </VirtualHost>

    <VirtualHost *:80>
    ServerName host1.net
    ServerAlias host1.net *.host1.net
    DocumentRoot /mnt/sda1/somepath
    ServerAdmin admin@host1.net
    ErrorLog logs/host1.net-error_log
    CustomLog logs/host1.net-access_log common
    RewriteEngine on
    RewriteRule ^(.*\.jsp)$ ajp://localhost:8009/$1 [P,L]
    </VirtualHost>

    <VirtualHost *:80>
    ServerName host2.se
    ServerAlias host2.se *.host2.se
    DocumentRoot /mnt/sda1/somepath
    ServerAdmin admin@host2.net
    ErrorLog logs/host2.se-error_log
    CustomLog logs/host2.se-access_log common
    RewriteEngine on
    RewriteRule ^(.*\.jsp)$ ajp://localhost:8009/$1 [P,L]
    </VirtualHost>
    -----------------------------------

    This works fine.
    However, the default host, that is the first one, is spammed with a lot of junk calls (requests probably addressed to my IP, maybe even randomly!?).
    Right now, every hour, I scan the log (default_example_com-access_log) and add all the calling IPs to the /etc/sysconfig/iptables, preventing them from spamming me again.
    However, every hour, 100-200 new IPs spamming me are found, and the iptables grows very fast. I figure more people probably have had this issue?

    Examples of the junk calls reaching me (default_example_com-access_log):
    -----------------
    219.133.9.113 - - [18/Oct/2008:10:11:13 +0200] "GET http://www.zk365.us/ HTTP/1.0" 200 28725
    60.180.222.50 - - [18/Oct/2008:10:11:18 +0200] "GET http://www.google.com/intl/zh-CN/ HTTP/1.1" 200 5518
    219.133.9.113 - - [18/Oct/2008:10:11:36 +0200] "GET http://www.zk365.us/ HTTP/1.0" 200 28725
    77.35.28.194 - - [18/Oct/2008:10:11:38 +0200] "GET http://search.yahoo.com/ HTTP/1.0" 200 6157
    77.120.67.25 - - [18/Oct/2008:10:11:39 +0200] "GET http://www.nassc.com/pr.php HTTP/1.1" 200 1325
    77.35.28.194 - - [18/Oct/2008:10:11:39 +0200] "GET http://images.google.com/ HTTP/1.0" 200 5922
    41.233.192.187 - - [18/Oct/2008:10:11:39 +0200] "GET http://images.google.com/ HTTP/1.1" 200 5916
    77.35.28.194 - - [18/Oct/2008:10:11:40 +0200] "CONNECT www.microsoft.com:443 HTTP/1.0" 200 -
    41.233.192.187 - - [18/Oct/2008:10:11:40 +0200] "GET http://www.aol.com/ HTTP/1.1" 200 68207
    41.233.192.187 - - [18/Oct/2008:10:11:42 +0200] "CONNECT www.microsoft.com:443 HTTP/1.0" 200 -
    61.140.189.187 - - [18/Oct/2008:10:11:43 +0200] "GET http://web.51.la/go.asp?we=A-Free-Service-for-W....
    =1024,768&referrer=http%3A//news.163.com/&vpage=http%3A//www.piaoge.com/ HTTP/1.1" 200 -
    92.124.179.63 - - [18/Oct/2008:10:11:42 +0200] "CONNECT 205.188.179.233:443 HTTP/1.0" 200 -
    74.32.195.251 - - [18/Oct/2008:10:11:52 +0200] "GET http://n10.login.re3.yahoo.com/config/isp_...
    219.133.9.113 - - [18/Oct/2008:10:11:54 +0200] "GET http://www.zk365.us/ HTTP/1.0" 200 28725
    -----------------

    Observe, none of those calls are actually addressed to my server; maybe someone (robots) tries to relay calls through my server!? I'll attach the access-log.
    Anyone who has had a similar problem and maybe found a smart solution? My current solution seems to take quite some bandwidth (as soon as I switch the server off, I can surf as normal; I have 8 MB uplink and 8 MB downlink).
    Grateful for any help
    Cheers
    karnbo
     


    karnbo, Oct 18, 2008 IP
  2. Ladadadada

    Ladadadada Peon

    #2
    These are not normal requests. A normal request starts with a slash and not a fully qualified URL:
    GET /index.php
    Since they are malformed requests, we can detect and reject them.

    You can add a rewrite rule that will catch these types of requests and send them a 403 response.

    Something like this:
    RewriteCond %{THE_REQUEST} (GET|CONNECT)\ [^/] [NC]
    RewriteRule .* - [F]
    You may need to add extra request methods if they are using more than just GET and CONNECT.

    The advantage of this is that it will use much less CPU time than invoking PHP to generate your normal pages and hopefully significantly less bandwidth because a 403 response is pretty small compared to your normal pages.

    Another tip might be to check how long each IP address keeps coming back for once it is added to the firewall. If they only keep trying for an hour or two then remove them from the block list after three hours. That should keep your IPTables configuration a bit smaller.

    Lastly, make sure you are dropping the connections and not rejecting them (i.e. -j DROP instead of -j REJECT). Dropping the connection doesn't send any kind of response, which ties up resources on their end for a period of time, which hurts the spammers. Rejecting the connection sends a response, which means they can immediately end the connection and start a new one. Making life more difficult for spammers is good.
     
    Ladadadada, Oct 20, 2008 IP
    devilkitty likes this.
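    Added example, not from this thread: a small Python script that applies the check Ladadadada describes (a request-target that does not start with a slash, or a CONNECT method, means the client is asking the server to act as a forward proxy) to lines in Apache common log format, and summarizes per client IP how many such requests it made and for how long it kept coming back, which is the data needed for the "how long to keep an IP blocked" suggestion above. The log lines, addresses and hostnames below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "common" log format, modelled on the
# lines in the first post (the IPs, hosts and timestamps here are made up).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Oct/2008:10:11:13 +0200] "GET http://www.example.org/ HTTP/1.0" 200 28725
203.0.113.10 - - [18/Oct/2008:10:11:36 +0200] "GET http://www.example.org/ HTTP/1.0" 200 28725
198.51.100.7 - - [18/Oct/2008:10:11:40 +0200] "CONNECT www.example.net:443 HTTP/1.0" 200 -
192.0.2.44 - - [18/Oct/2008:10:12:01 +0200] "GET /index.html HTTP/1.1" 200 1325
198.51.100.7 - - [18/Oct/2008:12:30:02 +0200] "GET http://www.example.com/intl/ HTTP/1.1" 200 5518
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def is_proxy_style(method: str, target: str) -> bool:
    """True when the request-target is not a plain origin-form path.
    A request meant for this server starts with '/'; an absolute URI
    (http://...) or a CONNECT host:port is a forward-proxy request."""
    if method == "CONNECT":
        return True
    return not target.startswith("/")

def summarize_proxy_abuse(log_text: str) -> dict:
    """Per-IP summary of proxy-style requests: count, first/last seen,
    and how many seconds the IP kept coming back, so a firewall block
    can be sized to the observed activity window rather than kept forever."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # truncated or otherwise unparseable line; skip it
        if is_proxy_style(m["method"], m["target"]):
            seen[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    result = {}
    for ip, times in seen.items():
        times.sort()
        result[ip] = {
            "count": len(times),
            "first_seen": times[0],
            "last_seen": times[-1],
            "active_seconds": int((times[-1] - times[0]).total_seconds()),
        }
    return result
```

    To run it on a real log, pass the contents of default_example_com-access_log to summarize_proxy_abuse instead of SAMPLE_LOG; IPs that make no proxy-style requests (192.0.2.44 above) do not appear in the result.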
  3. karnbo

    karnbo Peon

    #3
    Thanks a lot. It works:)
     
    karnbo, Oct 21, 2008 IP
  4. Krnl

    Krnl Peon

    #4
    Another point here is that using DROP instead of REJECT helps to lower the bandwidth used on your end, since you aren't replying to the spammer; that's fewer outgoing packets on your interface. Using DROP vice REJECT is beneficial from that standpoint as well.
     
    Krnl, Oct 21, 2008 IP
  5. aclmaps

    aclmaps Guest

    #5
    Does the NC mean to drop or ?? the connection?

    Sorry to be a nuisance but can you give an example of how this could be done. One last question. Can I place the above in my httpd.conf so it will work for all the virtual servers I have on my server?

    Thanks,

    acl
     
    aclmaps, Oct 26, 2008 IP
  6. DDHS Bob

    DDHS Bob Banned

    #6
    You can ban an IP in iptables with:

    iptables -I INPUT -s 25.55.55.55 -j DROP

    Replacing 25.55.55.55 with the IP you want banned of course
     
    DDHS Bob, Oct 26, 2008 IP
  7. optimizare

    optimizare Active Member

    #7
    I think that your IP has a loophole and is being used as proxy..

    To test this, just put your IP and port 80 in your browser as a proxy and try to visit another site. If this is the case, you need to fix it so that it won't act as a proxy.

    Regards
     
    optimizare, Oct 26, 2008 IP
  8. aclmaps

    aclmaps Guest

    #8
    I'm trying the above suggestion and also added the following. Now I have another log file to check :)

    RewriteLogLevel 3
    RewriteLog /usr/local/apache/domlogs/angelescitylife.com-rewrite

    Thanks

    acl
     
    aclmaps, Oct 26, 2008 IP
  9. dualpacket

    dualpacket Banned

    #9
    I recommend installing csf firewall and mod security, and then add mod security rules.
     
    dualpacket, Oct 28, 2008 IP
  10. karnbo

    karnbo Peon

    #10
    optimizare! Tnx. I tried your trick to see if I had my server configured as a proxy, but no success. Today I was just looking through my httpd.conf file, and I saw that Proxy was enabled. I removed it and it solved the problem. This was definitely my main problem! Thanks!
    This proxy thing cost me a lot of pain...
     
    karnbo, Nov 7, 2008 IP
  11. root1987

    root1987 Peon

    #11
    try to use openvpn or pptpd
     
    root1987, Nov 7, 2008 IP