Pattern matching odd HTTP request
Jake Khuon
khuon at GBLX.Net
Tue Sep 18 22:30:16 UTC 2001
### On Wed, 19 Sep 2001 00:20:19 +0200, "Karsten W. Rohrbach"
### <karsten at rohrbach.de> casually decided to expound upon
### mike at biggorilla.com the following thoughts about "Re: Pattern matching
### odd HTTP request":
KWR> mike at biggorilla.com(mike at biggorilla.com)@2001.09.18 17:03:44 +0000:
KWR> [...]
KWR> > Doesn't seem new...
KWR> >
KWR> > 195.188.192.18 - - [13/Sep/1999:02:23:43 -0500] "-" 408 - "-" "-"
KWR> > 195.188.192.18 - - [14/Sep/1999:02:18:54 -0500] "-" 408 - "-" "-"
KWR> >
KWR> > But just a little more increased.
KWR>
KWR> --- rfc2616 - http 1.1:
KWR> 10.4.9 408 Request Timeout
KWR>
KWR> The client did not produce a request within the time that the server
KWR> was prepared to wait. The client MAY repeat the request without
KWR> modifications at any later time.
KWR> ---
KWR>
KWR> take care,
Yes... but when you're seeing this:
...
208.178.31.134 - - [18/Sep/2001:15:22:21 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:22:23 -0700] "-" 408 -
208.178.47.36 - - [18/Sep/2001:15:23:19 -0700] "-" 408 -
208.178.144.36 - - [18/Sep/2001:15:23:30 -0700] "-" 408 -
208.178.120.13 - - [18/Sep/2001:15:23:37 -0700] "-" 408 -
208.178.31.138 - - [18/Sep/2001:15:23:42 -0700] "-" 408 -
208.35.212.156 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
208.178.31.134 - - [18/Sep/2001:15:23:51 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:23:52 -0700] "-" 408 -
208.178.47.36 - - [18/Sep/2001:15:24:49 -0700] "-" 408 -
208.178.144.36 - - [18/Sep/2001:15:25:00 -0700] "-" 408 -
208.178.120.13 - - [18/Sep/2001:15:25:07 -0700] "-" 408 -
208.178.31.138 - - [18/Sep/2001:15:25:12 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:25:18 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:25:19 -0700] "-" 408 -
208.35.212.156 - - [18/Sep/2001:15:25:20 -0700] "-" 408 -
208.178.31.134 - - [18/Sep/2001:15:25:22 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:25:23 -0700] "-" 408 -
208.178.47.36 - - [18/Sep/2001:15:26:19 -0700] "-" 408 -
208.178.120.13 - - [18/Sep/2001:15:26:37 -0700] "-" 408 -
...
You start to suspect a DDOS port-flood attack. It's certainly causing me to
spawn a lot of httpds and occupying a lot of ports.
--
/*====================[ Jake Khuon <khuon at GBLX.Net> ]======================+
| Chief Global Data Network Management Architect /~_ |_ () |3 /-\ |_ |
| VOX: +1 (425) 391-2262 Fax: +1 (425) 391-6772 \_| C R O S S I N G |
+=============[ 900 4th. Ave., Floor 12, Seattle, WA 98164 ]=============*/
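
The pattern discussed in this thread (many `"-" 408` entries arriving close together from several sources) can be checked for mechanically. The following is an added example, not part of the original post: a small Python detector over Apache common-log lines. The function names, window size and thresholds are assumptions for illustration, and the sample lines are constructed using documentation addresses.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Apache common log format; trailing referer/user-agent fields are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse(line):
    """Return (ip, epoch_seconds, request, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], int(ts.timestamp()), m["req"], int(m["status"])

def idle_timeout_bursts(lines, window_s=60, min_hits=5, min_sources=3):
    """Flag fixed windows where empty-request 408s are frequent and multi-source (assumed thresholds)."""
    buckets = defaultdict(Counter)          # window start -> per-IP hit count
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, epoch, req, status = rec
        if status == 408 and req == "-":    # connection opened, no request sent
            buckets[epoch - epoch % window_s][ip] += 1
    flagged = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        hits = sum(per_ip.values())
        if hits >= min_hits and len(per_ip) >= min_sources:
            stamp = datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            flagged.append((stamp, hits, len(per_ip)))
    return flagged

# Constructed sample in the post's log format (RFC 5737 documentation addresses).
SAMPLE = """\
192.0.2.10 - - [18/Sep/2001:15:23:37 -0700] "-" 408 -
192.0.2.11 - - [18/Sep/2001:15:23:42 -0700] "-" 408 -
198.51.100.7 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
192.0.2.12 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
192.0.2.12 - - [18/Sep/2001:15:23:52 -0700] "-" 408 -
192.0.2.10 - - [18/Sep/2001:15:24:05 -0700] "GET / HTTP/1.0" 200 1043
203.0.113.5 - - [18/Sep/2001:15:27:30 -0700] "-" 408 -
""".splitlines()

if __name__ == "__main__":
    print(idle_timeout_bursts(SAMPLE))
```

An isolated 408 like the last sample line stays below both thresholds and is not flagged; only the window with five hits from four sources is reported.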