We are currently facing attacks (probably DDOS) on our server. The incoming network traffic goes from an average of 20Mbps to 1Gbps in just 2-3 minutes. The lines in our log files usually look like:

101.101.101.101 - - [23/Nov/2020:01:01:01 +0200] "GET /wp-content/uploads/image.png HTTP/1.0" 200 425 "https://mypage.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/604.1.15 (KHTML, like Gecko) GSA/100.00 Mobile/15E100 Safari/604.1"

However, in the time frame of the attacks the lines look like:

101.101.101.101 - - [23/Nov/2020:01:01:01 +0200] "GET / HTTP/1.0" 200 18710 "https://www.qq.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/604.1.15 (KHTML, like Gecko) GSA/100.00 Mobile/15E100 Safari/604.1"

So instead of my page, some other websites are somehow called. Besides qq.com, the URLs reddit.com, baido.com and some others are called thousands of times.

So to my questions:

  • What does the second entry exactly mean and how does this produce traffic on our server?
  • How can we prevent such requests (firewall, fail2ban etc. are already set)?
arety_

1 Answer

Check in your web server what log format is configured and you will know what each field from each line in the log file is meant to represent.

See for instance the fields Apache httpd can log: https://httpd.apache.org/docs/2.4/mod/mod_log_config.html

Note that some fields are filled with data your server provides, but some fields are filled with data collected from what the client includes in a request. That client data can be authentic but can also be crafted by whoever sends the request, and though interesting, it may not be reliable.

Web servers commonly log the client headers for the Referrer and the User-Agent browser identification string. In valid traffic those will be mostly genuine and represent how users found your content and what browser they are using to visit your site.

Good to know: even for valid traffic some real browsers and plugins allow tuning of their identity (mobile or not and other ways to hide the OS and browser) or will simply omit Referrer headers to prevent tracking.

Bob
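A worked example, added here and not part of either post: a small Python parser for Apache's "combined" LogFormat (`%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"`, which nginx's default `combined` format matches as well) that tallies requests per Referer host, so that off-site referers suddenly dominating the log, as in the question, stand out. The sample lines are constructed in the style of the question; the site name `mypage.com` and the function names are assumptions, not anything from the original page.

```python
"""Parse 'combined' web-server log lines and tally the client-supplied
Referer header per host, so a burst of off-site referers can be spotted.

Field order follows Apache's LogFormat "combined":
  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
%h, %t, %>s and %b are observed by the server; %r, Referer and
User-Agent are copied from whatever the client sent, so they may be forged.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Fields the client controls; everything else is filled in by the server.
CLIENT_SUPPLIED = ("request", "referer", "agent")


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it doesn't match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # %b logs "-" for 0 bytes
    return rec


def referer_host(referer):
    """Host part of a Referer value; 'direct' when the header was absent."""
    if referer in ("", "-"):
        return "direct"
    return urlsplit(referer).hostname or referer


def referer_counts(lines, own_hosts):
    """Count requests per referer host and classify them as direct, on-site or off-site.

    own_hosts: hostnames belonging to this site (a leading "www." is ignored);
    a referer from any other host is counted as 'offsite'.
    """
    per_host = Counter()
    by_class = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            by_class["unparsed"] += 1
            continue
        host = referer_host(rec["referer"])
        per_host[host] += 1
        bare = host[4:] if host.startswith("www.") else host
        if host == "direct":
            by_class["direct"] += 1
        elif bare in own_hosts:
            by_class["onsite"] += 1
        else:
            by_class["offsite"] += 1
    return per_host, by_class


# Constructed sample (assumption): two ordinary requests, three in the
# pattern the question describes (root URL, unrelated referer, identical
# User-Agent) and one line that is not in combined format at all.
UA = ('Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/604.1.15 '
      '(KHTML, like Gecko) GSA/100.00 Mobile/15E100 Safari/604.1')
SAMPLE_LINES = [
    '101.101.101.101 - - [23/Nov/2020:01:01:01 +0200] "GET /wp-content/uploads/image.png HTTP/1.0" 200 425 "https://mypage.com/" "%s"' % UA,
    '101.101.101.102 - - [23/Nov/2020:01:01:02 +0200] "GET /about/ HTTP/1.1" 200 9120 "-" "%s"' % UA,
    '101.101.101.103 - - [23/Nov/2020:01:01:03 +0200] "GET / HTTP/1.0" 200 18710 "https://www.qq.com" "%s"' % UA,
    '101.101.101.104 - - [23/Nov/2020:01:01:03 +0200] "GET / HTTP/1.0" 200 18710 "https://www.reddit.com" "%s"' % UA,
    '101.101.101.105 - - [23/Nov/2020:01:01:04 +0200] "GET / HTTP/1.0" 200 18710 "https://www.qq.com" "%s"' % UA,
    'this line is not in combined format',
]

if __name__ == "__main__":
    per_host, by_class = referer_counts(SAMPLE_LINES, {"mypage.com"})
    print("by class:", dict(by_class))
    for host, n in per_host.most_common():
        print(f"{n:6d}  {host}")
```

Running it against a real access log (`referer_counts(open("access.log"), {"mypage.com"})`) gives a per-host table in which the referers named in the question would sit at the top during an attack window; because the Referer is client-supplied, the count says only what the sender chose to write there, not that qq.com or reddit.com actually linked to the site, which is exactly the answer's point about reliability.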