7

My Apache web-server on Linux is being flooded by massive requests for a non-existent file. The immediate impact is the rapid growth of the access & error log. I already took care of this by not logging these requests (if it matched the particular string.). We're talking about 40 to 50 requests per second from multiple IP addreses (for the same file).

I initially thought about it being a botnet but I believe it's some script-kiddie spoofing the source ip. I'm running iptables on the server and I was wondering, how these packets reached the application layer (the HTTP server) bypassing the TCP/IP initial handshake? If I have:

--Default Policy for INPUT chain is to DROP
<snip>
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
<...>
<snip>
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

...shouldn't the SYN/ACK my server responds - after an initial connection request- be sent to the spoofed ip? And therefore lost? And if packets are crafted , as to appear to be from an established connection, shouldn'the state-tracking mechanism of netfilter handle this (via the RELATED,ESTABLISHED line above) and recognize them as not part of an established session and therefore DROPPING them (via the default policy: DROP)?

Thanks in advance, Craconia

p.d. the requests are coming from valid internet addreses.

  • 1
    Update: Thank you all who responded. It turned out to be GENUINE traffic. The culprit was some code (and some javascript) making references for this file (that appeared to be coming from EVERYWHERE on the site). My main concern was how was possible to spoof an ip and initiate and actual TCP/IP handshake (what I thought was happening) but now i know it wasn't so I'm fine with iptables again :). thanks. –  Nov 08 '10 at 17:08

3 Answers3

8

Even if they spoof the source IP the SYN/ACK TCP handshake is required before a connection can be made to Apache. This efficiently prevents a spoofed TCP connection. So, you can be pretty sure all connections are made from the IP addresses you can see in the logs.

A bot net or open proxy is a more likely culpit. That or a vulnerability in a webpage somewhere. A classic exploit is embedding a link to a large object on your webserver in the HTML of a website, making all clients hit your webserver trying to fetch the object from your server...

Your IPTABLES rules does make sense now ;)

pehrs
  • 8,749
  • 29
  • 46
  • 1
    There is nothing wrong with those `iptables` rules. They make perfect sense in the context of a DROP policy on the INPUT chain. I do agree with your explanation of why the three-way TCP handshake practically eliminates spoofed TCP connections. – Steven Monday Nov 08 '10 at 16:24
  • I must have gotten confused by the explanations of what the rules were intended to do so I missed the default rule. Thanks for pointing it out. I updated the post. – pehrs Nov 08 '10 at 16:33
  • +1 for your edited post. – Steven Monday Nov 08 '10 at 16:53
  • Thanks pehrs. I updated the question with the final verdict, kind of like the link exploit you mentioned :) –  Nov 08 '10 at 17:05
5

Your iptables rules are fine. There is nothing more you can really do in the context of your firewall, except to ensure that you're not being caught by someone using source-routing. There is a setting in the Linux kernel called the rp_filter (reverse-path filter) that you can turn on to block packets that specify a source route. Since source routing is almost never used outside diagnostic contexts, it is safe to block such packets.

Most Linux systems have /etc/sysctl.conf, which contains kernel settings. Add the following lines to that file:

net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

and then reboot to ensure these variables are set. Alternatively, you can set them at runtime on your individual network interfaces by the usual means, e.g.

echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
...

or

sysctl -w net.ipv4.conf.eth0.rp_filter=1
sysctl -w net.ipv4.conf.eth1.rp_filter=1
...
Steven Monday
  • 13,019
  • 4
  • 35
  • 45
  • Thanks Steven. I never thought about source routing; that's a good one. I updated the question. –  Nov 08 '10 at 17:03
1

How did you eliminate the possibility of a botnet?

Could the attacker be using IP Source Routing?


from above URL

Unfortunately, source routing is often abused by malicious users on the Internet (and elsewhere), and used to make a machine (A), think it is talking to a different machine (B), when it is really talking to a third machine (C). This means that C has control over B's ip address for some purposes.

According to a Microsoft article

A remote attacker might seek to access a UNIX system protected with TCP wrappers, or a Windows NT Internet Information Server (IIS) protected by an access list based on source addresses. If the attacker simply spoofs one of the permitted source addresses, the attacker may never get a response. However, if the attacker both spoofs an address and sets the loose-source-routing option to force the response to return to the attacker's network, the attack can succeed.

(my emphasis)

RedGrittyBrick
  • 3,792
  • 1
  • 16
  • 21