0

I'm getting repeat requests for resources on my server and this is increasing the load greatly. Currently my load is at 2.5ish. I block individual IP addresses causing the problem but eventually the attacker seems to reappear with a different IP. Any ideas?

Here is my server log:

I'm getting repeat requests for '...' and 'GET'

Casey Flynn
  • More details please. – joeqwerty Mar 29 '11 at 17:03
  • 1
    In the past I've been able to control this from PHP scripts by slowing down users who have cookies or who request pages at a certain rate, but this attacker appears to be requesting resources and images outside of regular php scripts. – Casey Flynn Mar 29 '11 at 17:06
  • I'd guess Yes, though we're working with pretty few details. Try isolating a particular request that seems common to the attack, filter the logs for the IPs, feed that into your firewall. If your connection is getting saturated you'll need to contact your ISP or upstream provider(s) (as the case may be). If you're feeling particularly vindictive, `whois` the IPs for abuse e-mail addresses and forward some of the botnet evidence along. – Chris S Mar 29 '11 at 17:19
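
The filtering suggested in the comment above (isolate a request common to the attack, then pull the IPs behind it from the logs) can be sketched as follows. This is an added example, not code from anyone in this thread; it assumes Apache Common/Combined Log Format, and the thresholds, function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Common/Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)[^"]*" \d{3}')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse(lines):
    """Yield (ip, timestamp, path); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # Drop the query string so variations count as one resource.
            path = m["path"].split("?", 1)[0]
            yield m["ip"], datetime.strptime(m["ts"], TS_FORMAT), path

def repeat_offenders(lines, max_hits=5, window=timedelta(seconds=10)):
    """Map each IP that hit one path more than max_hits times within window to that path."""
    recent = defaultdict(list)  # (ip, path) -> timestamps still inside the window
    flagged = {}
    for ip, ts, path in sorted(parse(lines), key=lambda r: r[1]):
        hits = recent[(ip, path)]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.pop(0)
        if len(hits) > max_hits:  # threshold is an assumption to tune per site
            flagged.setdefault(ip, path)
    return flagged

def common_requests(flagged):
    """Rank the paths shared by flagged IPs: the request common to the attack."""
    return Counter(flagged.values()).most_common()

def sample_log():
    """Constructed log lines (documentation IP ranges), not from the question."""
    lines = ["not a log line"]
    for ip in ("192.0.2.10", "198.51.100.7"):  # two sources hammering one image
        for s in range(8):
            lines.append(f'{ip} - - [29/Mar/2011:17:00:{s:02d} +0000] '
                         f'"GET /images/banner.png?x={s} HTTP/1.1" 200 5120')
    for s, path in enumerate(("/", "/images/banner.png", "/about.php")):  # normal visitor
        lines.append(f'203.0.113.5 - - [29/Mar/2011:17:00:{s * 15:02d} +0000] '
                     f'"GET {path} HTTP/1.1" 200 2048')
    return lines

if __name__ == "__main__":
    flagged = repeat_offenders(sample_log())
    print(common_requests(flagged), sorted(flagged))
```

The sorted list of flagged addresses is what would be handed to the firewall; ranking by shared path keeps the focus on the request pattern when the source addresses keep changing.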

2 Answers

2

A loadavg of 2.5 is not necessarily a big deal; it just describes the number of processes that are currently executing or waiting to execute instructions on your system's CPUs. Unless you're seeing high iowait, or processes monopolizing whole CPUs, you're probably just enjoying the standard performance profile of a web server dealing with both real requests and the inevitable script-kiddie vulnerability scans.

It's not worth trying to track these attackers down; they're constantly harvesting new IPs to scan from. Make sure your system is well-secured, and that you have a logging and log-analysis infrastructure in place to alert you when actual security events occur - that is, when one of these attackers actually gains elevated access.

Jeff Albert
0

This link, which I added to with the iptables script, is a good fix to lower the miscreants' effect on the server load.

Getting a lot of hits on my web server and it's taking down my httpd. Possible DDoS?

Jonathan Ross