2

My site recently came under a DoS attack, which seems to have been mostly fixed by installing mod-evasive (which is fine).

I wanted to find the IP which was used for the attack so naturally I went to the access.log only to find hundreds of lines of this:

```
127.0.0.1 - - [08/Oct/2011:22:08:33 +0200] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.9 (Debian) PHP/5.3.8-1~dotdeb.1 with Suhosin-Patch (internal dummy connection)"
127.0.0.1 - - [08/Oct/2011:22:09:22 +0200] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.9 (Debian) PHP/5.3.8-1~dotdeb.1 with Suhosin-Patch (internal dummy connection)"
127.0.0.1 - - [08/Oct/2011:22:09:23 +0200] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.9 (Debian) PHP/5.3.8-1~dotdeb.1 with Suhosin-Patch (internal dummy connection)"
127.0.0.1 - - [08/Oct/2011:22:09:24 +0200] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.9 (Debian) PHP/5.3.8-1~dotdeb.1 with Suhosin-Patch (internal dummy connection)"
```

I'm pretty sure this is because I'm using mod_rewrite. In short, I'd like Apache to log the pre-redirection request instead of the internally redirected request. Does anyone know if this is possible?

Mikey
  • 79
  • 4
  • possible duplicate of [Everything You Ever Wanted to Know about Mod_Rewrite Rules but Were Afraid to Ask?](http://serverfault.com/questions/214512/everything-you-ever-wanted-to-know-about-mod-rewrite-rules-but-were-afraid-to-ask) – GregD Oct 09 '11 at 15:29

4 Answers

2

These are internal requests by the apache parent process to keep child processes alive and to generate new child processes when load dictates new children are required.

Depending upon the type of denial of service attack, you're not going to have much luck getting the IP from the access log. The access log only logs requests--many DoS attacks don't actually submit HTTP requests. Some do.

You can probably get what you want out of the RewriteLog but that isn't normally something that would be included in the access log. The access log represents logging of requests once processing is completed (whether successful or not). You may get the data you're looking for from mod_log_forensic but I don't know if people would recommend using this module for day-to-day logging of requests.

mahnsc
  • 1,776
  • 13
  • 11
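To act on the point above (the dummy connections are Apache's own and should be excluded before counting anything in access.log), here is a small analyzer written as an added example; it is not code from the answer or from the Apache project. It assumes the default "combined" LogFormat, which the lines in the question match, and works on a constructed sample log embedded below. Beyond a plain count it also reports the peak requests per minute per client, which is usually more telling than a total when looking for a flood in the access log.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format (assumption: the site uses the default
# LogFormat; the lines quoted in the question fit it).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

DUMMY_MARKER = "(internal dummy connection)"

# Constructed sample: two of Apache's own wake-up requests, a normal visitor,
# and one client making 40 requests in two minutes.
SAMPLE_LOG = [
    '127.0.0.1 - - [08/Oct/2011:22:08:33 +0200] "OPTIONS * HTTP/1.0" 200 - "-" '
    '"Apache/2.2.9 (Debian) PHP/5.3.8-1~dotdeb.1 with Suhosin-Patch (internal dummy connection)"',
    '127.0.0.1 - - [08/Oct/2011:22:09:22 +0200] "OPTIONS * HTTP/1.0" 200 - "-" '
    '"Apache/2.2.9 (Debian) PHP/5.3.8-1~dotdeb.1 with Suhosin-Patch (internal dummy connection)"',
    '198.51.100.7 - - [08/Oct/2011:22:09:01 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Oct/2011:22:10:15 +0200] "GET /style.css HTTP/1.1" 200 812 "http://example.com/" "Mozilla/5.0"',
] + [
    '203.0.113.5 - - [08/Oct/2011:22:09:%02d +0200] "GET / HTTP/1.0" 200 5123 "-" "-"' % s
    for s in range(0, 60, 2)          # 30 requests in minute 22:09
] + [
    '203.0.113.5 - - [08/Oct/2011:22:10:%02d +0200] "GET / HTTP/1.0" 200 5123 "-" "-"' % s
    for s in range(0, 30, 3)          # 10 requests in minute 22:10
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_internal_dummy(rec):
    # Apache's self-connections come from loopback and carry the marker in the
    # User-Agent; requiring both avoids dropping genuine loopback traffic.
    return rec["ip"] in ("127.0.0.1", "::1") and DUMMY_MARKER in rec["ua"]


def real_requests(lines):
    for line in lines:
        rec = parse_line(line)
        if rec is not None and not is_internal_dummy(rec):
            yield rec


def top_clients(lines, n=5):
    """Most active client IPs after the dummy connections are removed."""
    return Counter(rec["ip"] for rec in real_requests(lines)).most_common(n)


def bursty_clients(lines, threshold):
    """{ip: peak requests in any single minute} for clients at or above threshold."""
    per_minute = defaultdict(Counter)
    for rec in real_requests(lines):
        minute = rec["ts"][:17]       # "08/Oct/2011:22:09" from "08/Oct/2011:22:09:33 +0200"
        per_minute[rec["ip"]][minute] += 1
    peaks = {ip: max(c.values()) for ip, c in per_minute.items()}
    return {ip: peak for ip, peak in peaks.items() if peak >= threshold}


if __name__ == "__main__":
    print("top clients:", top_clients(SAMPLE_LOG))
    print("bursty (>= 20/min):", bursty_clients(SAMPLE_LOG, 20))
```

On a real server replace `SAMPLE_LOG` with `open("/var/log/apache2/access.log")`; the two dummy lines drop out, and the per-minute peak separates a busy legitimate client from one hammering a single URL. As the answer notes, this only sees requests that Apache finished processing, so a flood that never completes an HTTP request will not appear here at all.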
2

> My site recently came under a DOS attack

How did you determine that your server is under attack?

> (internal dummy connection)

> I'm pretty sure this is because I'm using mod_rewrite,

No, these are requests which Apache sends back to itself to wake up processes that are listening for new connections. Take a look at this if you want to ignore them.

> I wanted to find the IP which was used for the attack

You can also use netstat to count the connections to port 80, something like this:

```
netstat -n | grep :80 | awk '{ print $5 }' | cut -d: -f1 | sort | uniq -c | sort -rn | head
```
quanta
  • 50,327
  • 19
  • 152
  • 213
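The netstat pipeline above does the job for IPv4, but `cut -d: -f1` truncates IPv6 and IPv4-mapped addresses (`::ffff:203.0.113.5:51300` becomes an empty string) and `grep :80` also matches port 8080. The following is an added example, not code from the answer, that does the same count while splitting on the last colon, folding mapped addresses back to IPv4, and optionally restricting to a TCP state such as SYN_RECV. It runs on a constructed snippet in Linux net-tools `netstat -n` layout; real output differs between platforms, so the column positions are an assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout of Linux `netstat -n` (header lines included
# on purpose so the parser has to skip them).
NETSTAT_SAMPLE = """Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51235       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51236       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.9:40002      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51300 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::7:40000     ESTABLISHED
""".splitlines()


def split_host_port(addr):
    """Split 'host:port' on the LAST colon so IPv6 hosts stay intact."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def normalize_host(host):
    """Fold IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) back to a.b.c.d."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host                      # not an IP literal; leave as-is
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def connections_by_remote(netstat_lines, local_port=80, states=None):
    """Count connections to local_port per remote host, most frequent first.

    states: optional set of TCP states to keep (e.g. {"SYN_RECV"}); None keeps all.
    """
    counts = Counter()
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                     # header line, UDP, or unexpected layout
        _, lport = split_host_port(fields[3])
        remote_host, _ = split_host_port(fields[4])
        state = fields[5]
        if lport != local_port:
            continue                     # exact port match, unlike `grep :80`
        if states is not None and state not in states:
            continue
        counts[normalize_host(remote_host)] += 1
    return counts.most_common()


if __name__ == "__main__":
    print("all states:", connections_by_remote(NETSTAT_SAMPLE))
    print("half-open only:", connections_by_remote(NETSTAT_SAMPLE, states={"SYN_RECV"}))
```

Feed it real data with `subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout.splitlines()` (or `ss -tn`, adjusting the column indices). A remote host that dominates the SYN_RECV count while contributing few ESTABLISHED connections is the pattern worth checking first; the plain total from the page's one-liner mixes both.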
1

Those connections have no relation to mod_rewrite, and you shouldn't worry about them.

http://wiki.apache.org/httpd/InternalDummyConnection

Giovanni Toraldo
  • 2,557
  • 18
  • 27
0

I would recommend studying your access log once again if you want to find the attacker. Some log analyzers may save you much time. I use ddosViewer for checking through the logs, though there are many such programs on the web. I know that this site is in Russian, but it's so good and simple to use that I could not help recommending it for your problem.

Andrew
  • 1,044
  • 6
  • 21
  • 36