
This night, I've noticed nginx was not responding to requests. After some investigation, I found that it was using 100% of the CPU and error.log was full of messages like this one:

2013/05/28 00:11:31 [alert] 31211#0: accept() failed (24: Too many open files)

But more importantly, checking access.log discovered requests like this one:

193.169.124.92 - - [28/May/2013:00:11:46 +0300] "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" 400 173 "-" "-"

What would you suggest? How to prevent these types of attacks? Is this a known pattern?

UPD. I can now say the requests were sent from about 50 IP addresses for about 20 minutes. There were 2510 requests all in all. That's what I got from the nginx logs. I suppose not all the requests were logged. And I didn't see requests like this before in the logs. (I have logs since 6th Apr.)

    Are you certain this was an attack or just a lot of traffic? If your system is limiting your number of open files, this could be a normal error. What evidence do you have of a DDoS? – jeffatrackaid May 28 '13 at 17:57
  • What are those requests, discovered in access.log then? Normally, they would have something like "GET /path/to/file HTTP/1.1". Also, my colleagues reported enormous traffic on eth0, about 1 Gb/sec. – x-yuri May 28 '13 at 18:18
  • Do you really have a 1Gb/s pipe to where someone might attack you from? jeffatrackaid is correct in saying that you should start by eliminating the noise. – symcbean May 28 '13 at 20:10
  • My hoster says it provides "440 Gbit Bandwidth". Anyway, those requests are malformed. And I can now say they were sent from about 50 IP addresses for about 20 minutes. There were 2510 requests all in all. That's what I got from the nginx logs. I suppose not all the requests were logged. And I didn't see requests like this before in the logs. – x-yuri May 28 '13 at 21:46
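The question and the comments hinge on one measurement: how many requests in access.log have a request line that is not a normal `METHOD /path HTTP/x.y` (nginx answers those with 400), from how many source addresses, over what time span. The script below is an added example, not code from the question or from nginx; it parses nginx's default "combined" log format, flags such entries, and summarizes them per source IP. The log lines embedded in it are constructed for the example (one source address is the one shown in the question, the others are documentation-range addresses), and the `\x16\x03\x01` request bodies stand in for the escaped binary junk nginx writes when it logs an unparseable request; the threshold values in `looks_like_flood` are assumptions to be tuned against your own baseline.

```python
import re
from collections import Counter
from datetime import datetime

# nginx "combined" format:
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A well-formed HTTP/1.x request line: METHOD SP request-target SP HTTP/major.minor
REQUEST_LINE_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not taken from the question's server).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/May/2013:00:10:02 +0300] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '193.169.124.92 - - [28/May/2013:00:11:46 +0300] "\\x16\\x03\\x01\\x00\\xa5" 400 173 "-" "-"',
    '198.51.100.7 - - [28/May/2013:00:12:01 +0300] "\\x16\\x03\\x01\\x00\\xa5" 400 173 "-" "-"',
    '198.51.100.7 - - [28/May/2013:00:12:03 +0300] "-" 400 0 "-" "-"',
    '10.0.0.5 - - [28/May/2013:00:12:10 +0300] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/May/2013:00:13:46 +0300] "\\x16\\x03\\x01\\x00\\xa5" 400 173 "-" "-"',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], TIME_FMT)
    entry["status"] = int(entry["status"])
    return entry


def is_malformed(entry):
    """True when nginx rejected the request (400) or the request line is not HTTP-shaped."""
    return entry["status"] == 400 or not REQUEST_LINE_RE.match(entry["request"])


def summarize_malformed(lines):
    """Count malformed requests, distinct sources, and the time window they span."""
    hits = [e for e in map(parse_line, lines) if e and is_malformed(e)]
    if not hits:
        return {"count": 0, "sources": 0, "window_seconds": 0, "top": []}
    times = [e["time"] for e in hits]
    per_ip = Counter(e["ip"] for e in hits)
    return {
        "count": len(hits),
        "sources": len(per_ip),
        "window_seconds": int((max(times) - min(times)).total_seconds()),
        "top": per_ip.most_common(3),  # heaviest senders first
    }


def looks_like_flood(summary, min_sources=10, min_count=100):
    """Assumed thresholds: many distinct sources sending many junk requests."""
    return summary["sources"] >= min_sources and summary["count"] >= min_count


if __name__ == "__main__":
    s = summarize_malformed(SAMPLE_LOG)
    print(s)
    print("flood pattern:", looks_like_flood(s))
```

Running it on a real file is `summarize_malformed(open("/var/log/nginx/access.log"))`; the question's own figures (2510 requests from about 50 addresses in about 20 minutes) would trip the assumed thresholds, while a handful of stray 400s from one client would not. Note that the question also reports `accept() failed (24: Too many open files)`, so requests dropped at accept() never reach access.log and the count from this script is a lower bound, as the asker already suspected.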

0 Answers