First up, check out this question:
Why are external domains appearing in my apache logs?
We're seeing the exact same thing on one of our Debian VPS servers - with one big difference, the regularity of said requests. We're seeing 5000+ requests per minute - sometimes as many as 100 requests per second - all for domains that we don't host - this is a big problem as apache is chomping up gigs of ram then crashing the server.
I've taken a tail snapshot of the other_vhosts_access.log from apache and uploaded it here:
http://www.heavencore.co.uk/filehub/20140411101731_apache_log_tail.txt
Two examples of said log:
vps.XXXXXX.co.uk:80 216.244.68.216 - - [10/Apr/2014:14:57:15 +0000] "GET http://advs.adgorithms.com/ttj?id=2440545 HTTP/1.0" 404 527 "http://www.cashwargames.com/girls-games.htm" "Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC; Alexa Toolbar)"
vps.XXXXXX.co.uk:80 192.157.246.54 - - [10/Apr/2014:14:57:15 +0000] "GET http://ads.yahoo.com/st?ad_type=ad&ad_size=300x250&section=5452138&pub_url=${PUB_URL} HTTP/1.0" 404 520 "http://www.verlyer.com/?p=866" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5"
Even if we delete all virtual hosts - apache still goes mental replying with 404s to all these requests, and if we configure apache to deny all - it just starts replying with 403s.
As a stop-gap measure, we've used iptables to block ALL traffic to the server except a few IP addresses of our primary users.
As you can see from the tail log though, these requests are coming from thousands of unique addresses - presumably some botnet has latched on to our server??
How can we stop this attack & re-instate public http access to the server? (it's been going on for over 48 hours now)
The VPS is hosted by a 3rd party and we have no control over the perimeter firewall / hypervisor.
The only thing the third party's support people could recommend was using IPT to block all the IPs - we don't see how that's possible given the vast number of them?
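The two sample lines above share one feature: the request-target is an absolute URL (`GET http://other-site/... HTTP/1.0`) for a host the server does not serve, which is the form a client uses when it treats a server as a forward proxy. Before deciding on a block list, it helps to measure how much of the log is that pattern and which sources and requested hosts dominate. The script below is an added example, not code from the original post or from the Apache project: it parses lines in the `other_vhosts_access.log` format shown above (Apache's `vhost_combined` layout, assumed here), flags requests whose target is an absolute URL for a host outside an assumed `OUR_HOSTS` set, and tallies them per source IP and per requested host. The embedded log lines are constructed with documentation IP ranges and example hostnames, not copied from the uploaded tail.

```python
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Hosts this server legitimately serves. Assumption for the example; edit to taste.
OUR_HOSTS = {"vps.example.co.uk", "www.example.co.uk"}

# Apache vhost_combined: "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""
LINE_RE = re.compile(
    r'^(?P<vhost>\S+):(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: three proxy-style requests from two sources, one normal request.
SAMPLE_LOG = """\
vps.example.co.uk:80 203.0.113.10 - - [10/Apr/2014:14:57:15 +0000] "GET http://advs.example-ads.net/ttj?id=2440545 HTTP/1.0" 404 527 "http://www.example-games.test/girls-games.htm" "Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)"
vps.example.co.uk:80 198.51.100.7 - - [10/Apr/2014:14:57:15 +0000] "GET http://ads.example-ads.net/st?ad_type=ad&ad_size=300x250&section=5452138 HTTP/1.0" 404 520 "http://www.example-blog.test/?p=866" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU)"
vps.example.co.uk:80 203.0.113.10 - - [10/Apr/2014:14:57:16 +0000] "GET http://ads.example-ads.net/st?ad_type=ad HTTP/1.0" 404 520 "-" "Mozilla/5.0"
vps.example.co.uk:80 192.0.2.44 - - [10/Apr/2014:14:57:16 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_proxy_request(rec):
    """True when the request-target is an absolute URL whose host we do not serve.

    A normal origin-form request ("GET /index.html") has no scheme or netloc and
    is never flagged; an absolute URL for one of OUR_HOSTS is also allowed, since
    RFC 7230 permits clients to send that form to an origin server.
    """
    parts = urlsplit(rec["target"])
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    host = (parts.hostname or "").lower()
    return host not in OUR_HOSTS


def summarize(lines):
    """Count total, unparsed and proxy-style requests; tally the latter by IP and host."""
    summary = {
        "total": 0,
        "unparsed": 0,
        "proxy_requests": 0,
        "per_ip": Counter(),
        "per_host": Counter(),
    }
    for line in lines:
        if not line.strip():
            continue
        summary["total"] += 1
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        if is_proxy_request(rec):
            summary["proxy_requests"] += 1
            summary["per_ip"][rec["ip"]] += 1
            summary["per_host"][urlsplit(rec["target"]).hostname.lower()] += 1
    return summary


def noisy_ips(summary, min_hits):
    """Source IPs with at least min_hits proxy-style requests, busiest first."""
    return [ip for ip, n in summary["per_ip"].most_common() if n >= min_hits]


if __name__ == "__main__":
    # Usage: python3 proxy_requests.py < other_vhosts_access.log   (falls back to the sample)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    s = summarize(source)
    print(f"{s['proxy_requests']} of {s['total']} requests were proxy-style "
          f"({s['unparsed']} lines did not parse)")
    print("top source IPs:", s["per_ip"].most_common(10))
    print("top requested hosts:", s["per_host"].most_common(10))
```

Run against the real log the output separates two questions the post conflates: how concentrated the sources are (a short `noisy_ips` list with a high threshold means per-IP blocking is workable; thousands of single-hit sources means it is not) and what the clients are actually asking for, which is the evidence to bring back to the hosting provider's support team.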