Apache access.log flood with GET ...HTTP/1.1" requests

Question

I have a server with Ubuntu 14.04, laravel 5.2 framework.

On the last 24 hours somebody continously send flood requests from different ip adresses as shown below (log/apache2/access.log):

  198.46.157.112 - - [18/Oct/2016:17:44:04 +0100] "GET /choi-ads/test_44022 HTTP/1.1" 403 6032 "http://ki****" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"
  175.232.51.53 - - [18/Oct/2016:17:44:04 +0100] "GET /choi-ads/test_44022 HTTP/1.1" 500 47902 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.2 Safari/537.36"
  212.4.138.94 - - [18/Oct/2016:17:44:05 +0100] "GET /choi-ads/test_44022 HTTP/1.1" 403 6086 "http://buynew******" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36"
  139.0.51.221 - - [18/Oct/2016:17:44:05 +0100] "GET /choi-ads/test_44022 HTTP/1.1" 403 6086 "http://buynew*****" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/55.2.126 Chrome/49.2.2623.126 Safari/537.36"

I created a filter on fail2ban service to ban those ip addresses, but the requests contiue from different ip's. Until now i have 1800 ip's banned.

Do you have any idea how can i efficiently block these requests?

score 2 · Answer 1 · answered Oct 19 '16 at 02:38

2

By looking at The logs you provide request URI. and UA are same in all requests and it's always better to block on basis of common attack vector

So make block conditions using

URI AND UA and other request specific parameter

answered Oct 19 '16 at 02:38

Arjun sharma

605
4
9

Apache access.log flood with GET ...HTTP/1.1" requests

1 Answers1