brent timothy saner on 27 Apr 2010 18:49:23 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Denial of Service in Apache log?

Mod_evasive may be able to do something to help this. And get varnish running over it to help, just in case.

(lack of GPG due to message sent via blackberry device)

-----Original Message-----
From: Eric <>
Date: Tue, 27 Apr 2010 21:23:54 
To: Philadelphia Linux User's Group Discussion List<>
Subject: [PLUG] Denial of Service in Apache log?

I see the following request in the apache access log for a web site that I'm
working on: - - [27/Apr/2010:13:51:09 -0400] "GET /images/greenEdge_05.png
HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
GTB6.4; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC LM 8; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)"

So far so good... it's a 304 indicating the image file "greenEdge_05.png" has
not changed.

Weirdness alert!!!.....
There are 8788 of these requests from the same IP address in the space of about
1140 seconds.

I see identical blocks of thousands of requests for the same greenEdge_05.png
file from other (random?) IPs - perhaps once or twice a day.

I have a hard time believing that some part of the html/css/javascript is
causing this. (I did not write said html/css/javascript BTW.)

Is this some kind of stupid DOS attack?
Is there a way to tell Apache to stop answering after the first few hundred
repeated requests in a minute?  :-)

#  Eric Lucas
#                "Oh, I have slipped the surly bond of earth
#                 And danced the skies on laughter-silvered wings...
#                                        -- John Gillespie Magee Jr
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --