Try modsecurity, it should block invalid URI On Mon, Sep 22, 2008 at 8:08 AM, NeMiX <[EMAIL PROTECTED]> wrote:
> Hi there, > > > > since last week we´ve got a little problem with our Webserverfarm. > > We get some strange Request from some Dial-Up Accounts from Europe > (T-Online; Telefonica; Orange...): > > > > Sep 21 22:47:35 logger: [Sun Sep 21 22:47:35 2008] [error] [client > 87.183.65.xx] Invalid URI in request GET 347905 HTTP/1.0 Sep 21 22:47:35 > logger: [Sun Sep 21 22:47:35 2008] [error] [client 87.183.65.xx] Invalid URI > in request GET 341922 HTTP/1.0 > > > > This strange Request (GET 347905 HTTP/1.0 ) pass our Firewall (because it´s > normal HTTP), goes to our Load balancer and then to our Webserver. > > > > Only 1 Client make about 80-100 strange Request per Minute and we get a > peak on our Webserverfarm and finally after 5 Minutes the Webserver(s) get > out of memory: > > > > Out of Memory: Kill process 12082 (apache) score 199722 and children. > > Out of memory: Killed process 19435 (apache). > > > > If we get a "DDOS" we make a tcpdump and count the IPs (maximum 8 Dial Up > Accounts) to block them on our Firewall. > > > > I don´t find any about this strange request on Google or some security > boards. > > > > Is this a new kind of DDOS or just kiddy stuff? If someone have some more > information about this strange Request/DDOS it would be very nice if he can > send this to me. > > > > Kind Regards > > > > -- > > Andre Braun, IT Manager > > > > Turtle Entertainment GmbH > > > > > > > > > -- Best Regards, Stephen
