I am curious as to whether it is possible that the three-step TCP
handshake is bypassed somehow, or not completed, when connecting
directly to the Apache server on OpenBSD? I wouldn't think so, but maybe
I am missing something or not understanding something here.
I am asking as I have what I would consider an attack on my web servers
that keeps growing by the day and that started a few weeks ago. It may be
something else as well, but with the logs I have collected so far I would
think it is either an attack from a webbot network of some sort, or an attack
from a source of spoofed IPs.
Why the last possibility? Well, I always see the same thing in the logs,
where multiple sources are all requesting the same valid URL (there
shouldn't be much traffic on it as it is 2+ years old), but this comes a lot.
If that was a normal browser, the objects of the page would be requested
as well: images, etc. But they are not. Only the main URL, and the
content is returned, minus the other content. So, if that's a script, then it
doesn't process the content of the page. Or if those are spoofed IPs, then
obviously there isn't a valid connection to request the additional
content. However, to do this, it would mean that the spoofed IPs access
the web server fine, but then I thought that before the content was
sent, the three-step handshake needs to be completed, and if so, then
those aren't spoofed IPs but a real DDoS attack.
Now, I collected data for the last 6 hours to see, and I am up to 5000+
source IPs for that and it keeps growing.
What puzzles me a bit is that I ALWAYS get the same information in the
logs for the OS, browser, etc. Only the source IP changes.
Here is a sample of the log entry:
200.82.74.176 - - [23/Aug/2006:12:42:37 -0400] "GET /events/index.php?EventID=58 HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
Always the same, no matter where it is from, except the time obviously
and the IP.
In all cases, the content is not sent.
Also note here that to reduce the impact, I simply wrote a script that,
when this specific URL is requested, stops the processing and sends empty
data, so that's why you see the 5 bytes in size here, as opposed to the real
page that was about 450K. I also know this is not a real request as I
moved the page to a different location and nothing valid is there, but
the same level of requests keeps coming and increasing each day, as it
has been constantly for the last few weeks.
I was thinking of using the PF SYN proxy to stop this if those were spoofed
IPs, but if I understand PF and the man page properly, CARP is considered
to be a bridge operation, I guess, as if I turn on the SYN proxy on the
real IP of the interface, obviously it works well, but if I try to turn
it on on the CARP IP, I get the starting step:
PROXY:DST
SYN_SENT:CLOSED
But it never goes to the ESTABLISHED:ESTABLISHED state like it would
on the real interface.
So, I guess SYN proxy on CARP is not allowed, right?
I can block that specific URL in httpd.conf with MOD_redirect, but I
was thinking of finding a better way via PF if possible and if those are
spoofed IPs.
I also wanted to find the real source of the attack if that's the case,
but I don't think I can at this time.
So, it's interesting, but I am also looking for some suggestions as I am
running out of ideas and maybe I am not thinking of all the possibilities
here.
I also thought it could have been a proxy at the source, as a proxy will
check if the page changed and not request all the images, etc. if not, but
serve them from its local cache. Again, I excluded this, as how could it be
that every proxy would offer the same signature? So, I have to exclude
that as a possibility.
What I am left with is two choices.
Either a spoofed source that I could stop with the SYN proxy if somehow I
could make it work on the CARP interface, or a DDoS attack that keeps growing,
and if so, I will need to think of an efficient way to deal with it.
Not a problem yet anyway, as the systems really are built for HUGE
traffic, so there is plenty of headroom, but still I don't like
playing with fire, and obviously this attack, or whatever it is, keeps
growing each day!
Any feedback or ideas would be welcome. If none, that's fine too, as I am
not stuck yet anyway, but this sure puzzles me and triggers my interest
obviously.
Thanks and sorry for the long post. I left plenty out to try to include
only the information I think is relevant.
Regards,
Daniel
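The pattern described in the post (thousands of distinct source IPs, one identical User-Agent, one URL, and never the images or stylesheets a browser would fetch next) can be checked mechanically from the Apache access log. Below is an added example, not code from Daniel's post or from any project it mentions: it parses Apache "combined" format lines like the one quoted above, groups requests by (URL, User-Agent), counts distinct client IPs per group and how many of those IPs ever fetched a sub-resource, then flags groups where almost none do. The sample lines are constructed (the first reuses the entry from the post; the other addresses are RFC 5737 documentation ranges), and the sub-resource extension list and thresholds are assumptions to tune for your site. One check worth keeping in mind while reading the output: Apache writes an access-log entry only after it has read a request line, which requires a completed TCP handshake, so every address listed here is a real TCP peer, not a blindly spoofed packet source.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as in the entry quoted in the post:
# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of page objects a real browser requests after parsing the HTML.
SUBRESOURCE_EXT = (".gif", ".jpg", ".jpeg", ".png", ".css", ".js", ".ico")

# Constructed sample: first line is the entry from the post; the other source
# addresses are RFC 5737 documentation ranges, not real clients.
SAMPLE_LOG = """\
200.82.74.176 - - [23/Aug/2006:12:42:37 -0400] "GET /events/index.php?EventID=58 HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
198.51.100.23 - - [23/Aug/2006:12:42:38 -0400] "GET /events/index.php?EventID=58 HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
203.0.113.9 - - [23/Aug/2006:12:42:39 -0400] "GET /events/index.php?EventID=58 HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
192.0.2.77 - - [23/Aug/2006:12:42:40 -0400] "GET /events/index.php?EventID=12 HTTP/1.1" 200 44120 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20060808 Firefox/1.5.0.6"
192.0.2.77 - - [23/Aug/2006:12:42:41 -0400] "GET /images/banner.gif HTTP/1.1" 200 8123 "http://www.example.invalid/events/index.php?EventID=12" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20060808 Firefox/1.5.0.6"
192.0.2.77 - - [23/Aug/2006:12:42:41 -0400] "GET /style.css HTTP/1.1" 200 2044 "http://www.example.invalid/events/index.php?EventID=12" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20060808 Firefox/1.5.0.6"
"""


def parse_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["size"] = 0 if e["size"] == "-" else int(e["size"])
            entries.append(e)
    return entries


def is_subresource(path):
    """True when the request path (query string ignored) looks like a page object."""
    return path.split("?", 1)[0].lower().endswith(SUBRESOURCE_EXT)


def cluster_report(entries):
    """Group page requests by (path, user-agent); per group report the number of
    distinct client IPs and how many of those IPs fetched any sub-resource at all."""
    paths_by_ip = defaultdict(set)
    for e in entries:
        paths_by_ip[e["ip"]].add(e["path"])

    clusters = defaultdict(set)
    for e in entries:
        if not is_subresource(e["path"]):
            clusters[(e["path"], e["ua"])].add(e["ip"])

    report = {}
    for key, ips in clusters.items():
        with_sub = sum(1 for ip in ips
                       if any(is_subresource(p) for p in paths_by_ip[ip]))
        report[key] = {"distinct_ips": len(ips), "ips_with_subresources": with_sub}
    return report


def suspicious_clusters(report, min_ips=3, max_subresource_ratio=0.1):
    """Groups with many distinct IPs of which (almost) none fetch page objects: the
    pattern from the post. Thresholds are assumptions; raise min_ips for real logs.
    Each IP here completed a TCP handshake, since Apache logs only after reading
    a request line, so these are reachable peers rather than spoofed sources."""
    flagged = []
    for key, stats in report.items():
        n = stats["distinct_ips"]
        if n >= min_ips and stats["ips_with_subresources"] / n <= max_subresource_ratio:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    rep = cluster_report(parse_log(SAMPLE_LOG))
    for path, ua in suspicious_clusters(rep):
        s = rep[(path, ua)]
        print(f"{s['distinct_ips']} IPs, {s['ips_with_subresources']} fetched objects: {path} / {ua}")
```

Run it against a real file by replacing SAMPLE_LOG with the contents of the access log and raising min_ips to something like 50. Because the grouping key includes the User-Agent, an identical UA string across thousands of addresses shows up as a single oversized group, which is exactly the signature the post describes.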