Blocking Bogus Traffic - HELP! (a discussion in the Apache Web Server forums, part of the Web Server and Related Forums category)
I am getting loads of bogus traffic, almost to the point of it being an attack of some sort. ALL of this traffic is coming from Macintosh computers. At any given time I see from 1000 to 3000 connections to my server. Here is just an example of what I am seeing:

    84.82.219.72 - - [15/Jan/2008:08:47:35 -0600] "GET /? HTTP/1.0" 302 294 "-" "Mozilla/5.0 (Macintosh; VJF; PPC Mac OS X; en-US) AppleWebKit/786.5 (KHTML, like Geco, Safari) OmniWeb/v001.57iles"
    151.48.65.230 - - [15/Jan/2008:08:47:35 -0600] "GET /? HTTP/1.0" 302 295 "-" "Mozilla/5.0 (Macintosh; RSS; PPC Mac OS X; en-US) AppleWebKit/365.2 (KHTML, like Geco, Safari) OmniWeb/v707.20m\\QTJava.z\x81"
    79.33.253.72 - - [15/Jan/2008:08:47:35 -0600] "GET /? HTTP/1.1" 302 292 "-" "Mozilla/5.0 (Macintosh; PNM; PPC Mac OS X; en-US) AppleWebKit/84U.7 (KHTML, like Geco, Safari) OmniWeb/vP41.SG"
    82.53.117.51 - - [15/Jan/2008:08:47:35 -0600] "GET /? HTTP/1.0" 302 294 "-" "Mozilla/5.0 (Macintosh; MNP; PPC Mac OS X; en-US) AppleWebKit/368.0 (KHTML, like Geco, Safari) OmniWeb/v150.57i"
    77.179.147.53 - - [15/Jan/2008:08:47:35 -0600] "GET /? HTTP/1.0" 302 295 "-" "Mozilla/5.0 (Macintosh; OUN; PPC Mac OS X; en-US) AppleWebKit/277.0 (KHTML, like Geco, Safari) OmniWeb/v730.13\\WINDOWS;C\x81"
    89.210.201.16 - - [15/Jan/2008:08:47:35 -0600] "GET /? HTTP/1.1" 302 293 "-" "Mozilla/5.0 (Macintosh;"
    200.56.185.187 - - [15/Jan/2008:08:47:35 -0600] "GET /? HTTP/1.1" 302 294 "-" "Mozilla/5.0 (Macintosh; X2K; PPC Mac OS X; en-US) AppleWebKit/1DM.3 (KHTML, like Geco, Safari) OmniWeb/vA46.BA"
    83.18.24.186 - - [15/Jan/2008:08:47:36 -0600] "GET /? HTTP/1.0" 302 294 "-" "Mozilla/5.0 (Macintosh; ZWV; PPC Mac OS X; en-US) AppleWebKit/527.7 (KHTML, like Geco, Safari) OmniWeb/v761.86Files"
    189.136.3.159 - - [15/Jan/2008:08:47:36 -0600] "GET /?f=* HTTP/1.0" 302 295 "-" "Mozilla/5.0 (Macintosh; AXJ; PPC Mac OS X; en-US) AppleWebKit/385.6 (KHTML, like Geco, Safari) OmniWeb/v620.66QuickTime\\\x81"
    83.167.112.58 - - [15/Jan/2008:08:47:36 -0600] "GET /? HTTP/1.1" 302 293 "-" "Mozilla/5.0 (Macintosh; 0X1; PPC Mac OS X; en-US) AppleWebKit/28G.4 (KHTML, like Geco, Safari) OmniWeb/v347.AW"
    77.178.29.158 - - [15/Jan/2008:08:47:36 -0600] "GET /? HTTP/1.0" 302 295 "-" "Mozilla/5.0 (Macintosh; RNO; PPC Mac OS X; en-US) AppleWebKit/586.4 (KHTML, like Geco, Safari) OmniWeb/v331.85temDrive=C\x81"
    62.197.85.201 - - [15/Jan/2008:08:47:36 -0600] "GET /? HTTP/1.1" 302 293 "-" "Mozilla/5.0 (Macintosh; BL1; PPC Mac OS X; en-US) AppleWebKit/7MD.0 (KHTML, like Geco, Safari) OmniWeb/v875.BE"
    212.175.245.69 - - [15/Jan/2008:08:47:36 -0600] "GET /? HTTP/1.1" 302 294 "-" "Mozilla/5.0 (Macintosh; SAW; PPC Mac OS X; en-US) AppleWebKit/710.6 (KHTML, like Geco, Safari) OmniWeb/v165.A8"
    85.20.132.115 - - [15/Jan/2008:08:47:36 -0600] "GET /? HTTP/1.0" 302 295 "-" "Mozilla/5.0 (Macintosh; ZVQ; PPC Mac OS X; en-US) AppleWebKit/164.3 (KHTML, like Geco, Safari) OmniWeb/v201.65ogramFiles\x81"
    147.156.210.176 - - [15/Jan/2008:08:47:36 -0600] "GET /? HTTP/1.0" 302 297 "-" "Mozilla/5.0 (Macintosh; VYQ; PPC Mac OS X; en-US) AppleWebKit/680.4 (KHTML, like Geco, Safari) OmniWeb/v870.87temDrive=C\x81"
    86.76.39.127 - - [15/Jan/2008:08:47:36 -0600] "GET /? HTTP/1.1" 302 292 "-" "Mozilla/5.0 (Macintosh; BDG; PPC Mac OS X; en-US) AppleWebKit/4V6.2 (KHTML, like Geco, Safari) OmniWeb/vP57.9H"
    203.213.7.133 - - [15/Jan/2008:08:47:36 -0600] "GET /? HTTP/1.0" 302 293 "-" "Mozilla/5.0 (Macintosh; LNB; PPC Mac OS X; en-US) AppleWebKit/5AT.7 (KHTML, like Geco, Safari) OmniWeb/vK52.MU"
    201.8.63.84 - - [15/Jan/2008:08:47:36 -0600] "GET /?f=* HTTP/1.1" 302 291 "-" "Mozilla/5.0 (Macintosh; I06; PPC Mac OS X; en-US) AppleWebKit/429.1 (KHTML, like Geco, Safari) OmniWeb/vX15.RB"

At first I did the following:

    tail -f /var/log/httpd/access_log | grep Macintosh > file.txt

Then imported this file into Excel and filtered out the IP addresses, and used a simple script to block IP addresses from a text file:

    #!/bin/sh
    BLOCKDB="ip.blocked"
    # one IP per line; lines starting with "#" are comments
    IPS=$(grep -Ev "^#" $BLOCKDB)
    for i in $IPS
    do
        iptables -A INPUT -s $i -j DROP
    done

The file ip.blocked just contained a list of IP addresses. After I hit about 6000 IPs I decided to give up, seeing that iptables would start slowing down because it has too many IPs listed. This is causing undue load on my server. In fact, at times it is making it very, very slow.

I read that if I use mod_rewrite I can block traffic by browser or user agent type. For example, I added this to my httpd.conf:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*
    RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L,E=nolog:1]
    </IfModule>

thinking that this would block all traffic with a Mozilla browser. I was wrong; it doesn't work. (Found that info here: http://www.perlcode.org/tutorials/apache/attacks.html)

Does anyone know of a way that I can block this crap traffic? I contacted my host but they want to charge me to do it (which is crap). There has got to be another way to do this. Please let me know.

Btw, Fedora Core 4 server.

Thanks,
Jim
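The post's three attempts each have a weakness worth seeing in code: grepping for "Macintosh" would also block every genuine Mac visitor, a redirect via mod_rewrite still answers every request (the excerpt already shows each bogus hit getting a 302), and thousands of individual iptables rules in INPUT slow down all traffic. The script below is an added example and is not code from the original post. It picks a signature that real browsers never send ("like Geco" instead of "like Gecko", and a bare "/?" request path), extracts and counts the offending IPs from a constructed sample log in the post's format, prints an Apache fragment that answers the signature with a cheap 403, and loads the IP list into a dedicated iptables chain that can be refreshed in one flush. The helper names (bogus_requests, bogus_ips, load_blocklist_chain, and so on), the chain name BOGUS, the env name bogus_ua and the TEST-NET addresses are all assumptions; the iptables calls are limited to -N/-F/-A/-D/-I, which old releases support.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a POSIX shell with awk,
# grep, sort and uniq, an access log in Apache's combined format as shown in the
# post, and an iptables accepting -N/-F/-A/-D/-I.

# Constructed sample log in the post's format (TEST-NET addresses, not real clients).
# Lines 1-3 imitate the flood (line 2 has the truncated User-Agent seen in the post);
# line 4 is a genuine Mac Safari user who must NOT be blocked; line 5 is an
# unrelated Windows client.
SAMPLE_LOG=$(cat <<'EOF'
192.0.2.1 - - [15/Jan/2008:08:47:35 -0600] "GET /? HTTP/1.0" 302 294 "-" "Mozilla/5.0 (Macintosh; VJF; PPC Mac OS X; en-US) AppleWebKit/786.5 (KHTML, like Geco, Safari) OmniWeb/v001.57iles"
192.0.2.2 - - [15/Jan/2008:08:47:35 -0600] "GET /? HTTP/1.1" 302 293 "-" "Mozilla/5.0 (Macintosh;"
192.0.2.1 - - [15/Jan/2008:08:47:36 -0600] "GET /?f=* HTTP/1.0" 302 295 "-" "Mozilla/5.0 (Macintosh; AXJ; PPC Mac OS X; en-US) AppleWebKit/385.6 (KHTML, like Geco, Safari) OmniWeb/v620.66QuickTime\\\x81"
192.0.2.3 - - [15/Jan/2008:08:47:36 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/419.3 (KHTML, like Gecko) Safari/419.3"
192.0.2.4 - - [15/Jan/2008:08:47:37 -0600] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
EOF
)

# Print the client IP of every request matching the flood's signature.  Two tells
# that real browsers do not produce: "like Geco" (Safari says "like Gecko") and a
# bare "/?" or "/?f=*" request path, which also catches lines whose User-Agent was
# truncated.  Matching on "Macintosh" alone, as the post's grep did, would also
# catch line 4's genuine Safari.  Fields: $1 = client IP, $6 = "GET, $7 = path.
bogus_requests() {
    awk '/like Geco, Safari/ || ($6 == "\"GET" && $7 ~ /^\/\?(f=\*)?$/) { print $1 }'
}

# Distinct offending IPs, ready to be written to a blocklist file.
bogus_ips() {
    bogus_requests | sort -u
}

# Requests per offending IP, busiest first: shows whether a few hosts or
# thousands of single-shot clients are responsible.
bogus_ip_counts() {
    bogus_requests | sort | uniq -c | sort -rn
}

# Count lines on stdin without wc's platform-dependent padding.
count_lines() {
    awk 'END { print NR + 0 }'
}

# Apache fragment that refuses the signature with a 403 instead of redirecting.
# A redirect still costs a full response per request; a 403 from mod_setenvif is
# the cheapest in-server answer (httpd 2.0/2.2 Order/Deny syntax of the Fedora
# Core 4 era).  Any in-server block still accepts the TCP connection, which is
# why the firewall list below is still worth keeping.
apache_deny_fragment() {
    cat <<'EOF'
SetEnvIfNoCase User-Agent "like Geco, Safari" bogus_ua
<Location />
    Order Allow,Deny
    Allow from all
    Deny from env=bogus_ua
</Location>
EOF
}

# Load a blocklist (stdin, one IP per line, "#" comments allowed as in the post's
# ip.blocked) into its own chain.  Refreshing the list then means flushing one
# chain instead of editing INPUT rule by rule, and the rules only inspect port 80
# so other traffic is not slowed by the long chain.  IPTABLES defaults to a dry
# run that prints the commands; set IPTABLES=iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"
load_blocklist_chain() {
    chain="${1:-BOGUS}"
    $IPTABLES -N "$chain" 2>/dev/null || $IPTABLES -F "$chain"
    grep -Ev '^(#|$)' | while read -r ip; do
        $IPTABLES -A "$chain" -p tcp --dport 80 -s "$ip" -j DROP
    done
    # Point INPUT at the chain exactly once: remove any old jump, then insert.
    $IPTABLES -D INPUT -p tcp --dport 80 -j "$chain" 2>/dev/null
    $IPTABLES -I INPUT -p tcp --dport 80 -j "$chain"
}

# Demonstration on the constructed sample (dry run unless IPTABLES is set).
printf '%s\n' "$SAMPLE_LOG" | bogus_ip_counts
printf '%s\n' "$SAMPLE_LOG" | bogus_ips | load_blocklist_chain BOGUS
apache_deny_fragment
```

Against a live server the same functions run over the real log (for example `bogus_ips < /var/log/httpd/access_log > ip.blocked`, then `IPTABLES=iptables load_blocklist_chain BOGUS < ip.blocked`). Before deploying the signature, run `bogus_ip_counts` and spot-check a few flagged lines to confirm that no genuine visitors match. If the list keeps growing into the thousands, a hash-based address set (the ipset tool, where the kernel supports it; this is an assumption about what a given Fedora Core 4 install can provide) scales better than any linear chain.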