Is it illegal to DDoS your own server over the internet?

    I'd quite like to see what I could do to prevent someone from DoS'ing my pi over the internet (mainly to learn, not so much because I think it will actually happen).

    I thought I might get my friend to install that Low Orbit Ion Cannon program and see what happens if he targets my site, then see what I can do to keep the site running.

    I'm aware that I could do it over my LAN myself, which would clearly not be illegal, but is it illegal to do it over the internet? I think it would be a better test over WAN.

    Do many ISPs have rules against things like this? Do they monitor for such activity?

    Feathers
    Last edited by Snowhog; Feb 15, 2014, 11:06 AM. Reason: DOS --> DoS
    samhobbs.co.uk

    #2
    Most ISPs have a TOS agreement which specifically forbids this. Your friend would be violating his TOS and I suspect that even with a letter from you approving the attack the ISP would probably take action anyway. Asking for permission ahead of time would probably get you a letter repeating the TOS.

    Also, most ISPs do monitor such activity as a course of business. Seeing a huge spike in traffic directed at your computer would raise their alarm bells because the LOIC signature generally is not to respond to the second phase of the handshake, thus flooding the target computer with initial requests for a handshake but never completing the 3 step process. The source of the attack would be logged and probably reported to law enforcement. Not coming from a computer running TOR, your friend's IP would be quickly identified and probably his ISP would also take action.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.


      #3
      Good advice, thank you! I guess I'll have to test it on my LAN.
      samhobbs.co.uk


        #4
        I'm not sure how the ISPs in the UK would react. Here in Seattle, I've deliberately attacked my own server instances on Amazon Web Services on occasion. AWS requires permission, as can be expected, since they're the target here. But Comcast (my ISP) has never given me any grief about it.

        Sam, if you want to do some testing to learn about this stuff, perhaps you could follow the same approach. Rather than attacking your own production server, set up a sacrificial instance in AWS.


          #5
          That's a good idea, I'll look into it.

          I've become quite attached to the site/mail server and I'm aware that it wouldn't take much to overwhelm the Pi. I'm not sure how much more legitimate traffic it can take as it is, let alone any nasty stuff.

          Last month the site got almost 300,000 hits! I'm assuming that a significant proportion of that was spam bots and web spiders, which is one of the reasons I've started looking at blocking stuff at the firewall (to block the spammers, not the spiders).

          Recently, I've been getting comment moderation request emails from WordPress where Akismet has taken a while to process the comments and cut the spam, whereas before it was pretty much instant. I checked and their servers weren't down during that time, although the plugin was still registering a problem connecting to them. I'm guessing either the pi was overloaded or Akismet was limiting the number of comments it would process for me in a given time, and the spam rate was higher than this.

          Fun times
          samhobbs.co.uk


            #6
            You will probably think I am a bit anal retentive here but...
            DOS stands for Disk Operating System (very popular during the 80's)
            DoS stands for Denial of Service (which I think is what you're referring to).


              #7
              Correct! 10 points ☺ thanks for correcting.
              samhobbs.co.uk


                #8
                Originally posted by Feathers McGraw
                I've become quite attached to the site/mail server
                Rather like one's first child

                Originally posted by Feathers McGraw
                Last month the site got almost 300,000 hits! I'm assuming that a significant proportion of that was spam bots and web spiders, which is one of the reasons I've started looking at blocking stuff at the firewall (to block the spammers, not the spiders).
                Popular dude! I'd wager that the majority of your traffic is bots and spiders. You could verify by:

                1. Extract all source IP addresses from your web server logs into a file.
                2. Count the number of times each address appears -- this gives you an indication of scale.
                3. Reduce the file to one entry per source address.
                4. Perform a reverse DNS lookup on each address in the file -- you can usually tell from the name what it is.
                5. Plot #2 over #5. Now you can answer the question of where most of your traffic comes from.

                Comment
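The tally described in post #8, as an added example that is not part of the original thread: it counts hits per source address, does one reverse lookup per unique address, and groups the hits by origin. It goes one step beyond the post by forward-confirming each PTR name, since PTR records are set by whoever controls the address block; the sample log, the resolver tables and every function name are constructed for illustration.

```python
import socket
from collections import Counter

# Constructed sample in Apache combined-log format. Addresses come from the
# RFC 5737 documentation ranges, not from the thread's logs.
LINE = '{ip} - - [15/Feb/2014:10:37:{sec:02d} +0000] "GET / HTTP/1.1" 200 512 "-" "-"'
SAMPLE_LOG = [
    LINE.format(ip=ip, sec=sec)
    for sec, ip in enumerate(
        ["192.0.2.10"] * 3 + ["198.51.100.7"] * 2 + ["203.0.113.5"] * 4 + ["192.0.2.11"]
    )
]

# Constructed resolver tables so the demo runs offline.
FAKE_PTR = {
    "192.0.2.10": "crawl-10.bot.example",
    "192.0.2.11": "crawl-11.bot.example",
    "198.51.100.7": "crawler.search.example",    # claims to be a crawler...
}
FAKE_FWD = {
    "crawl-10.bot.example": {"192.0.2.10"},
    "crawl-11.bot.example": {"192.0.2.11"},
    "crawler.search.example": {"203.0.113.99"},  # ...but the name maps elsewhere
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def fake_fwd(name):
    return FAKE_FWD.get(name, set())


def count_clients(lines):
    """Steps 1-3: hits per source address; the keys are the de-duplicated list."""
    return Counter(line.split(None, 1)[0] for line in lines if line.strip())


def system_ptr(ip):
    """Step 4 against real DNS: PTR name for ip, or None if it has none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def system_forward(name):
    """Addresses that name resolves to (empty set if it does not resolve)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def classify(ip, ptr_lookup=system_ptr, fwd_lookup=system_forward):
    """Return (hostname, status); status is unresolved, unconfirmed or confirmed."""
    name = ptr_lookup(ip)
    if not name:
        return None, "unresolved"
    # Forward-confirm: the PTR name must resolve back to the same address.
    if ip in fwd_lookup(name):
        return name, "confirmed"
    return name, "unconfirmed"


def origin_label(name, status):
    if status == "unresolved":
        return "(no PTR record)"
    if status == "unconfirmed":
        return "(PTR not forward-confirmed)"
    # Naive grouping on the last two labels; wrong for suffixes such as co.uk.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def traffic_by_origin(lines, ptr_lookup=system_ptr, fwd_lookup=system_forward):
    """Step 5 data: total hits per origin, one DNS lookup per unique address."""
    totals = Counter()
    for ip, hits in count_clients(lines).items():
        name, status = classify(ip, ptr_lookup, fwd_lookup)
        totals[origin_label(name, status)] += hits
    return totals


def text_plot(totals, width=40):
    """Render the totals as a text bar chart, largest origin first."""
    peak = max(totals.values(), default=1)
    return [
        f"{label:<30} {hits:>6} {'#' * max(1, hits * width // peak)}"
        for label, hits in totals.most_common()
    ]


if __name__ == "__main__":
    # Drop the two fake_* arguments to use real DNS (the defaults).
    for row in text_plot(traffic_by_origin(SAMPLE_LOG, fake_ptr, fake_fwd)):
        print(row)
```
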


                  #9
                  Webalizer does some of that for me already, I'll see if it will do the rDNS bit too...

                  samhobbs.co.uk


                    #10
                    I edited my webalizer config file so it does rDNS at each run, with a cache file. Here's what it came up with for feb so far (only the top bit shown):

                    [Attached image: hostnames.jpg]

                    It seems most of those are unresolvable, which suggests they're either bots or real users?
                    samhobbs.co.uk


                      #11
                      One or the other, yeah. Another source of information is whois. You can at least learn a little bit about what netblock the address came from.
                      Code:
                      steve@t520:~$ whois 77.88.102.70
                      % This is the RIPE Database query service.
                      % The objects are in RPSL format.
                      %
                      % The RIPE Database is subject to Terms and Conditions.
                      % See http://www.ripe.net/db/support/db-terms-conditions.pdf
                      
                      % Note: this output has been filtered.
                      %       To receive output for a database update, use the "-B" flag.
                      
                      % Information related to '77.88.102.64 - 77.88.102.79'
                      
                      % Abuse contact for '77.88.102.64 - 77.88.102.79' is 'abuse@kvantel.no'
                      
                      inetnum:        77.88.102.64 - 77.88.102.79
                      netname:        HT-NO-JACKON
                      descr:          Jackon AS, Sorkilen 3, 1620 Gressvik
                      country:        NO
                      admin-c:        HS4809-RIPE
                      tech-c:         HS4809-RIPE
                      admin-c:        HTNO1-RIPE
                      tech-c:         HTNO1-RIPE
                      status:         ASSIGNED PA
                      mnt-by:         AS41572-MNT
                      mnt-lower:      AS41572-MNT
                      mnt-routes:     AS41572-MNT
                      source:         RIPE # Filtered
                      
                      role:           Hafslund Telecom Network Operations
                      address:        LOERENVEIEN 68
                      address:        N-0580 Oslo
                      address:        Norway
                      phone:          +47 21902225
                      abuse-mailbox:  abuse@kvantel.no
                      admin-c:        YJ83-RIPE
                      tech-c:         YJ83-RIPE
                      nic-hdl:        HTNO1-RIPE
                      mnt-by:         AS41572-MNT
                      source:         RIPE # Filtered
                      
                      person:         Henning Sorli                                                                                                                        
                      address:        Sorkilen 3,                                                                                                                          
                      address:        1620 Gressvik                                                                                                                        
                      address:        Norway                                                                                                                               
                      phone:          + 47 69363300                                                                                                                        
                      fax-no:         + 47 69363399                                                                                                                        
                      mnt-by:         AS41572-MNT                                                                                                                          
                      nic-hdl:        HS4809-RIPE                                                                                                                          
                      source:         RIPE # Filtered                                                                                                                      
                                                                                                                                                                           
                      % Information related to '77.88.64.0/18AS41572'                                                                                                      
                                                                                                                                                                           
                      route:          77.88.64.0/18                                                                                                                        
                      descr:          NO-TOKOM-20070315                                                                                                                    
                      descr:          Hafslund Telekom AS                                                                                                                  
                      origin:         AS41572                                                                                                                              
                      mnt-by:         AS41572-MNT
                      source:         RIPE # Filtered
                      
                      % This query was served by the RIPE Database Query Service version 1.71 (WHOIS4)


                        #12
                        I was thinking about this the other day... I really should get whoisguard!
                        samhobbs.co.uk


                          #13
                          So, today someone in China (or through China) DoS'd my poor little RasPi.

                          Code:
                          admin@samhobbs /var/log/apache2/samhobbs $ cat access.log | grep 36.250.184.60 | sort
                          36.250.184.60 - - [15/Feb/2014:10:37:46 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:46 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:46 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:46 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:46 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:46 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:46 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:47 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:47 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:47 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:47 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:49 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:50 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:50 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:50 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:50 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:50 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:51 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:51 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:51 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:51 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:52 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:54 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:54 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:54 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:54 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:55 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:55 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:55 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:55 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:55 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:56 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:56 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:56 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:56 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:56 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:57 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:57 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:37:57 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:06 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:06 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:06 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:06 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:07 +0000] "GET / HTTP/1.0" 200 11194 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:07 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:08 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:08 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:09 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:10 +0000] "GET / HTTP/1.0" 200 12366 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:10 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:10 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:11 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:12 +0000] "GET / HTTP/1.0" 200 9590 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:12 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:12 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:12 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:13 +0000] "GET / HTTP/1.0" 200 11194 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:13 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:14 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:15 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:15 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:15 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:15 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:16 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:16 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:17 +0000] "GET / HTTP/1.0" 200 11194 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:17 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:17 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:18 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:19 +0000] "GET / HTTP/1.0" 200 11194 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:19 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:20 +0000] "GET / HTTP/1.0" 200 11194 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:20 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:20 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:21 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:22 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:22 +0000] "GET / HTTP/1.0" 200 9672 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:23 +0000] "GET / HTTP/1.0" 200 11194 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:23 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:38:28 +0000] "GET / HTTP/1.0" 200 9643 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:39:38 +0000] "GET / HTTP/1.0" 404 7453 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:40:00 +0000] "GET / HTTP/1.0" 500 607 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:40:18 +0000] "GET / HTTP/1.0" 500 607 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:40:18 +0000] "GET / HTTP/1.0" 500 607 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:40:39 +0000] "GET / HTTP/1.0" 500 607 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:40:39 +0000] "GET / HTTP/1.0" 500 607 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:40:47 +0000] "GET / HTTP/1.0" 500 607 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          36.250.184.60 - - [15/Feb/2014:10:40:57 +0000] "GET / HTTP/1.0" 500 607 "http://www.samhobbs.co.uk" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
                          After this, the MySQL database stopped accepting connections. Other services were unaffected.

                          Restarting mysql sorted things.

                          So, I'm going to try installing mod_security to see if I can limit the number of requests per second.

                          A question, though: when someone loads a page that contains images, a separate log entry is made for each image. Does each log entry count as a separate request? I'm trying to decide what a sensible limit on the number of requests per second would be.

                          Feathers
                          samhobbs.co.uk


                            #14
                            Originally posted by Feathers McGraw
                            So, today someone in China (or through China) DoS'd my poor little RasPi.
                            You have become something of a target lately!

                            Originally posted by Feathers McGraw
                            So, I'm going to try installing mod_security to see if I can limit the number of requests per second.
                            Good call. I'd further recommend that you use a recent OWASP-based ruleset -- this is more comprehensive than something you might try to build yourself and is supported by a community.

                            OWASP Ruleset project: https://www.owasp.org/index.php/Cate...le_Set_Project
                            Setup tutorials: http://www.google.com/search?q=ubuntu+modsecurity+owasp

                            Originally posted by Feathers McGraw
                            A question, though: when someone loads a page that contains images, a separate log entry is made for each image. Does each log entry count as a separate request? I'm trying to decide what a sensible limit on the number of requests per second would be.
                            Yes, each request is separate. HTTP is stateless; there is no such thing as a single command to get everything on a page. Each page element is fetched individually. As for reasonable per-second rates, the defaults in the OWASP ruleset should be sufficient.

                            Comment
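An added example (not from the thread or from mod_security) of sizing a per-client limit from the access log, as discussed in posts #13 and #14: it measures each client's peak request count in a sliding window, once over all requests and once over page requests only. The sample log, the file-extension list used to spot page assets and the thresholds are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# client, timestamp, method, request target, status (Apache combined format)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumption: requests for these extensions are page assets, not page views.
ASSET_RE = re.compile(r"\.(?:css|js|png|jpe?g|gif|ico|svg|woff2?)$", re.I)


def make_line(ip, sec, path):
    """Build one constructed log line, sec seconds after 10:00:00."""
    return (
        f"{ip} - - [15/Feb/2014:10:{sec // 60:02d}:{sec % 60:02d} +0000] "
        f'"GET {path} HTTP/1.1" 200 512 "-" "-"'
    )


# Constructed sample (RFC 5737 addresses): one ordinary visitor loading two
# pages with their images, and one client requesting "/" four times a second.
ASSETS = [f"/wp-content/img{n}.png" for n in range(8)]
SAMPLE_LOG = (
    [make_line("192.0.2.20", 0, "/")]
    + [make_line("192.0.2.20", n // 4, path) for n, path in enumerate(ASSETS)]
    + [make_line("192.0.2.20", 30, "/about/")]
    + [make_line("192.0.2.20", 30, path) for path in ASSETS[:5]]
    + [make_line("203.0.113.50", n // 4, "/") for n in range(40)]
)


def parse(line):
    """Return (client, epoch_seconds, is_page) or None for unparseable lines."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ip, stamp, _method, target, _status = match.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    is_page = not ASSET_RE.search(target.split("?", 1)[0])
    return ip, when.timestamp(), is_page


def peak_rates(lines, window_s=10):
    """Per client: the most requests seen in any window_s-second span."""
    # Apache logs at completion time, so sort before sliding the window.
    events = sorted(e for e in map(parse, lines) if e)
    windows = defaultdict(lambda: {"all": deque(), "pages": deque()})
    peaks = defaultdict(lambda: {"all": 0, "pages": 0})
    for ip, ts, is_page in events:
        for kind in ("all", "pages") if is_page else ("all",):
            window = windows[ip][kind]
            window.append(ts)
            while ts - window[0] >= window_s:   # drop requests older than the span
                window.popleft()
            peaks[ip][kind] = max(peaks[ip][kind], len(window))
    return {ip: dict(peak) for ip, peak in peaks.items()}


def flag_floods(lines, window_s=10, max_pages=10):
    """Clients whose page-request peak exceeds max_pages per window."""
    rates = peak_rates(lines, window_s)
    return sorted(ip for ip, peak in rates.items() if peak["pages"] > max_pages)


if __name__ == "__main__":
    for ip, peak in sorted(peak_rates(SAMPLE_LOG).items()):
        print(f"{ip:<15} all={peak['all']:>3} pages={peak['pages']:>3} per 10 s")
    print("flagged:", flag_floods(SAMPLE_LOG))
```

Because one page view fans out into many asset requests, a cap counted over all requests has to sit well above a cap counted over page requests, or ordinary visitors will trip it.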


                              #15
                              I spent a long time looking at this today but didn't have much luck:

                              I downloaded the latest set of rules from https://github.com/SpiderLabs/owasp-...zipball/master and installed them to /etc/apache2/modsecurity-crs/, copied the default setup.conf file over, added a statement to /etc/apache2/apache2.conf to load that file and any other files in /etc/apache2/modsecurity-crs/activated-rules/...

                              ...and this is what happened:

                              Code:
                              admin@samhobbs /etc/apache2 $ sudo service apache2 restart
                              Syntax error on line 52 of /etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_20_protocol_violations.conf:
                              Error parsing actions: Unknown action: ver
                              Action 'configtest' failed.
                              The Apache error log may have more information.
                               failed!
                              I think the OWASP ruleset is too new for the version of mod_security I'm using.

                              Do you know how to get versions of mod_security and OWASP ruleset? Is there a compatibility matrix somewhere so that I can choose a matching ruleset?

                              Feathers
                              samhobbs.co.uk
