nanog mailing list archives

Re: Pattern matching odd HTTP request
From: "Jake Khuon" <khuon () GBLX Net>
Date: Tue, 18 Sep 2001 15:30:16 -0700


### On Wed, 19 Sep 2001 00:20:19 +0200, "Karsten W. Rohrbach"
### <karsten () rohrbach de> casually decided to expound upon
### mike () biggorilla com the following thoughts about "Re: Pattern matching
### odd HTTP request":

KWR> mike () biggorilla com(mike () biggorilla com)@2001.09.18 17:03:44 +0000:
KWR> [...]
KWR> > Doesn't seem new...
KWR> >
KWR> > 195.188.192.18 - - [13/Sep/1999:02:23:43 -0500] "-" 408 - "-" "-"
KWR> > 195.188.192.18 - - [14/Sep/1999:02:18:54 -0500] "-" 408 - "-" "-"
KWR> >
KWR> > But just a little more increased.
KWR> 
KWR> --- rfc2616 - http 1.1:
KWR> 10.4.9 408 Request Timeout
KWR> 
KWR>    The client did not produce a request within the time that the server
KWR>    was prepared to wait. The client MAY repeat the request without
KWR>    modifications at any later time.
KWR> ---
KWR> 
KWR> take care,

Yes... but when you're seeing this:

...
208.178.31.134 - - [18/Sep/2001:15:22:21 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:22:23 -0700] "-" 408 -
208.178.47.36 - - [18/Sep/2001:15:23:19 -0700] "-" 408 -
208.178.144.36 - - [18/Sep/2001:15:23:30 -0700] "-" 408 -
208.178.120.13 - - [18/Sep/2001:15:23:37 -0700] "-" 408 -
208.178.31.138 - - [18/Sep/2001:15:23:42 -0700] "-" 408 -
208.35.212.156 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:23:49 -0700] "-" 408 -
208.178.31.134 - - [18/Sep/2001:15:23:51 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:23:52 -0700] "-" 408 -
208.178.47.36 - - [18/Sep/2001:15:24:49 -0700] "-" 408 -
208.178.144.36 - - [18/Sep/2001:15:25:00 -0700] "-" 408 -
208.178.120.13 - - [18/Sep/2001:15:25:07 -0700] "-" 408 -
208.178.31.138 - - [18/Sep/2001:15:25:12 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:25:18 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:25:19 -0700] "-" 408 -
208.35.212.156 - - [18/Sep/2001:15:25:20 -0700] "-" 408 -
208.178.31.134 - - [18/Sep/2001:15:25:22 -0700] "-" 408 -
208.178.176.105 - - [18/Sep/2001:15:25:23 -0700] "-" 408 -
208.178.47.36 - - [18/Sep/2001:15:26:19 -0700] "-" 408 -
208.178.120.13 - - [18/Sep/2001:15:26:37 -0700] "-" 408 -
...

You start to suspect a DDOS port-flood attack.  It's certainly causing me to
spawn a lot of httpds and occupying a lot of ports.


--
/*====================[ Jake Khuon <khuon () GBLX Net> ]======================+
 | Chief Global Data Network Management Architect      /~_ |_ () |3 /-\ |_ |
 | VOX: +1 (425) 391-2262  Fax: +1 (425) 391-6772      \_| C R O S S I N G |
 +=============[ 900 4th. Ave., Floor 12, Seattle, WA  98164 ]=============*/
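
The pattern discussed in this message (bursts of request-less 408 entries from the same clients) can be picked out of an access log mechanically. The following is an added example, not part of the original post: the function names, the one-minute window, the threshold of 3 and the sample lines (RFC 5737 documentation addresses) are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format entry whose request field is "-" and status is 408:
# the client connected and sent nothing before the server timed out.
IDLE_408 = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "-" 408 ')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:15:22:21 -0700] "-" 408 -
192.0.2.10 - - [18/Sep/2001:15:22:40 -0700] "-" 408 -
198.51.100.7 - - [18/Sep/2001:15:22:41 -0700] "GET / HTTP/1.0" 200 1043
192.0.2.10 - - [18/Sep/2001:15:23:05 -0700] "-" 408 -
203.0.113.5 - - [18/Sep/2001:15:23:10 -0700] "-" 408 -
192.0.2.10 - - [18/Sep/2001:15:23:15 -0700] "-" 408 -
192.0.2.10 - - [18/Sep/2001:15:40:00 -0700] "-" 408 -
"""

def parse_idle_timeouts(lines):
    """Yield (client, timestamp) for each request-less 408 entry."""
    for line in lines:
        m = IDLE_408.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def flag_clients(lines, window=timedelta(minutes=1), threshold=3):
    """Return {client: peak} for clients whose idle-408 count inside any
    sliding window reaches the threshold (both values are assumptions to tune)."""
    times = defaultdict(list)
    for client, ts in parse_idle_timeouts(lines):
        times[client].append(ts)
    flagged = {}
    for client, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Shrink the window from the left until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged

if __name__ == "__main__":
    for client, peak in flag_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {peak} idle 408s within one minute")
```

A single 408 per client per day, as in the 1999 lines quoted above, stays below the threshold; only repeated idle connections from the same address inside the window are reported.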


