Question
I'm running several services like Redmine, Continuum or Tomcat. Lately all of them have been extremly slow. In the worst cases i had to wait up to 5 minutes just to see the front page of my tomcat server.
I decided to take a look into the access.log file from apache2 and noticed, that my server has been flooded with GET requests. Here's a snipped of the log file.
https://stackoverflow.com/questions/22610798
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian66.249.67.238 - - [24/Mar/2014:14:10:15 +0100] "GET /maven2/com/sun/jersey/jersey-server/1.7-SNAPSHOT/maven-metadata-maven2-repository.dev.java.net.xml.md5 HTTP/1.1" 500 1084 "-" "SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)"
23.239.123.39 - - [24/Mar/2014:14:10:22 +0100] "GET http://ads.yashi.com/12976 HTTP/1.0" 500 1153 "http://www.edunyc.com" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16"
198.13.111.248 - - [24/Mar/2014:14:10:23 +0100] "GET http://ib.adnxs.com/tt?id=2249888&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.thebankparent.com/?p=5426" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; Media Center PC 5.0; .NET CLR 2.0.50727)"
66.249.66.120 - - [24/Mar/2014:14:10:25 +0100] "GET /maven2/org/apache/maven/surefire/surefire-junit/2.4.2/ HTTP/1.1" 500 1084 "-" "DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)"
23.91.20.235 - - [24/Mar/2014:14:10:26 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?cat=1" "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; c .NET CLR 3.0.04506; .NET CLR 3.5.30707; InfoPath.1)"
198.13.111.243 - - [24/Mar/2014:14:10:26 +0100] "GET http://ib.adnxs.com/tt?id=2249973&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.finank.com/?tag=tv" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:5.0) Gecko/20100101 Firefox/5.0"
23.91.20.238 - - [24/Mar/2014:14:10:32 +0100] "GET http://ib.adnxs.com/tt?id=2249973&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.finank.com/?p=12004" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727)"
23.91.20.236 - - [24/Mar/2014:14:10:34 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?tag=kids" "Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1)"
184.105.203.51 - - [24/Mar/2014:14:10:35 +0100] "GET http://ib.adnxs.com/tt?id=2208504&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.tvlucifer.com/online-videos/friends-and-family/8-near-death-experience-nahtoderfahrung-8.html#comments" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; FDM; MSIECrawler; Media Center PC 5.0)"
66.249.66.120 - - [24/Mar/2014:14:10:36 +0100] "GET /maven2/org/apache/maven/jxr/jxr/2.2/ HTTP/1.1" 500 1084 "-" "DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)"
23.228.234.125 - - [24/Mar/2014:14:10:40 +0100] "GET http://ib.adnxs.com/tt?id=2249888&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.thebankparent.com/?tag=trucks" "Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/5.0"
23.91.20.236 - - [24/Mar/2014:14:10:42 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?p=31177" "Mozilla/5.0 (X11; CrOS i686 1193.158.0) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
23.91.20.238 - - [24/Mar/2014:14:10:44 +0100] "GET http://ib.adnxs.com/tt?id=2249973&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.finank.com/?tag=trance" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)"
198.13.111.243 - - [24/Mar/2014:14:10:44 +0100] "GET http://ib.adnxs.com/tt?id=2249973&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.finank.com/?p=5430" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)"
23.228.234.121 - - [24/Mar/2014:14:10:49 +0100] "GET http://ib.adnxs.com/tt?id=2249481&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.tvluck.net/?p=272" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar)"
221.215.112.238 - - [24/Mar/2014:14:10:51 +0100] "GET http://www.mmadsgadget.com/t?id=9c527de6-0d69-4d59-af9e-09e2ee635eaa&size=300x250 HTTP/1.0" 500 1075 "http://www.travelandleisure.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
72.52.98.142 - - [24/Mar/2014:14:10:59 +0100] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250§ion=5141612&pub_url=${PUB_URL} HTTP/1.0" 500 1153 "http://www.wdhcc.com/?p=13760" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
23.91.20.235 - - [24/Mar/2014:14:11:03 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?p=28749" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/18.6.872.0 Safari/535.2 UNTRUSTED/1.0 3gpp-gba UNTRUSTED/1.0"
23.228.234.121 - - [24/Mar/2014:14:11:04 +0100] "GET http://ib.adnxs.com/tt?id=2249481&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.tvluck.net/?p=4130" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 4.0; Alexa Toolbar)"
23.91.20.235 - - [24/Mar/2014:14:11:04 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?p=32312" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)"
23.228.234.124 - - [24/Mar/2014:14:11:05 +0100] "GET http://ib.adnxs.com/tt?id=2249921&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.pcemar.com/?category_name=lifestyle-2" "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; fr-FR)"
222.141.201.109 - - [24/Mar/2014:14:11:06 +0100] "GET http://ads.mopub.com/m/ad?v=6&id=e97c43fa9d4311e295fa123138070049&nv=1.12.0.0&udid=sha:24cd3e740e7a4f0ade96ceb5bc5ae5dc8c7a114f&ll=38.658724,-92.535656&z=CDT&o=l&sc_a=1.3&mr=1&mcc=302&mnc=720&iso=US&cn=Wireless%20Rogers%20Communications HTTP/1.0" 500 1069 "-" "Opera/9.80 (Android 2.2.2; Linux; Opera Mobi/ADR-1111101157; U; en) Presto/2.9.201 Version/11.50"
23.91.20.237 - - [24/Mar/2014:14:11:09 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?p=29929" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)"
23.228.234.115 - - [24/Mar/2014:14:11:10 +0100] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250§ion=4819271&pub_url=${PUB_URL} HTTP/1.0" 500 1153 "http://www.linnama.com/?p=993" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110814 Firefox/6.0"
184.105.203.51 - - [24/Mar/2014:14:11:10 +0100] "GET http://ib.adnxs.com/tt?id=2208504&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.tvlucifer.com/tag/love" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)"
198.13.111.248 - - [24/Mar/2014:14:11:12 +0100] "GET http://ib.adnxs.com/tt?id=2249888&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.thebankparent.com/?category_name=driving-style-and-technique" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.813.0 Safari/535.1"
198.13.111.242 - - [24/Mar/2014:14:11:13 +0100] "GET http://ib.adnxs.com/tt?id=2249973&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.finank.com/?p=13741" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.861.0 Safari/535.2"
198.13.111.246 - - [24/Mar/2014:14:11:18 +0100] "GET http://ib.adnxs.com/tt?id=2249921&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.pcemar.com/?p=974" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110814 Firefox/6.0"
72.52.98.140 - - [24/Mar/2014:14:11:18 +0100] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90§ion=5141612&pub_url=${PUB_URL} HTTP/1.0" 500 1153 "http://www.wdhcc.com/?tag=scare" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; SLCC2; .NET CLR 2.0.50727; InfoPath.3; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729; MS-RTC LM 8)"
23.228.234.117 - - [24/Mar/2014:14:11:19 +0100] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250§ion=4819271&pub_url=${PUB_URL} HTTP/1.0" 500 1153 "http://www.linnama.com/?p=850" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
23.91.20.235 - - [24/Mar/2014:14:11:20 +0100] "GET http://ib.adnxs.com/tt?id=2287590&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.agtvbi.com/?cat=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.0; Trident/4.0; InfoPath.1; SV1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 3.0.04506.30)"
23.228.234.116 - - [24/Mar/2014:14:11:24 +0100] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250§ion=4819271&pub_url=${PUB_URL} HTTP/1.0" 500 1153 "http://www.linnama.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)"
23.228.234.124 - - [24/Mar/2014:14:11:24 +0100] "GET http://ib.adnxs.com/tt?id=2249921&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.pcemar.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)"
198.13.111.243 - - [24/Mar/2014:14:11:24 +0100] "GET http://ib.adnxs.com/tt?id=2249973&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 500 1152 "http://www.finank.com/?tag=upc" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; yie8)"
Reading this i understand that i'm under some kind of ProxyAbuse, but deactivating the mod_proxy module doesn't stop the reqeusts at all. The only way i found working is to block port 80 in the listen.conf file. But than of course Redmine, Continuum and Tomcat are not reachable from outside.
Any ideas? Thanks in advance...
Solution
As explained here: https://serverfault.com/questions/242292/apache-getting-hammered-by-nonsense-requests-how-to-stop
You could use fail2ban or hosts.deny to block hosts in question from accessing your server.
Also, you could configure your firewall if that is applicable to block abusing IPs.
OTHER TIPS
Fail2ban works by using iptables which maintains a list of IPs which it things are malicious and it will block any inbound request from these IPs. This is a kind on negative security model. I would recommend you to use a positive security model where you should return 403 status to all the inbound requests that are not for your server name.
You should install mod_security on your apache web server and create the following rule:
SecRule SERVER_NAME "www\.yourdomain\.com$" "id:'200000',phase:1,nolog,allow,ctl:ruleEngine=off"
In case you have any problems you can change the nolog to log and see the logs to understand whats happening. Hope this helps.
