One of our clients is receiving tons of DoS attacks on his review.cgi file.
I was wondering if anyone could share an experience or direct me towards a solution to help lessen the impact.
Here are some of the logs:
148-12 - 0/0/3 . 0.59 506 0 0.0 0.00 0.00000 198.144.206.40 www.SiteName.com GET /cgi-bin/review.cgi?id=1413&add_review=1 HTTP/1.1
149-12 - 0/0/1 . 0.00 506 0 0.0 0.00 0.00 198.144.208.38 www.SiteName.com GET /cgi-bin/review.cgi?id=1414&add_review=1 HTTP/1.1
150-12 - 0/0/1 . 0.00 502 0 0.0 0.00 0.00 198.144.208.38 www.SiteName.com GET /cgi-bin/review.cgi?id=1418&add_review=1 HTTP/1.1
151-12 - 0/0/1 . 0.00 501 0 0.0 0.00 0.00 198.144.208.38 www.SiteName.com GET /cgi-bin/review.cgi?id=1420&add_review=1 HTTP/1.1
152-12 - 0/0/1 . 0.00 504 0 0.0 0.00 0.00 198.144.206.40 www.SiteName.com GET /cgi-bin/review.cgi?id=1415&add_review=1 HTTP/1.1
The attacker is 198.144.208.38, and as you can see they are always using a different ID= value, so it is not easily detected.
I looked over the code and this is what is there. This had also happened on jump.cgi:
Code:
# ==================================================================
# Links SQL - enhanced directory management system
#
# Website : http://gossamer-threads.com/
# Support : http://gossamer-threads.com/scripts/support/
# CVS Info : 087,064,087,089,087
# Revision : $Id: review.cgi,v 1.4 2001/12/30 19:33:05 alex Exp $
#
# Copyright (c) 2001 Gossamer Threads Inc. All Rights Reserved.
# Redistribution in part or in whole strictly prohibited. Please
# see LICENSE file for full details.
# ==================================================================
use strict;
use lib '/home/SiteName/public_html/cgi-bin/admin';
use Links qw/$CFG/;
use Links::User::Review;

# Route fatal errors through the Links error page, then load config and user session.
local $SIG{__DIE__} = \&Links::fatal;
Links::init('/home/fatty/public_html/cgi-bin/admin');
Links::init_user();

# Let plugins veto the request; if none do, hand it to the review handler.
if (GT::Plugins->dispatch($CFG->{admin_root_path} . '/Plugins', 'check_request', \&Links::check_request)) {
    GT::Plugins->dispatch($CFG->{admin_root_path} . '/Plugins', 'handle_review', \&Links::User::Review::handle);
}
We already use mod_dosevasive and other anti-DoS methods, but this did not really kick in until the server was overloaded.
Any help is much appreciated...
Thx,
Tamouh
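The detection problem in the post is that every hit carries a different id= value, so anything that keys on the full request URI sees five "different" pages instead of one client hammering one script. The following is an added example (not the poster's code and not part of Links SQL) that parses the server-status lines quoted above, strips the query string before counting, and flags clients that exceed a per-path threshold. The sample text is the five lines from the post, embedded as constructed input; the field layout assumed is Apache ExtendedStatus order (Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request), and the threshold of 3 is an arbitrary value for the demonstration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample: the five mod_status lines quoted in the post.
SAMPLE_STATUS = """\
148-12 - 0/0/3 . 0.59 506 0 0.0 0.00 0.00000 198.144.206.40 www.SiteName.com GET /cgi-bin/review.cgi?id=1413&add_review=1 HTTP/1.1
149-12 - 0/0/1 . 0.00 506 0 0.0 0.00 0.00 198.144.208.38 www.SiteName.com GET /cgi-bin/review.cgi?id=1414&add_review=1 HTTP/1.1
150-12 - 0/0/1 . 0.00 502 0 0.0 0.00 0.00 198.144.208.38 www.SiteName.com GET /cgi-bin/review.cgi?id=1418&add_review=1 HTTP/1.1
151-12 - 0/0/1 . 0.00 501 0 0.0 0.00 0.00 198.144.208.38 www.SiteName.com GET /cgi-bin/review.cgi?id=1420&add_review=1 HTTP/1.1
152-12 - 0/0/1 . 0.00 504 0 0.0 0.00 0.00 198.144.206.40 www.SiteName.com GET /cgi-bin/review.cgi?id=1415&add_review=1 HTTP/1.1
"""

# Assumed column order: Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request.
LINE_RE = re.compile(
    r"^(?P<srv>\S+)\s+(?P<pid>\S+)\s+(?P<acc>\S+)\s+(?P<mode>\S+)\s+(?P<cpu>\S+)\s+"
    r"(?P<ss>\S+)\s+(?P<req>\S+)\s+(?P<conn>\S+)\s+(?P<child>\S+)\s+(?P<slot>\S+)\s+"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vhost>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<proto>HTTP/\d\.\d)$"
)


def parse_status_line(line):
    """Return a dict with client, vhost, method, path and query, or None if the line
    does not match the expected layout (e.g. an idle worker slot)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))  # path-only URL: .path drops "?id=...&add_review=1"
    return {
        "client": m.group("client"),
        "vhost": m.group("vhost"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parts.query,
    }


def count_by_client_and_path(text):
    """Hits per (client IP, path) with the query string ignored, so varying id= values
    all collapse onto the one script being hit."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_status_line(line)
        if rec is not None:
            counts[(rec["client"], rec["path"])] += 1
    return counts


def query_variants(text):
    """Distinct query strings per (client IP, path): a high variant count on one path
    is the 'same script, ever-changing parameters' pattern from the post."""
    variants = defaultdict(set)
    for line in text.splitlines():
        rec = parse_status_line(line)
        if rec is not None:
            variants[(rec["client"], rec["path"])].add(rec["query"])
    return {key: len(q) for key, q in variants.items()}


def flag_clients(counts, path, threshold):
    """Clients whose hit count on `path` is at or above `threshold`, sorted."""
    return sorted(ip for (ip, p), n in counts.items() if p == path and n >= threshold)


if __name__ == "__main__":
    counts = count_by_client_and_path(SAMPLE_STATUS)
    for (ip, path), n in sorted(counts.items()):
        print(f"{ip:16} {path:24} hits={n} distinct_queries={query_variants(SAMPLE_STATUS)[(ip, path)]}")
    print("over threshold:", flag_clients(counts, "/cgi-bin/review.cgi", 3))
```

Run against a larger snapshot (or an access log converted to the same fields) the same keying lets you see one address behind many "different" URLs; it also shows why a per-page limiter that keys on the full request line would never trip on this traffic, since no single key repeats.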