

Server Overloaded by Malware Requests




Posted by jplamb, 12-07-2011, 01:17 PM
The load on one of my dedicated servers has been between 70-120 (16 cores) for the last couple of days. After reviewing the logs I found about 10-20 requests per second on one of the sites on the server. The requests are all for three nonexistent image files followed by a random string, all coming from unique IP addresses. I found a couple of reports on a malware site mentioning these specific requests to my website, as well as the same program trying to do the same thing to about nine other sites. I have included a very small sample of my Apache log (less than one second) below. Is there any way to block these requests before they hit Apache, or to otherwise reduce the load/log size? (They are all for the same three file names.)

Posted by srider, 12-07-2011, 01:34 PM
Until you have a better grasp of what is going on you might touch these three files to create 0 byte objects for the server to easily cache. That might drop the load depending on what happens when an HTTP 404 error occurs. Another option, create a zero byte file and serve it as a 404 error response.

Posted by Steven, 12-07-2011, 02:16 PM
Rather than just limiting access to the files you should be securing your server so they don't get there to begin with.

Posted by techstubble, 12-07-2011, 02:43 PM
Another option is to write a script to tail -f the access log file, grab the offending IPs and add drop statements to iptables for each one.

Posted by jplamb, 12-07-2011, 03:19 PM
The server is secure. Not sure how this is a security issue when there are 25k+ unique IPs requesting a file from Apache. It's basically just a DDoS attack being generated by some program. I can't restrict access to the public files on Apache. I'm going to try the 0 byte files to see if that helps with the load, and I guess I'll try to block all the IPs requesting those files.

Posted by gone-afk, 12-07-2011, 07:12 PM
Try rewriting the URL (123.gif) to google.com, I've found a lot of these attacks follow the redirect and it causes almost no load on the server to redirect. You can put nginx in front of apache to handle this domain and those 25k/second requests will run without a hitch. Also add each of the attacking IPs to your firewall as they come in (script as techstubble suggested).
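An added example, not from any poster in this thread, of the script techstubble and gone-afk describe: it reads Apache combined-format log lines, pulls out each client that requested one of the bogus image files, and emits the firewall commands to drop them. The three file names (bad1.gif, bad2.gif, bad3.gif), the ipset name, and the sample log lines are all assumptions; the thread never names the files and the OP's log sample is not reproduced on the page. It uses ipset rather than one iptables rule per address because with 25k+ sources a hash set stays O(1) per packet while a 25k-rule chain is scanned linearly.

```shell
#!/bin/sh
# Added example (not from the thread). Extract the IPs that request the
# bogus image files from Apache access-log lines and block them with ipset.

# Assumed file names; the thread does not name the three images.
BAD_FILES='bad1[.]gif|bad2[.]gif|bad3[.]gif'
SET_NAME='badimg'   # assumed ipset name

# Constructed sample log lines, not from the original post: two attacking
# hosts (paths end in a random string, as the OP describes) and one
# legitimate visitor.
SAMPLE_LOG='198.51.100.7 - - [07/Dec/2011:13:10:01 -0500] "GET /bad1.gif?x7kq2 HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [07/Dec/2011:13:10:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Dec/2011:13:10:01 -0500] "GET /bad2.gif?p0ab1 HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.33 - - [07/Dec/2011:13:10:02 -0500] "GET /bad3.gif?zz91q HTTP/1.1" 404 209 "-" "Mozilla/4.0"'

# offending_ips: read log lines on stdin; print each client IP ($1) whose
# request path ($7) starts with one of the bad files, once, first-seen order.
offending_ips() {
    awk -v pat="$BAD_FILES" '
        $7 ~ ("^/(" pat ")") && !seen[$1]++ { print $1 }
    '
}

# setup_blocklist: one-time commands creating the hash set and the single
# iptables rule that consults it. Printed, not run; pipe to sh as root.
setup_blocklist() {
    printf '%s\n' \
        "ipset -exist create $SET_NAME hash:ip" \
        "iptables -I INPUT -p tcp --dport 80 -m set --match-set $SET_NAME src -j DROP"
}

# block_ips: turn each IP on stdin into an ipset add command. Prints the
# commands by default; pass "apply" to execute them (requires root).
block_ips() {
    mode="${1:-print}"
    while read -r ip; do
        cmd="ipset -exist add $SET_NAME $ip"
        if [ "$mode" = apply ]; then
            $cmd
        else
            printf '%s\n' "$cmd"
        fi
    done
}

# Dry run over the constructed sample. On a live server the equivalent is:
#   setup_blocklist | sh
#   tail -F /var/log/apache2/access.log | offending_ips | block_ips apply
setup_blocklist
printf '%s\n' "$SAMPLE_LOG" | offending_ips | block_ips
```

Two caveats a practitioner would want: because every request in the OP's case comes from a distinct IP, blocking after the first hit only saves the follow-up requests from that host, so combining this with a cheap response for those paths (a zero-byte file, a 204, or a redirect as gone-afk suggests) does more for load than the firewall alone; and tail -F (capital F) should be used rather than tail -f so the script survives log rotation.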

Posted by khunj, 12-08-2011, 12:33 PM
10-20 requests per second bring your 16-core server's load average up to 120? You may need to optimize your HTTP server a little bit.


