some sort of attack?

Praveen Yarlagadda
March 16, 2013 05:36AM
Hi,

I installed nginx on an EC2 instance. After a few hours, I started getting
repeated requests from a set of servers. I tried using limit_req with the
following options:

limit_req_zone $binary_remote_addr zone=ratezone:10m rate=3r/s;
limit_req zone=ratezone burst=5 nodelay;

But I found that it is not effective. If you take a look at the following
access_log content, you would notice that the IP addresses are different. I
don't see more than 3 requests in a sec. Another weird thing is GET
requests are starting with "http://". I never saw it before. Is there any
way I can filter requests or possibly throw 503?

Any help is really appreciated.


108.62.157.221 - - [16/Mar/2013:06:48:32 +0000] "GET
http://ad.tagjunction.com/st?ad_type=iframe&ad_size=728x90&section=3127172&pub_url=${PUB_URL}HTTP/1.0"
404 570 "
http://www.oslims.com/green-coffee/pure-coffee/why-should-you-buy-a-professional-coffee-maker.html"
"Mozilla/4.0 (compatible; MSIE 6.01; Windows 95; Alexa Toolbar)" "-"
108.62.192.236 - - [16/Mar/2013:06:48:32 +0000] "GET
http://ads1.ministerial5.com/creative/2-002134604-00001i;size=1 HTTP/1.0"
404 570 "
http://femalefashionroad.com/index.php?option=com_mailto&tmpl=component&link=aHR0cDovL2ZlbWFsZWZhc2hpb25yb2FkLmNvbS9pbmRleC5waHA/b3B0aW9uPWNvbV9jb250ZW50JnZpZXc9YXJ0aWNsZSZpZD0xOTYyNzoyMDExLTEyLTE1LTIyLTA5LTE3JmNhdGlkPTQxOndvbWVuLWZhc2hpb24mSXRlbWlkPTk3"
"Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)" "-"
173.208.16.212 - - [16/Mar/2013:06:48:32 +0000] "GET
http://ib.adnxs.com/ttj?id=1184170 HTTP/1.0" 404 570 "
http://ffwoman.com/index.php?option=com_content&view=article&id=1358:face-cream-nearly-killed-a-woman&catid=54:health-tips&Itemid=100"
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/535.1 (KHTML, like
Gecko) Chrome/13.0.782.20 Safari/535.1" "-"
173.234.116.220 - - [16/Mar/2013:06:48:32 +0000] "GET
http://ad.globe7.com/st?ad_type=pop&ad_size=0x0&section=2978145&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1HTTP/1.0"
404 570 "
http://www.economysea.com/index.php?option=com_content&view=article&id=7067:2011-09-28-20-11-07&catid=48:economy-today&Itemid=98"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko)
Ubuntu/11.04 Chromium/17.0.963.65 Chrome/17.0.963.65 Safari/535.11" "-"
72.52.75.73 - - [16/Mar/2013:06:48:32 +0000] "GET
http://ib.adnxs.com/tt?id=1121510&cb=${CACHEBUSTER}&pubclick=${CLICK_URL}HTTP/1.0"
404 570 "
http://www.tvzhou.com/?tag=lisa&paged=2" "Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/535.2 (KHTML, like Gecko) Chrome/18.6.872.0 Safari/535.2
UNTRUSTED/1.0 3gpp-gba UNTRUSTED/1.0" "-"
23.19.67.56 - - [16/Mar/2013:06:48:32 +0000] "GET
http://ad.tagjunction.com/st?ad_type=iframe&ad_size=120x600&section=3680802&pub_url=${PUB_URL}HTTP/1.0"
404 168 "
http://economicface.com/index.php?option=com_mailto&tmpl=component&link=e3ca08bc42ab0d0829e79ecb01f98523fba42f8b"
"Mozilla/5.0 (Windows; U; WinNT3.51; en-US; rv:1.8.1.7) Gecko/20070914
Firefox/2.0.0.7" "-"
173.234.145.205 - - [16/Mar/2013:06:48:32 +0000] "GET
http://ad.globe7.com/st?ad_type=iframe&ad_size=728x90&section=4097260&pub_url=${www.classidressing.com}HTTP/1.0"
404 570 "
http://classidressing.com/index.php?view=article&catid=43:womens-clothing&id=7161:2012-01-19-23-59-09&format=pdf"
"Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; MSIECrawler)" "-"
142.4.126.137 - - [16/Mar/2013:06:48:32 +0000] "GET
http://ads.clovenetwork.com/ttj?id=801591&pubclick=[INSERT_CLICK_TAG]HTTP/1.0"
404 570 "
http://www.today-car.com/?cat=601" "Mozilla/4.0 (compatible; MSIE 6.0;
Update a; Win32)" "-"
23.19.130.109 - - [16/Mar/2013:06:48:32 +0000] "GET
http://ads1.ministerial5.com/creative/2-002134516-00001i;size=2 HTTP/1.0"
500 594 "
http://likecatpink.com/index.php?option=com_content&view=article&id=10082:2012-01-07-14-12-06&catid=43:fashion-jewellery&Itemid=99"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; Alexa Toolbar)" "-"
108.62.17.245 - - [16/Mar/2013:06:48:32 +0000] "GET
http://ib.adnxs.com/ttj?id=1200348&cb=${CACHEBUSTER}&pubclick=${CLICK_URL}HTTP/1.0"
404 168 "
http://styleear.com/index.php?option=com_mailto&tmpl=component&link=5d2f4abeb642b19272252d653174f14589e07a8b"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626
Firefox/0.8" "-"

-Praveen
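
Added example, not part of the original post: a small log triage script that flags requests whose target is an absolute URI for a host the server does not serve, and measures the per-IP request rate that a `limit_req` zone keyed on `$binary_remote_addr` would see. The sample lines, IP addresses and hostnames are constructed, and `www.mysite.example` is a hypothetical name for the server's own host.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
# Method, target, optional protocol; the space before HTTP/x.y is sometimes missing.
REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>.*?)\s*(?:HTTP/\d\.\d)?$')

# Constructed sample lines (documentation IP ranges, example hostnames).
SAMPLE = [
    '192.0.2.10 - - [16/Mar/2013:06:48:32 +0000] "GET http://ads.example.net/st?ad_type=iframe&pub_url=${PUB_URL}HTTP/1.0" 404 570 "http://blog.example.org/a.html" "Mozilla/4.0" "-"',
    '192.0.2.11 - - [16/Mar/2013:06:48:32 +0000] "GET http://ads.example.net/ttj?id=1 HTTP/1.0" 404 570 "-" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [16/Mar/2013:06:48:32 +0000] "GET http://track.example.com/tt?id=2 HTTP/1.0" 404 168 "-" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [16/Mar/2013:06:48:32 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [16/Mar/2013:06:48:32 +0000] "GET http://www.mysite.example/about HTTP/1.1" 200 900 "-" "Mozilla/5.0" "-"',
]

def parse(line):
    """Return (ip, timestamp, request target) or None for an unparseable line."""
    m = LINE_RE.match(line)
    r = m and REQ_RE.match(m.group("req"))
    return (m.group("ip"), m.group("ts"), r.group("target")) if r else None

def foreign_host(target, own_hosts):
    """Return the host of an absolute-form target that is not ours, else None."""
    if not re.match(r'^https?://', target, re.I):
        return None  # origin-form ("/path"): an ordinary request
    host = (urlsplit(target).hostname or "").lower()
    return None if host in own_hosts else host

def analyze(lines, own_hosts):
    probes, per_ip_second = Counter(), Counter()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts, target = parsed
        per_ip_second[(ip, ts)] += 1  # what a per-IP rate limit would count
        host = foreign_host(target, own_hosts)
        if host:
            probes[host] += 1
    return {
        "probe_hosts": dict(probes),
        "distinct_ips": len({ip for ip, _ in per_ip_second}),
        "max_rate_per_ip": max(per_ip_second.values(), default=0),
    }
```

On the sample, the highest per-IP count in any one second stays below the 3r/s limit while three requests name foreign hosts, so the request target separates this traffic where the per-address rate does not.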