
I am getting hundreds of lines of the same request in my access logs as of July 4th. This one came up thousands of times in the hours around this date:

86.128.198.216 - - [22/Jul/2011:00:44:16 +0100] "GET /404.htm HTTP/1.1" 302 414 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB7.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C)"

There are others too - prior to the above lines there were hundreds of instances of this:

92.23.237.48 - - [21/Jul/2011:23:36:24 +0100] "GET /404.htm HTTP/1.1" 302 414 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; eSobiSubscriber 2.0.4.16; .NET4.0C; InfoPath.1; BRI/2)"

And many other similar IPs that are requesting 404.htm hundreds/thousands of times. Consequently we've exceeded our 100GB bandwidth and our site is currently down.

The website is tiny (with about 2-3000 visits a month) and I just can't really work out what's going on. Any help/advice would be appreciated as I generally don't deal with the administrator side of the web as, until a few months ago, we had a guy who dealt solely with that.

Waiting for my webhosting company to figure this out is painful.

Thanks,

Rich

**Quote OP:** _"Waiting for my webhosting company to figure this out is painful."_ ~ If your hosting company does not care about DDoS attacks, it might be time to switch to new hosting. As you alluded in your comment on the answer, server configuration to prevent DDoS is not your job, it's theirs. – Sparky Nov 23 '12 at 16:44


I'm not an expert, but here are my findings:

One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

Your situation appears to fit the description. Here are helpful links:

Thanks for your reply, although I am really looking for confirmation that this is a DDoS attack rather than something poorly configured on the site that is triggering these 404s in some way. I checked those links and basically, without actually hosting my own server and setting up firewalls there seems to be little that can be done ... – RichieAHB Jul 26 '11 at 14:22
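A way to put numbers on what the quoted log lines show, added here as an example and not code from the question or the answer: it parses Apache combined-format lines like those in the question, counts requests for one path per client IP and per minute, and sums the bytes that path consumed. Those are the figures to look at for the question raised in the last comment (how many distinct clients, at what rate, and how much of the 100GB they account for). The sample log is constructed for the example; two of its IPs are taken from the question, the third is a documentation-range address.

```python
import re
from collections import Counter
# Apache "combined" log format, the layout of the lines quoted in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["minute"] = rec["ts"][:17]  # "22/Jul/2011:00:44" -> one-minute bucket
    return rec

def flood_report(lines, path="/404.htm", per_ip_threshold=50):
    """How much of the log is one path, how many clients send it, and how fast."""
    total, path_bytes = 0, 0
    hits_per_ip, hits_per_minute = Counter(), Counter()  # requests for `path`
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the report
        total += 1
        if rec["path"] == path:
            hits_per_ip[rec["ip"]] += 1
            hits_per_minute[rec["minute"]] += 1
            path_bytes += rec["bytes"]
    return {
        "total_requests": total,
        "path_requests": sum(hits_per_ip.values()),
        "distinct_ips": len(hits_per_ip),
        "path_bytes": path_bytes,
        "peak_per_minute": max(hits_per_minute.values(), default=0),
        "noisy_ips": sorted(ip for ip, n in hits_per_ip.items() if n >= per_ip_threshold),
    }

# Constructed sample log (not from the question): two clients repeating the /404.htm
# request shown there, plus a few ordinary page views from a documentation-range IP.
UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
def _line(ip, ts, path, status, nbytes):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {nbytes} "-" "{UA}"'
SAMPLE_LOG = (
    [_line("86.128.198.216", "22/Jul/2011:00:44:16 +0100", "/404.htm", 302, 414)] * 120
    + [_line("92.23.237.48", "21/Jul/2011:23:36:24 +0100", "/404.htm", 302, 414)] * 60
    + [_line("203.0.113.5", "22/Jul/2011:00:45:01 +0100", "/index.html", 200, 5120)] * 3
)
```

Run `flood_report(open("access.log"))` against a real file to get the same summary; a handful of IPs each above the threshold, all hitting one path, with the path's byte total dominating the log, is the pattern the question describes.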