HTTP GET/POST FLOOD attacks?


phil_s
Hey there, 

A friend's server (php, to be exact) is now going down rather frequently (still irregular but almost every week), and I am trying to get to the bottom of it.
It's a serverpilot configured small to middle tier DO Ubuntu server, running php 7 on nginx, https only, (with a letsencrypt certificate added manually by me, not via serverpilot)
When looking through the various log files I found a couple of things I couldn't place, can you guys make anything of this?

This happens multiple times a day (from different IPs) and goes on for 40-50 pings:

200.8.223.47 - - [07/Mar/2017:01:02:27 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:03:13 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:03:59 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:04:45 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:05:32 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:06:19 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:07:05 +0100] "POST / HTTP/1.0" 301 229
....

Is this suspicious? (nobody was editing the site at this time)

 

And these here come in 2-10 sec intervals, usually in 2-3 minute bursts, from different IPs, sometimes multiple times a day, sometimes followed by 30-40 "POST" commands

86.106.157.213 - - [06/Mar/2017:16:40:53 +0100] "GET /wp-login.php HTTP/1.0" 301 245
86.106.157.213 - - [06/Mar/2017:16:40:58 +0100] "GET /wp-login.php HTTP/1.0" 301 245
86.106.157.213 - - [06/Mar/2017:16:41:03 +0100] "GET / HTTP/1.0" 301 233

While this should by no means get the server to its knees (or should it?), this is not normal, right?

Cheers folks!
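
Added example (not part of the original post): a small Python script that groups access-log lines like the ones quoted above by client IP and flags the two patterns described, fixed-interval repeats and wp-login.php requests. The sample lines are constructed with documentation-range IPs, the thresholds are arbitrary, and treating wp-login.php hits as probes assumes the site does not run WordPress.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in the same log format as the post (IPs are placeholders).
SAMPLE = """\
192.0.2.10 - - [07/Mar/2017:01:02:27 +0100] "POST / HTTP/1.0" 301 229
192.0.2.10 - - [07/Mar/2017:01:03:13 +0100] "POST / HTTP/1.0" 301 229
192.0.2.10 - - [07/Mar/2017:01:03:59 +0100] "POST / HTTP/1.0" 301 229
192.0.2.10 - - [07/Mar/2017:01:04:45 +0100] "POST / HTTP/1.0" 301 229
198.51.100.7 - - [06/Mar/2017:16:40:53 +0100] "GET /wp-login.php HTTP/1.0" 301 245
198.51.100.7 - - [06/Mar/2017:16:40:58 +0100] "GET /wp-login.php HTTP/1.0" 301 245
198.51.100.7 - - [06/Mar/2017:16:41:03 +0100] "GET / HTTP/1.0" 301 233
this line is malformed and must be skipped
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+')

def summarize(text, min_hits=3, max_jitter=2.0):
    """Return ({ip: summary}, skipped_line_count) for an access-log excerpt."""
    per_ip, skipped = defaultdict(list), 0
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            skipped += 1          # count unparseable lines instead of crashing
            continue
        ip, ts, method, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        per_ip[ip].append((when, method, path))
    report = {}
    for ip, hits in per_ip.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        flags = set()
        # Near-constant spacing between requests points to a timer, not a person.
        if len(hits) >= min_hits and pstdev(gaps) <= max_jitter:
            flags.add("fixed-interval")
        if sum(1 for _, m, p in hits if m == "POST" and p == "/") >= min_hits:
            flags.add("repeated-post-root")
        if any(p.endswith("wp-login.php") for _, _, p in hits):
            flags.add("wp-login-probe")  # assumption: no WordPress on this site
        report[ip] = {"hits": len(hits),
                      "mean_gap": mean(gaps) if gaps else None,
                      "flags": flags}
    return report, skipped

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE)[0].items():
        print(ip, info)
```

To run it against a real log, pass the file contents to summarize() instead of SAMPLE.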
 


  • 1 month later...

Thanks again guys,

Just a quick update for anybody else who might run into this. Simply filtering out these:

RewriteCond %{REQUEST_URI} !\.(cgi|pl|asp|rar|zip)$ [NC]
RewriteCond %{REQUEST_URI} !wp-.*\.php$ [NC]

...took care of my problems. (No more crashes too)

:)

Cheers!

  • Like 4