不匹配虛擬主機的 DDOS 攻擊

May 29, 2016

我遇到了一種非常奇怪的 DDOS 攻擊，伺服器被請求淹沒，但是問題是，在查看訪問日誌時，我收到了對伺服器上不存在的域和主機的不同請求，這與行：

101.201.47.133 - - [29/May/2016:16:38:11 +0000] "POST http://ifacelog.iqiyi.com/api/vvlog.jsp HTTP/1.1" 200 2 "-" "QIYIVideo/7.4 (iOS;com.qiyi.iphone;iOS8.0.1;iPhone5,4) Corejar"
81.94.192.52 - - [29/May/2016:16:38:11 +0000] "GET http://www.advinapps.com/ads-sync.js?v=1&key=fa7fef2ba4e39c100ef0278e97b68be3&epmads_width=300&epmads_height=250&cIds=&adsCampaignKey=1464568684537&ch=www.economist.com&click=&tz=-13&t=1464568684812&requestUrl=http%3A%2F%2Feconomist.com&flashVer=18.0%20r0&scrWidth=412&scrHeight=659 HTTP/1.1" 200 691 "http://economist.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4"
172.87.28.13 - - [29/May/2016:16:35:12 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 503 299 "-" "-"
123.56.190.144 - - [29/May/2016:16:38:11 +0000] "POST http://ifacelog.iqiyi.com/api/vvlog.jsp HTTP/1.1" 200 2 "-" "QIYIVideo/7.4 (iOS;com.qiyi.iphone;iOS7.0.1;iPhone7,2) Corejar"
172.87.30.22 - - [29/May/2016:16:35:12 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 503 299 "-" "-"
81.94.192.58 - - [29/May/2016:16:38:11 +0000] "GET http://www.advinapps.com/ads-sync.js?v=1&key=fb5958979637170f68a7f021b69561d0&epmads_width=300&epmads_height=250&cIds=&adsCampaignKey=1464568661357&ch=www.fredericknewspost.com&click=&tz=-13&t=1464568690295&requestUrl=http%3A%2F%2Ffredericknewspost.com&flashVer=18.0%20r0&scrWidth=600&scrHeight=960 HTTP/1.1" 200 321 "fredericknewspost.com/article/780.html" "Mozilla/5.0 (Linux; Android 4.2.2; GT-I9505 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36"
81.94.192.50 - - [29/May/2016:16:38:11 +0000] "GET http://www.advinapps.com/impression.gif?b=282343&p=24300&ch=www.therepublic.com&dspPar=32&ap=0.104&cps=&c=11623&l=US&h=04536307c4821d3689234591fc91365a&t=1464539891555&s=f7b3eae7f818b290717990bcd6cdff70&tz=-13.0&sh=567&sw=360 HTTP/1.1" 200 49 "http://therepublic.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X; en-us) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53"
101.201.31.97 - - [29/May/2016:16:38:12 +0000] "GET http://www.xiami.com/count/playrecord?object_id=1776099904&ishq=0&sid=1776099904&object_name=default&t=1464539867265 HTTP/1.1" 401 - "http://img.xiami.net/static/swf/seiya/1.5/player.swf?v=1439737985865" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
144.52.174.222 - - [29/May/2016:16:38:11 +0000] "POST http://www.gifshow.com/rest/n/relation/follow HTTP/1.1" 200 29 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Alexa Toolbar)"
120.26.92.95 - - [29/May/2016:16:38:12 +0000] "CONNECT 112.126.84.66:15010 HTTP/1.1" 400 226 "-" "-"
172.87.30.80 - - [29/May/2016:16:35:12 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 503 299 "-" "-"
13.73.2.228 - - [29/May/2016:16:38:12 +0000] "CONNECT accounts.surfeasy.com:443 HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
101.201.47.133 - - [29/May/2016:16:38:12 +0000] "GET http://count.vrs.sohu.com/count/stat.do?videoId=2775476&tvid=82474211&playlistId=9084357&categoryId=16&catecode=115101;115102;115103;115104;115126&uid=14645398585291624242&plat=flash&os=Windows10&online=0&type=vrs&r=http%3A%2F%2Ftv.sohu.com%2F20151216%2Fn431509915.shtml&t=1464539858450.432&enc=LIO1B3nKHyIq5OHptFUVfuZnfeE%2BK8x7 HTTP/1.1" 200 16 "http://tv.sohu.com/20151216/n431509915.shtml" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
122.224.11.135 - - [29/May/2016:16:38:12 +0000] "" 400 226 "-" "-"
122.224.11.135 - - [29/May/2016:16:38:11 +0000] "GET http://www.128pa.com/ HTTP/1.1" 200 214 "http://www.baidu.com" "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)"
122.224.11.135 - - [29/May/2016:16:38:11 +0000] "GET http://www.128pa.com/ HTTP/1.1" 200 214 "http://www.baidu.com" "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)"
81.94.192.58 - - [29/May/2016:16:38:12 +0000] "GET http://www.advinapps.com/no-impression.gif?p=24307&ch=www.fredericknewspost.com&l=US&h=cf5deb1084738a7e069f3bdc209b2193&t=1464568705404&s=0366da23730645ecda68bb0f08c99c2e&tz=-13.0&sh=960&sw=600 HTTP/1.1" 200 49 "fredericknewspost.com/article/780.html" "Mozilla/5.0 (Linux; Android 4.2.2; GT-I9505 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36"
123.56.199.198 - - [29/May/2016:16:38:11 +0000] "GET http://www.xiami.com/count/playrecord?object_id=1776099904&ishq=0&sid=1776099904&object_name=default&t=1464539866545 HTTP/1.1" 401 - "http://img.xiami.net/static/swf/seiya/1.5/player.swf?v=1439737985865" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
81.94.192.52 - - [29/May/2016:16:38:12 +0000] "GET http://www.advinapps.com/ads-sync.js?v=1&key=fa7fef2ba4e39c100ef0278e97b68be3&epmads_width=300&epmads_height=250&cIds=&adsCampaignKey=1464568694585&ch=www.economist.com&click=&tz=-13&t=1464568694812&requestUrl=http%3A%2F%2Feconomist.com&flashVer=18.0%20r0&scrWidth=412&scrHeight=659 HTTP/1.1" 200 691 "http://economist.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X; en-us) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53"
101.201.31.108 - - [29/May/2016:16:38:12 +0000] "GET http://vstat.v.blog.sohu.com/dostat.do?method=setVideoPlayCount&v=83593920&playlistId=&c=131128&vc=131128&uid=14645398803161561565&plat=flash&os=Windows10&online=0&type=my&o=292591044&r=http%3A%2F%2Fmy.tv.sohu.com%2Fus%2F292591044%2F83593920.shtml&time=1464539880698 HTTP/1.1" 200 6 "http://my.tv.sohu.com/us/292591044/83593920.shtml" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
104.197.247.35 - - [29/May/2016:16:38:12 +0000] "GET http://www.realtimewebsite.com/js/rtws.js HTTP/1.1" 200 348 "http://www.freewebsitereport.org/www.cartoonetwork.com" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/4.0; .NET CLR 5.0.90556.2)"
81.94.192.52 - - [29/May/2016:16:38:13 +0000] "GET http://www.advinapps.com/no-impression.gif?p=24306&ch=www.economist.com&l=US&h=931f6fbc7b9b27deb6633049e4303daf&t=1464568695000&s=0366da23730645ecda68bb0f08c99c2e&tz=-13.0&sh=659&sw=412 HTTP/1.1" 200 49 "http://economist.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X; en-us) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53"
110.252.95.174 - - [29/May/2016:16:38:12 +0000] "POST http://180.186.38.200/rest/photo/like?lat=0&lon=0&ver=4.34&ud=169552143&sys=ANDROID_4.4.4&c=GENERIC&net=WIFI&did=ANDROID_33d055630e75dcf4&mod=iToolsAVM%28iToolsAVM%29&app=0&language=zh-cn&country_code=US HTTP/1.1" 200 37 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
79.20.174.253 - - [29/May/2016:16:38:13 +0000] "GET http://video-edge-8273c0.ord02.hls.ttvnw.net/hls-6dbdec/forsenlol_21576028656_461001026/chunked/index-live.m3u8?token=id=7806820898711542541,bid=21576028656,exp=1464623765,node=video-edge-8273c0-1.ord02.hls.justin.tv,nname=video-edge-8273c0.ord02,fmt=chunked&sig=4c016ff3014314d55ebbf08798cbc18c9d008e77 HTTP/1.1" 200 422 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
104.197.247.35 - - [29/May/2016:16:38:13 +0000] "GET http://www.realtimewebsite.com/tp.tiff?ref=&host=freewebsitereport.org&path=%2Fwww.cartoonetwork.com&href=http%3A%2F%2Fwww.freewebsitereport.org%2Fwww.cartoonetwork.com&width=400&height=300&id=8046424910426 HTTP/1.1" 204 - "http://www.freewebsitereport.org/www.cartoonetwork.com" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/4.0; .NET CLR 5.0.90556.2)"
85.25.242.142 - - [29/May/2016:16:38:13 +0000] "GET http://www.amazon.de/gp/offer-listing/B00BT96PFK/ref=olp_tab_new?ie=UTF8&sr=8-1&condition=new HTTP/1.1" 400 226 "http://www.amazon.de/gp/offer-listing/B00BT96PFK/ref=olp_tab_all" "-"
108.61.123.138 - - [29/May/2016:16:38:13 +0000] "GET http://c2s.startappnetwork.com/c2s/1.3/htmlads?sdkType=10&sdkVersion=1.0.0&partner=103651863&prod=203453235&os=0&placement=&adw=320&adh=50 HTTP/1.1" 200 8398 "com.pubjts.CuteJam" "Mozilla/5.0 (Linux; U; Android 5.0.0; en-us; ASUS_T00F Build/JSS15Q) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"

這是一種已知類型的 DDOS 攻擊嗎，我的 apache 是如何接收來自的請求的POST http://ifacelog.iqiyi.com/api/vvlog.jsp，我的意思是域 iqiyi 不指向我的伺服器。

更新#1

在建議人們將我的伺服器用作開放代理之後，我通過評論禁用了載入所有 apache 代理模組：

# This file configures all the proxy modules:
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so

但是，我的 access_log 文件仍然收到相同的可疑請求，當我禁用所有代理時，這怎麼可能發生。

最好的猜測是您錯誤地配置了您的 apache，它現在充當了一個開放代理（任何人都可以使用您的伺服器作為偽裝自己的代理）。我通過CONNECT方法請求以及許多實際傳遞的請求來猜測這一點。並通過包含完整 URL 的日誌。
所以它不是 DDOS，而是你的伺服器出現在某種開放的代理列表上，想要偽裝自己的人可以隨意使用它。小心，因為如果它被濫用於犯罪活動，你可能會被追究責任。

引用自：https://serverfault.com/questions/779708

不匹配虛擬主機的 DDOS 攻擊

更新#1

相關問答

在 5000 個域上批量執行“dig domain mx”是否可以視為對網路的攻擊？

DDOS AWS API 網關保護

根名稱伺服器如何處理所有 DNS 請求？

PHP 超過最大執行時間 - 攻擊跡象？

如何從偵察工具中隱藏源伺服器 IP 地址

如何保護 SSH？