Ddos
不匹配虛擬主機的 DDOS 攻擊
我遇到了一種非常奇怪的 DDOS 攻擊,伺服器被請求淹沒,但是問題是,在查看訪問日誌時,我收到了對伺服器上不存在的域和主機的不同請求,這與行:
101.201.47.133 - - [29/May/2016:16:38:11 +0000] "POST http://ifacelog.iqiyi.com/api/vvlog.jsp HTTP/1.1" 200 2 "-" "QIYIVideo/7.4 (iOS;com.qiyi.iphone;iOS8.0.1;iPhone5,4) Corejar" 81.94.192.52 - - [29/May/2016:16:38:11 +0000] "GET http://www.advinapps.com/ads-sync.js?v=1&key=fa7fef2ba4e39c100ef0278e97b68be3&epmads_width=300&epmads_height=250&cIds=&adsCampaignKey=1464568684537&ch=www.economist.com&click=&tz=-13&t=1464568684812&requestUrl=http%3A%2F%2Feconomist.com&flashVer=18.0%20r0&scrWidth=412&scrHeight=659 HTTP/1.1" 200 691 "http://economist.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4" 172.87.28.13 - - [29/May/2016:16:35:12 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 503 299 "-" "-" 123.56.190.144 - - [29/May/2016:16:38:11 +0000] "POST http://ifacelog.iqiyi.com/api/vvlog.jsp HTTP/1.1" 200 2 "-" "QIYIVideo/7.4 (iOS;com.qiyi.iphone;iOS7.0.1;iPhone7,2) Corejar" 172.87.30.22 - - [29/May/2016:16:35:12 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 503 299 "-" "-" 81.94.192.58 - - [29/May/2016:16:38:11 +0000] "GET http://www.advinapps.com/ads-sync.js?v=1&key=fb5958979637170f68a7f021b69561d0&epmads_width=300&epmads_height=250&cIds=&adsCampaignKey=1464568661357&ch=www.fredericknewspost.com&click=&tz=-13&t=1464568690295&requestUrl=http%3A%2F%2Ffredericknewspost.com&flashVer=18.0%20r0&scrWidth=600&scrHeight=960 HTTP/1.1" 200 321 "fredericknewspost.com/article/780.html" "Mozilla/5.0 (Linux; Android 4.2.2; GT-I9505 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36" 81.94.192.50 - - [29/May/2016:16:38:11 +0000] "GET http://www.advinapps.com/impression.gif?b=282343&p=24300&ch=www.therepublic.com&dspPar=32&ap=0.104&cps=&c=11623&l=US&h=04536307c4821d3689234591fc91365a&t=1464539891555&s=f7b3eae7f818b290717990bcd6cdff70&tz=-13.0&sh=567&sw=360 HTTP/1.1" 200 49 "http://therepublic.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X; en-us) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53" 101.201.31.97 - - [29/May/2016:16:38:12 +0000] "GET http://www.xiami.com/count/playrecord?object_id=1776099904&ishq=0&sid=1776099904&object_name=default&t=1464539867265 HTTP/1.1" 401 - "http://img.xiami.net/static/swf/seiya/1.5/player.swf?v=1439737985865" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 144.52.174.222 - - [29/May/2016:16:38:11 +0000] "POST http://www.gifshow.com/rest/n/relation/follow HTTP/1.1" 200 29 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Alexa Toolbar)" 120.26.92.95 - - [29/May/2016:16:38:12 +0000] "CONNECT 112.126.84.66:15010 HTTP/1.1" 400 226 "-" "-" 172.87.30.80 - - [29/May/2016:16:35:12 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 503 299 "-" "-" 13.73.2.228 - - [29/May/2016:16:38:12 +0000] "CONNECT accounts.surfeasy.com:443 HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" 101.201.47.133 - - [29/May/2016:16:38:12 +0000] "GET http://count.vrs.sohu.com/count/stat.do?videoId=2775476&tvid=82474211&playlistId=9084357&categoryId=16&catecode=115101;115102;115103;115104;115126&uid=14645398585291624242&plat=flash&os=Windows10&online=0&type=vrs&r=http%3A%2F%2Ftv.sohu.com%2F20151216%2Fn431509915.shtml&t=1464539858450.432&enc=LIO1B3nKHyIq5OHptFUVfuZnfeE%2BK8x7 HTTP/1.1" 200 16 "http://tv.sohu.com/20151216/n431509915.shtml" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" 122.224.11.135 - - [29/May/2016:16:38:12 +0000] "" 400 226 "-" "-" 122.224.11.135 - - [29/May/2016:16:38:11 +0000] "GET http://www.128pa.com/ HTTP/1.1" 200 214 "http://www.baidu.com" "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)" 122.224.11.135 - - [29/May/2016:16:38:11 +0000] "GET http://www.128pa.com/ HTTP/1.1" 200 214 "http://www.baidu.com" "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)" 81.94.192.58 - - [29/May/2016:16:38:12 +0000] "GET http://www.advinapps.com/no-impression.gif?p=24307&ch=www.fredericknewspost.com&l=US&h=cf5deb1084738a7e069f3bdc209b2193&t=1464568705404&s=0366da23730645ecda68bb0f08c99c2e&tz=-13.0&sh=960&sw=600 HTTP/1.1" 200 49 "fredericknewspost.com/article/780.html" "Mozilla/5.0 (Linux; Android 4.2.2; GT-I9505 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36" 123.56.199.198 - - [29/May/2016:16:38:11 +0000] "GET http://www.xiami.com/count/playrecord?object_id=1776099904&ishq=0&sid=1776099904&object_name=default&t=1464539866545 HTTP/1.1" 401 - "http://img.xiami.net/static/swf/seiya/1.5/player.swf?v=1439737985865" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" 81.94.192.52 - - [29/May/2016:16:38:12 +0000] "GET http://www.advinapps.com/ads-sync.js?v=1&key=fa7fef2ba4e39c100ef0278e97b68be3&epmads_width=300&epmads_height=250&cIds=&adsCampaignKey=1464568694585&ch=www.economist.com&click=&tz=-13&t=1464568694812&requestUrl=http%3A%2F%2Feconomist.com&flashVer=18.0%20r0&scrWidth=412&scrHeight=659 HTTP/1.1" 200 691 "http://economist.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X; en-us) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53" 101.201.31.108 - - [29/May/2016:16:38:12 +0000] "GET http://vstat.v.blog.sohu.com/dostat.do?method=setVideoPlayCount&v=83593920&playlistId=&c=131128&vc=131128&uid=14645398803161561565&plat=flash&os=Windows10&online=0&type=my&o=292591044&r=http%3A%2F%2Fmy.tv.sohu.com%2Fus%2F292591044%2F83593920.shtml&time=1464539880698 HTTP/1.1" 200 6 "http://my.tv.sohu.com/us/292591044/83593920.shtml" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" 104.197.247.35 - - [29/May/2016:16:38:12 +0000] "GET http://www.realtimewebsite.com/js/rtws.js HTTP/1.1" 200 348 "http://www.freewebsitereport.org/www.cartoonetwork.com" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/4.0; .NET CLR 5.0.90556.2)" 81.94.192.52 - - [29/May/2016:16:38:13 +0000] "GET http://www.advinapps.com/no-impression.gif?p=24306&ch=www.economist.com&l=US&h=931f6fbc7b9b27deb6633049e4303daf&t=1464568695000&s=0366da23730645ecda68bb0f08c99c2e&tz=-13.0&sh=659&sw=412 HTTP/1.1" 200 49 "http://economist.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X; en-us) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53" 110.252.95.174 - - [29/May/2016:16:38:12 +0000] "POST http://180.186.38.200/rest/photo/like?lat=0&lon=0&ver=4.34&ud=169552143&sys=ANDROID_4.4.4&c=GENERIC&net=WIFI&did=ANDROID_33d055630e75dcf4&mod=iToolsAVM%28iToolsAVM%29&app=0&language=zh-cn&country_code=US HTTP/1.1" 200 37 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" 79.20.174.253 - - [29/May/2016:16:38:13 +0000] "GET http://video-edge-8273c0.ord02.hls.ttvnw.net/hls-6dbdec/forsenlol_21576028656_461001026/chunked/index-live.m3u8?token=id=7806820898711542541,bid=21576028656,exp=1464623765,node=video-edge-8273c0-1.ord02.hls.justin.tv,nname=video-edge-8273c0.ord02,fmt=chunked&sig=4c016ff3014314d55ebbf08798cbc18c9d008e77 HTTP/1.1" 200 422 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0" 104.197.247.35 - - [29/May/2016:16:38:13 +0000] "GET http://www.realtimewebsite.com/tp.tiff?ref=&host=freewebsitereport.org&path=%2Fwww.cartoonetwork.com&href=http%3A%2F%2Fwww.freewebsitereport.org%2Fwww.cartoonetwork.com&width=400&height=300&id=8046424910426 HTTP/1.1" 204 - "http://www.freewebsitereport.org/www.cartoonetwork.com" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/4.0; .NET CLR 5.0.90556.2)" 85.25.242.142 - - [29/May/2016:16:38:13 +0000] "GET http://www.amazon.de/gp/offer-listing/B00BT96PFK/ref=olp_tab_new?ie=UTF8&sr=8-1&condition=new HTTP/1.1" 400 226 "http://www.amazon.de/gp/offer-listing/B00BT96PFK/ref=olp_tab_all" "-" 108.61.123.138 - - [29/May/2016:16:38:13 +0000] "GET http://c2s.startappnetwork.com/c2s/1.3/htmlads?sdkType=10&sdkVersion=1.0.0&partner=103651863&prod=203453235&os=0&placement=&adw=320&adh=50 HTTP/1.1" 200 8398 "com.pubjts.CuteJam" "Mozilla/5.0 (Linux; U; Android 5.0.0; en-us; ASUS_T00F Build/JSS15Q) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
這是一種已知類型的 DDOS 攻擊嗎,我的 apache 是如何接收來自的請求的
POST http://ifacelog.iqiyi.com/api/vvlog.jsp
,我的意思是域 iqiyi 不指向我的伺服器。更新#1
在建議人們將我的伺服器用作開放代理之後,我通過評論禁用了載入所有 apache 代理模組:
# This file configures all the proxy modules: #LoadModule proxy_module modules/mod_proxy.so #LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so #LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so #LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so #LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so #LoadModule proxy_connect_module modules/mod_proxy_connect.so #LoadModule proxy_express_module modules/mod_proxy_express.so #LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so #LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so #LoadModule proxy_http_module modules/mod_proxy_http.so #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
但是,我的 access_log 文件仍然收到相同的可疑請求,當我禁用所有代理時,這怎麼可能發生。
最好的猜測是您錯誤地配置了您的 apache,它現在充當了一個開放代理(任何人都可以使用您的伺服器作為偽裝自己的代理)。我通過
CONNECT
方法請求以及許多實際傳遞的請求來猜測這一點。並通過包含完整 URL 的日誌。所以它不是 DDOS,而是你的伺服器出現在某種開放的代理列表上,想要偽裝自己的人可以隨意使用它。小心,因為如果它被濫用於犯罪活動,你可能會被追究責任。