在我的網路伺服器上獲得了很多點擊,它正在關閉我的 httpd。可能的 DDoS?
我在我的伺服器上獲得了很多點擊。這台伺服器通常幾乎沒有流量,但每次我恢復伺服器時都會有持續的點擊。我首先收到以下錯誤,
ip_conntrack: table full, dropping packet
然後遲早我的 httpd 記憶體不足,我的伺服器變得無響應。關於如何解決它的任何想法?我的 access_log 的最新負責人。我把http改成hxxp
122.193.164.5 - - [27/Mar/2011:23:48:35 -0700] "GET hxxp://pubs.acs.org/templates/jsp/_style2/_achs/css/atypon-main.css HTTP/1.0" 200 174299 "hxxp://pubs.acs.org/doi/abs/10.1021/ac100095u" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
218.29.188.217 - - [27/Mar/2011:23:48:38 -0700] "GET hxxp://rotator.adjuggler.com/servlet/ajrotator/913831/0/vh?ajecscp=1301294917498&z=pdn&dim=753179&kw=&click=<http://ad.yieldads.com/clk?2,13%3B5900475f5cba1a74%3B12efb38a54b,0%3B%3B%3B1304299909,cl1GAPp3GABp04QAAAAAAEfOIQAAAAAAAgAAAAIAAAAAAP8AAAABGF1nJgAAAAAAJ6sXAAAAAAD1YSwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAn.A8AAAAAAAIAAwAAAAAAS6U4-y4BAAAAAAAAADY2ZjM3ZGE0LTU5MDctMTFlMC04MzUwLTAwMzA0OGQ3MjBhOABmlSoAAAA=,,http%3A%2F%2Fwww.healthcarefinancenews.com%2F>, HTTP/1.0" 200 1181 "<http://ad.yieldmanager.com/iframe3?cl1GAPp3GABp04QAAAAAAEfOIQAAAAAAAgAAAAIAAAAAAP8AAAABGF1nJgAAAAAAJ6sXAAAAAAD1YSwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAn.A8AAAAAAAIAAwAAAAAAwMqhRbbzxT.AyqFFtvPFP1yPwvUoXM8.XI.C9Shczz9mZmZmZmbWP2ZmZmZmZtY.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbr8TXwhPZCb-NEWYczMEV.VtRMDgbQFgGd6CwAAAAAA==,,http%3A%2F%2Fwww.healthcarefinancenews.com%2F,Z%3D300x250%26s%3D1603578%26_salt%3D954499605%26B%3D12%26m%3D2%26u%3Dhttp%253A%252F%252Fwww.healthcarefinancenews.com%252F%26r%3D1,66f37da4-5907-11e0-8350-003048d720a8>" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"
117.41.182.55 - - [27/Mar/2011:23:48:38 -0700] "GET hxxp://www5.tellgames.com/media/games/images/tellgames/120x90/02470dca7676598b9381e4c5dc2eef05.jpg HTTP/1.0" 200 4883 "<http://us.tellgames.com/index.php?category=17&sortby=play&referer=ad2games>" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
117.41.186.191 - - [27/Mar/2011:23:48:37 -0700] "GET hxxp://s0.2mdn.net/1361550/K2147_NBRD_FYEA_728.jpg HTTP/1.0" 200 41371 "hxxp://ad.doubleclick.net/adi/N3340.161249.ADNETIK.COM/B5252096.3;sz=728x90;click=<http://ad.z5x.net/clk?2,13%3B6b9391cec2a21533%3B12efb389ce8,0%3B%3B%3B2955295377,s5mFAKglGQBtfoAAAAAAAJJyIQAAAAAAAgAAAAYAAAAAAP8AAAABGB5.JwAAAAAAd0IfAAAAAABy8CsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABdhBAAAAAAAAIAAwAAAAAA6Jw4-y4BAAAAAAAAADY1YTAxMzY4LTU5MDctMTFlMC1iMTJmLTAwMzA0OGQ3NTRlMABwpioAAAA=,,http%3A%2F%2Fwww.providesearch.com%2F,;pc=[TPAS_ID];ord=[timestamp]>" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9"
173.252.208.155 - - [27/Mar/2011:23:48:38 -0700] "GET hxxp://ads.smowtion.com/st?ad_size=160x600§ion=1739112 HTTP/1.0" 200 1336 "hxxp://www.consumerhealthdigest.info/category/health-information" "Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.4) Gecko/20030701"
61.139.105.162 - - [27/Mar/2011:23:48:38 -0700] "GET hxxp://therugged.com/wp-content/uploads/2011/01/Steph61-80x53.jpg HTTP/1.0" 200 2980 "hxxp://www.therugged.com/category/lifestyle#player" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1"
這些域是您託管的嗎?我懷疑不是。
最近我發現在我的機器上掃描開放式 http 代理有很大的增加——看起來你可能會執行一個開放式 http 代理(這和執行一個開放式郵件中繼一樣糟糕——甚至更糟,因為大多數人現在都實現 carious RBL 和 SPF 等緩解措施)。
禁用代理/添加身份驗證/限製到您的 LAN 地址。
OTOH,如果您真的是所有這些域的網站管理員,那麼請查看 mod_evasive 和 mod_security。
從時間戳上看,它的命中率似乎不是很高,但從 IP 上看,它似乎來自世界各地。大多數網路伺服器應該能夠每秒處理幾次點擊。但是,您可以嘗試一些方法來緩解您的問題。
- 如果其中一些連接通過保持打開的連接來阻塞連接,則可以減少每個連接的保持活動超時。
- 通過減少偵聽程序和執行緒的最大數量來檢查您的 httpd 是否沒有消耗太多記憶體。
- 將您的網路伺服器停放在像清漆/磅這樣的反向代理後面,並在邊緣過濾目標連接,立即丟棄無效連接。
- 增強您的伺服器以能夠處理更多的連接。定期使用siege或apache bench進行測試,以確保您可以處理合理的負載。