Hi there,
since last week we´ve got a little problem with our Webserverfarm.
We get some strange Request from some Dial-Up Accounts from Europe
(T-Online; Telefonica; Orange...):
Sep 21 22:47:35 logger: [Sun Sep 21 22:47:35 2008] [error] [client
87.183.65.xx] Invalid URI in request GET 347905 HTTP/1.0 Sep 21 22:47:35
logger: [Sun Sep 21 22:47:35 2008] [error] [client 87.183.65.xx] Invalid
URI in request GET 341922 HTTP/1.0
This strange Request (GET 347905 HTTP/1.0 ) pass our Firewall (because
it´s normal HTTP), goes to our Load balancer and then to our Webserver.
Only 1 Client make about 80-100 strange Request per Minute and we get a
peak on our Webserverfarm and finally after 5 Minutes the Webserver(s)
get out of memory:
Out of Memory: Kill process 12082 (apache) score 199722 and children.
Out of memory: Killed process 19435 (apache).
If we get a "DDOS" we make a tcpdump and count the IPs (maximum 8 Dial Up
Accounts) to block them on our Firewall.
I don´t find any about this strange request on Google or some security
boards.
Is this a new kind of DDOS or just kiddy stuff? If someone have some more
information about this strange Request/DDOS it would be very nice if he
can send this to me.
Kind Regards
--
Andre Braun, IT Manager
Turtle Entertainment GmbH