someone connecting over and over with different IP each time

Posted by Premier, 01-21-2010, 06:48 PM
Someone is flooding my log file with entries like this:

It's always 4 entries exactly the same within 1 second, then anywhere from 5 to 30 minutes later 4 more entries. The IP is different for every group of 4, but is always from China. It's been going for 2 days now. I can't block the IPs or even ranges because he's already used IPs from about 200 different ranges.

I think he's trying to download the video repeatedly, but from my error log I can see that for some reason at his end the URL is terminating at the space, so he's only trying to get a file called Ryan. (from error_log)

I stopped the 404 errors by creating a blank file called Ryan. Here is the domlog result after that change:

So I stopped the 404, which cuts log entries in half, but he's still going. Is there some way I can crash his "browser" to stop this? Has anyone else experienced this? Does anyone have any idea what this is all about? Is there a website or page to redirect him to where they can do something about it?

Posted by madaboutlinux, 01-22-2010, 06:51 AM
Pretty difficult to block such requests as they are coming from different subnets and "GET /uploads/5321/Ryan Bradley" is the valid string they are trying to retrieve. Had they been trying an invalid, i.e. a non-existent, string, we could have easily blocked it using iptables. You can also block all Chinese subnets if they are really causing problems and if you are not drawing any real business from there. BTW, this is the last option if you really want to get rid of those requests coming from China.

Posted by bvsonline, 01-22-2010, 12:58 PM
You can try installing mod_evasive for Apache. mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack.

Posted by shawn_linux, 01-22-2010, 03:20 PM
Install mod_security; it is for Apache itself. Also make sure your CSF has strong rules to avoid such issues.

Posted by khunj, 01-22-2010, 04:57 PM
You can block the "Ryan" request, probably with a simple regex ( ^/uploads/5321/Ryan$ ) using .htaccess or mod_security. This problem comes from a bot/script, not a browser. A browser would use URL encoding instead of a plain space.

A browser request: GET /uploads/5321/Ryan%20Bradley%20 ...

A (stupid) bot request: GET /uploads/5321/Ryan Bradley ...

The second one will always fail (404 error).

Posted by Premier, 01-22-2010, 06:23 PM
Thanks everyone. I've changed to using htaccess, but that still lets the bot keep attempting. I did more log file searching and it looks like he's trying different videos, and downloading a video several times in a few seconds. Did that a few times with a couple of different videos. They must be working from a data center to have speeds like that. I'm looking into mod_security and mod_evasive now. I'm also thinking it might be time to change how the website works and make it require signing up to upload or download, then I could just monitor the activity by user and block access to a user if needed. Anyone have any idea how this guy is using hundreds of different IPs from different IP blocks from China? Can proxy servers actually use hundreds of different IP blocks?
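The two observations in this thread that a defender can actually key on are khunj's point that a real browser percent-encodes the space while the bot sends it raw, and the OP's pattern of exactly four identical hits within a second from a fresh address each time. The script below is an added example, not code posted by anyone in the thread: it parses Apache combined-format lines, flags request lines that carried an unencoded space, finds same-IP bursts of four or more identical requests inside a one-second window, collapses the bursting sources to /24 networks so the "how many ranges" question gets a number, and counts how many entries khunj's `^/uploads/5321/Ryan$` rule would have matched. The log lines, addresses (RFC 5737 documentation ranges) and user-agent string are all constructed for the example; nothing in it is data from the original posts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_interface

# Constructed Apache combined-log lines standing in for the thread's domlog.
# Addresses are RFC 5737 documentation ranges and the user agent is invented;
# none of this is data from the original thread.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jan/2010:18:48:01 +0000] "GET /uploads/5321/Ryan Bradley HTTP/1.1" 404 214 "-" "constructed-downloader/1.0"
192.0.2.10 - - [21/Jan/2010:18:48:01 +0000] "GET /uploads/5321/Ryan Bradley HTTP/1.1" 404 214 "-" "constructed-downloader/1.0"
192.0.2.10 - - [21/Jan/2010:18:48:01 +0000] "GET /uploads/5321/Ryan Bradley HTTP/1.1" 404 214 "-" "constructed-downloader/1.0"
192.0.2.10 - - [21/Jan/2010:18:48:02 +0000] "GET /uploads/5321/Ryan Bradley HTTP/1.1" 404 214 "-" "constructed-downloader/1.0"
198.51.100.7 - - [21/Jan/2010:19:02:15 +0000] "GET /uploads/5321/Ryan Bradley HTTP/1.1" 200 0 "-" "constructed-downloader/1.0"
198.51.100.7 - - [21/Jan/2010:19:02:15 +0000] "GET /uploads/5321/Ryan Bradley HTTP/1.1" 200 0 "-" "constructed-downloader/1.0"
198.51.100.7 - - [21/Jan/2010:19:02:15 +0000] "GET /uploads/5321/Ryan Bradley HTTP/1.1" 200 0 "-" "constructed-downloader/1.0"
198.51.100.7 - - [21/Jan/2010:19:02:15 +0000] "GET /uploads/5321/Ryan Bradley HTTP/1.1" 200 0 "-" "constructed-downloader/1.0"
203.0.113.44 - - [21/Jan/2010:19:30:40 +0000] "GET /uploads/5321/Ryan%20Bradley%20.mp4 HTTP/1.1" 200 5242880 "http://www.example.com/videos" "Mozilla/5.0 (constructed browser)"
192.0.2.99 - - [21/Jan/2010:19:31:05 +0000] "GET /uploads/5321/Ryan Bradley HTTP/1.1" 404 214 "-" "constructed-downloader/1.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# khunj's suggested rule, applied here as a Python regex to the path the server saw.
BLOCK_RE = re.compile(r"^/uploads/5321/Ryan$")


def request_target(request_line):
    """Return (target as the server used it, True if the line had an unencoded space).

    A well-formed request line is exactly three tokens: method, target, protocol.
    A literal space in the target adds tokens; the server keeps only the first
    token after the method, which is how "Ryan Bradley" turned into "Ryan".
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return "", False
    return parts[1], len(parts) > 3


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target, raw_space = request_target(m["req"])
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "target": target,
            "raw_space": raw_space,
            "status": int(m["status"]),
        })
    return entries


def find_bursts(entries, min_hits=4, window=timedelta(seconds=1)):
    """Runs of at least min_hits identical (ip, target) requests inside one window."""
    stamps_by_key = defaultdict(list)
    for e in entries:
        stamps_by_key[(e["ip"], e["target"])].append(e["ts"])
    bursts = []
    for (ip, target), stamps in stamps_by_key.items():
        stamps.sort()
        i = 0
        while i < len(stamps):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= min_hits:
                bursts.append({"ip": ip, "target": target,
                               "hits": j - i + 1, "first": stamps[i]})
            i = j + 1  # advance past the run whether or not it qualified
    return bursts


def distinct_subnets(ips, prefix=24):
    """Collapse source addresses to /prefix networks (the OP counted ~200 ranges by hand)."""
    return {str(ip_interface(f"{ip}/{prefix}").network) for ip in ips}


def analyze(log_text, min_hits=4, window_seconds=1):
    entries = parse_log(log_text)
    bursts = find_bursts(entries, min_hits, timedelta(seconds=window_seconds))
    return {
        "entries": len(entries),
        "raw_space_requests": sum(1 for e in entries if e["raw_space"]),
        "bursts": bursts,
        "burst_subnets": sorted(distinct_subnets(b["ip"] for b in bursts)),
        "blockable_by_rule": sum(1 for e in entries if BLOCK_RE.match(e["target"])),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for b in report["bursts"]:
        print(f"{b['first']:%H:%M:%S} {b['ip']:<14} {b['hits']} hits on {b['target']}")
    print(f"{report['raw_space_requests']} raw-space requests, "
          f"{report['blockable_by_rule']} matched by the block rule, "
          f"{len(report['burst_subnets'])} distinct /24s bursting")
```

Run it against a real domlog by passing the file contents to `analyze()`; the single raw-space hit from 192.0.2.99 is deliberately left out of the burst list so the one-second threshold is visible, and the browser-style `%20` request from 203.0.113.44 is neither flagged nor matched by the block rule, which is the distinction khunj draws. The subnet count is the figure to compare against the OP's "about 200 ranges" before deciding whether per-range firewall blocks are worth maintaining or whether a rule on the malformed request itself (mod_security, .htaccess) is the cheaper control.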

Posted by limilaw, 04-27-2014, 01:42 AM
This UA string belongs to Thunder Downloader (aka Xunlei, http://en.wikipedia.org/wiki/Xunlei), a Chinese download manager. One of the numerous nasty things it does is that it provides direct download links to resources. For example, Anna visits your page and downloads justin-bieber-baby.mp4 with Xunlei. Xunlei saves the file URL and hash value on its server. Next day, Betty downloads B~A~B~Y.mp4 from another site using Xunlei; Xunlei also saves the file URL and hash value. Now Xunlei knows these two files are identical. On the third day, when Cathy downloads B~A~B~Y.mp4 from that site, Xunlei also downloads part of the file from your site (using your site as an accelerator). That means Cathy doesn't visit your website, yet you'll have to provide bandwidth for her. Imagine a popular file (~100MB) which millions of people (*1) want to download. It could cost you ~100GB bandwidth but bring you only one visitor. *1: Xunlei has ~400 million users by 2012. BTW, Xunlei is planning for an IPO on NASDAQ. http://www.nasdaq.com/markets/ipos/c...d-857196-67361
