Is this some kind of DoS attack?

Albert Wiersch
Registered User
Posts: 145
Joined: Sat Dec 11, 2004 6:00 pm
Location: Dallas, TX
Name: Albert Wiersch

Is this some kind of DoS attack?

Post by Albert Wiersch » Sat Jun 29, 2019 12:39 am

I've been getting many requests on phpBB from various IP addresses that have spiked my CPU and made my entire website slow to respond.

The requests seem to all have an "sid" in them (and the same "sid" even though they are from various IPs)... and many of them claim they are from an old version of Firefox, like version 24.0 or 33.

My server admin was able to use fail2ban to block a lot of these requests and that seems to be helping a lot.

I was wondering if anyone knew what is going on with them... and if anyone can confirm they are indeed an attack. I don't see how they could be legit.

Below is an example of the kind of requests I'm talking about.

Code: Select all

107.174.38.203 - - [24/Jun/2019:17:09:44 -0500] "GET /CSEForum/viewforum.php?f=2&sid=7513fa63c93d81e79e04fca0738f0f94&start=50 HTTP/1.1" 200 118001 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.175.110.106 - - [24/Jun/2019:17:09:46 -0500] "GET /CSEForum/viewforum.php?f=2&sid=7513fa63c93d81e79e04fca0738f0f94&start=300 HTTP/1.1" 200 68706 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
104.144.203.118 - - [24/Jun/2019:17:09:46 -0500] "GET /CSEForum/viewforum.php?f=2&sid=7513fa63c93d81e79e04fca0738f0f94&start=200 HTTP/1.1" 200 117085 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.174.252.60 - - [24/Jun/2019:17:09:46 -0500] "GET /CSEForum/viewforum.php?f=2&sid=7513fa63c93d81e79e04fca0738f0f94&start=150 HTTP/1.1" 200 118503 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.172.95.104 - - [24/Jun/2019:17:09:48 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=2&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 12106 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
138.128.50.93 - - [24/Jun/2019:17:09:48 -0500] "GET /CSEForum/viewtopic.php?f=6&t=2967&p=11921&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 22101 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
104.168.100.183 - - [24/Jun/2019:17:09:48 -0500] "GET /CSEForum/viewtopic.php?f=6&t=2967&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 22101 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
198.144.180.154 - - [24/Jun/2019:17:09:51 -0500] "GET /CSEForum/viewforum.php?f=6&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 117172 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.173.182.251 - - [24/Jun/2019:17:09:51 -0500] "GET /CSEForum/viewtopic.php?f=2&t=888&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 57744 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.173.202.146 - - [24/Jun/2019:17:09:53 -0500] "GET /CSEForum/viewtopic.php?f=2&t=904&p=4098&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 25141 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
23.229.63.219 - - [24/Jun/2019:17:09:53 -0500] "GET /CSEForum/viewtopic.php?f=2&t=888&p=4100&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 57744 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.175.110.106 - - [24/Jun/2019:17:09:53 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=1280&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 12109 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.174.38.211 - - [24/Jun/2019:17:09:54 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=1256&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 12109 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
104.144.227.65 - - [24/Jun/2019:17:09:56 -0500] "GET /CSEForum/viewtopic.php?f=2&t=904&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 25141 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
198.46.199.119 - - [24/Jun/2019:17:09:56 -0500] "GET /CSEForum/viewtopic.php?f=2&t=894&p=4065&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 39175 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
198.144.180.154 - - [24/Jun/2019:17:09:56 -0500] "GET /CSEForum/viewtopic.php?f=2&t=894&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 39175 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
23.229.63.219 - - [24/Jun/2019:17:09:57 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=1260&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 11052 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
104.144.145.158 - - [24/Jun/2019:17:09:56 -0500] "GET /CSEForum/viewtopic.php?f=2&t=903&p=4097&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 25393 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.174.38.203 - - [24/Jun/2019:17:09:57 -0500] "GET /CSEForum/viewtopic.php?f=2&t=903&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 25393 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
104.168.100.183 - - [24/Jun/2019:17:09:58 -0500] "GET /CSEForum/viewtopic.php?f=2&t=892&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 26146 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
104.144.203.118 - - [24/Jun/2019:17:09:59 -0500] "GET /CSEForum/viewtopic.php?f=2&t=892&p=4060&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 26146 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
23.229.63.219 - - [24/Jun/2019:17:10:02 -0500] "GET /CSEForum/viewtopic.php?f=2&t=802&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 73970 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
198.46.199.119 - - [24/Jun/2019:17:10:02 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=638&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 12108 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.174.252.60 - - [24/Jun/2019:17:10:02 -0500] "GET /CSEForum/viewtopic.php?f=2&t=887&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 28016 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
104.144.145.158 - - [24/Jun/2019:17:10:02 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=1259&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 12109 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
198.144.180.154 - - [24/Jun/2019:17:10:03 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=196&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 12108 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.175.110.106 - - [24/Jun/2019:17:10:02 -0500] "GET /CSEForum/viewtopic.php?f=2&t=887&p=4037&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 28016 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.173.182.251 - - [24/Jun/2019:17:10:07 -0500] "GET /CSEForum/viewtopic.php?f=2&t=807&p=4003&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 30548 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.174.38.203 - - [24/Jun/2019:17:10:07 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=765&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 12108 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.174.38.211 - - [24/Jun/2019:17:10:08 -0500] "GET /CSEForum/viewtopic.php?f=2&t=807&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 30548 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
198.46.236.181 - - [24/Jun/2019:17:10:09 -0500] "GET /CSEForum/viewtopic.php?f=2&t=802&p=4031&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 38663 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
198.46.199.119 - - [24/Jun/2019:17:10:10 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=1236&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 12109 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.172.95.104 - - [24/Jun/2019:17:10:10 -0500] "GET /CSEForum/viewtopic.php?f=2&t=802&sid=7513fa63c93d81e79e04fca0738f0f94&start=15 HTTP/1.1" 200 38663 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
192.210.167.234 - - [24/Jun/2019:17:10:12 -0500] "GET /CSEForum/viewtopic.php?f=2&t=863&p=4000&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 25316 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
138.128.50.93 - - [24/Jun/2019:17:11:09 -0500] "GET /CSEForum/viewtopic.php?f=2&t=877&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 31901 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
198.46.199.119 - - [24/Jun/2019:17:11:09 -0500] "GET /CSEForum/viewtopic.php?f=2&t=877&p=3994&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 31901 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
23.229.63.219 - - [24/Jun/2019:17:11:13 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=1246&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 12109 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
198.20.174.84 - - [24/Jun/2019:17:11:13 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=1238&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 12109 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
104.144.145.158 - - [24/Jun/2019:17:11:13 -0500] "GET /CSEForum/viewtopic.php?f=2&t=865&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 64524 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.174.38.203 - - [24/Jun/2019:17:11:13 -0500] "GET /CSEForum/viewtopic.php?f=2&t=865&p=3992&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 64524 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
198.46.199.119 - - [24/Jun/2019:17:11:13 -0500] "GET /CSEForum/viewtopic.php?f=2&t=868&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 29979 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
104.144.227.65 - - [24/Jun/2019:17:11:15 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=1239&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 12109 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.175.110.106 - - [24/Jun/2019:17:11:15 -0500] "GET /CSEForum/viewtopic.php?f=2&t=868&p=3988&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 29979 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.174.252.60 - - [24/Jun/2019:17:11:15 -0500] "GET /CSEForum/viewtopic.php?f=2&t=873&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 25827 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
104.144.145.158 - - [24/Jun/2019:17:11:18 -0500] "GET /CSEForum/viewtopic.php?f=2&t=873&p=3987&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 25827 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.174.38.211 - - [24/Jun/2019:17:11:18 -0500] "GET /CSEForum/viewtopic.php?f=2&t=876&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 25660 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
107.174.252.60 - - [24/Jun/2019:17:11:20 -0500] "GET /CSEForum/viewtopic.php?f=2&t=876&p=3986&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 25660 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
192.210.167.234 - - [24/Jun/2019:17:11:21 -0500] "GET /CSEForum/memberlist.php?mode=viewprofile&u=1248&sid=7513fa63c93d81e79e04fca0738f0f94 HTTP/1.1" 200 12109 "https://www.htmlvalidator.com/CSEForum/viewforum.php?f=2&start=100" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"

</Solidjeuh>
Registered User
Posts: 1602
Joined: Tue Mar 29, 2016 3:45 am
Location: Aalst (Belgium)
Name: Andy Dm

Re: Is this some kind of DoS attack?

Post by </Solidjeuh> » Sat Jun 29, 2019 12:44 am

Do you have some kind of "htmlvalidator" that auto checked your files?
Seems to come from htmlvalidator.com
Register a free account & Play!!
~~~ https://www.solidjeuh.be ~~~
Have a secret? --> https://www.tellyoursecrets.eu


Re: Is this some kind of DoS attack?

Post by Albert Wiersch » Sat Jun 29, 2019 12:51 am

</Solidjeuh> wrote:
Sat Jun 29, 2019 12:44 am
Do you have some kind of "htmlvalidator" that auto checked your files?
Seems to come from htmlvalidator.com
My website is htmlvalidator.com but I am not running any site checker that is causing those requests.... and if it was some type of site checker, why are the requests from so many different IPs with the same "sid"? Doesn't make sense to me.


Re: Is this some kind of DoS attack?

Post by </Solidjeuh> » Sat Jun 29, 2019 12:55 am

Oh sorry.. it's late here :lol:
It could be a "bad bot", do you see those IPs in viewonline.php?
If it's a bot, you can block it via htaccess


Re: Is this some kind of DoS attack?

Post by Albert Wiersch » Sat Jun 29, 2019 1:00 am

</Solidjeuh> wrote:
Sat Jun 29, 2019 12:55 am
Oh sorry.. it's late here :lol:
It could be a "bad bot", do you see those IPs in viewonline.php?
If it's a bot, you can block it via htaccess
No problem.

I should have checked viewonline.php but it didn't occur to me since I never use that feature.

If it's a bot, then shouldn't it say so in the log entry (in the user agent string)? Unless it's malicious of course.

Fortunately the fail2ban program/solution seems to be automatically blocking a lot of IPs that are making similar requests (it blocks IPs with 3 forum page requests with an "sid" in less than a minute... fortunately the different IPs do not seem to be so varied that this method won't work)... so I am not seeing anything now when I look at viewonline.php.

By the way, this activity would often seem to come and go in spurts of less severity and more severity.


Re: Is this some kind of DoS attack?

Post by </Solidjeuh> » Sat Jun 29, 2019 1:07 am

I just checked a few IPs, and it seems indeed some kind of "attack".
See:

http://stopforumspam.com/ipcheck/107.175.110.106
https://cleantalk.org/blacklists/104.144.203.112
https://cleantalk.org/blacklists/107.173.182.242

Let's wait on some help here that knows what to do ;)

IPs can be blocked via htaccess, but that's not the best solution I guess

Code: Select all

Order Deny,Allow
Deny from 107.174.38.203
Deny from 107.175.110.106
Deny from 107.174.252.60
Deny from 107.173.182.251

thecoalman
Community Team Member
Posts: 3217
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Is this some kind of DoS attack?

Post by thecoalman » Sat Jun 29, 2019 1:14 am

I would suggest that is entirely too slow for a DDOS attack, slow attacks happen where the intention is to slow a site down but most servers wouldn't even blink with that rate of requests. In comparison, in a DDOS attack on my site I had on average 2000 http requests per second for a week. :o

This is probably a rogue bot scraping the site or whatever....


Re: Is this some kind of DDoS attack?

Post by Albert Wiersch » Sat Jun 29, 2019 1:21 am

Thanks for those links. I was looking for confirmation of some type of attack. I certainly don't want to block any legitimate requests.

I've already found a solution that seems to be working - using fail2ban to automatically block IPs. It's been in use less than 24 hours but it seems to be working very well. The CPU usage is way down... but if anyone knows a better solution or can shed more light on what is going on then I would love to hear it.

As for the speed of the "attack". I agree that the requests are rather slow for a "real" DDoS attack. I'm using a Linode machine running Debian Linux with 2 CPUs and 4GB RAM but the CPUs are shared so who knows how many requests my system can handle at a time... unfortunately it was definitely slowing down the server response when there were just a few requests every few seconds.

But now that the "fail2ban" solution is working, my server is really snappy again.

UPDATE: In case anyone is interested, here is the fail2ban filter that I'm using in /etc/fail2ban/filter.d/httpd.conf:

Code: Select all

[Definition]
failregex = ^<HOST> - - \[\] "GET /CSEForum/\S+\.php\S+sid=.*"$

And the relevant part in /etc/fail2ban/jail.local to block the IPs for 2 hours (7200 seconds):

Code: Select all

[httpd]
enabled  = true
filter   = httpd
bantime  = 7200
findtime = 60
maxretry = 3
action   = ban
logpath  = /var/log/apache2/access.log


Re: Is this some kind of DDoS attack?

Post by thecoalman » Sat Jun 29, 2019 10:06 am

Albert Wiersch wrote:
Sat Jun 29, 2019 1:21 am
I certainly don't want to block any legitimate requests.
I only checked a few of them but they are all data centers, it's possible to have legitimate users from sources like that occasionally but generally speaking nearly all traffic from sources like that would be bots. In your case since you have multiple bots requesting the same SID.

... but if anyone knows a better solution
I don't use fail2ban but it apparently uses the firewall, outside of a proxy service like Cloudflare that can prevent such requests from ever reaching the server at all you can't improve the performance of blocking those requests.

or can shed more light on what is going on then I would love to hear it.
One technique I read about is where they try and keep the connection open for each request as long as possible. If you have CSF and look in the settings there are options to prevent this but some of those options can potentially block legitimate users. Generally speaking you would deploy those rules when a site is under attack. You can also research timeout, keepalive in httpd.conf etc.

https://httpd.apache.org/docs/trunk/mis ... s.html#dos

If this is a DDOS attack it's not random, one statistic I read is something like 2/3 of sites that experience a DDOS will be hit by another one in a week. There are attacks that can overwhelm firewalls, things like fail2ban and CSF profiles can only help mitigate them. They won't stop them.

UPDATE: In case anyone is interested, here is the fail2ban filter that I'm using in /etc/fail2ban/filter.d/httpd.conf:
The SID will appear in links on first page load after the session has expired. I'm assuming the findtime directive is to only scan entries over the last 60 minutes, make sure your session length is at least 3600 seconds. Additionally, if any of your users are blocking cookies the SID is always going to be present in the URL and they will get blocked.


Re: Is this some kind of DDoS attack?

Post by Albert Wiersch » Sat Jun 29, 2019 2:49 pm

thecoalman wrote:
Sat Jun 29, 2019 10:06 am
The SID will appear in links on first page load after the session has expired. I'm assuming the findtime directive is to only scan entries over the last 60 minutes, make sure your session length is at least 3600 seconds. Additionally, if any of your users are blocking cookies the SID is always going to be present in the URL and they will get blocked.
Thanks for the info & feedback.

The findtime is 60 seconds so that if there are 3 or more matching requests within 60 seconds it will ban the IP.

How many people block cookies nowadays? I suppose a legit user could get banned if they are not using cookies and make 3 matching requests within 60 seconds. I think that would be very rare though.

Now my main question is who/what is making these requests and why? I'd love to know. Anyone want to speculate on this?
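
Added example (not part of any post in this thread, and not the poster's fail2ban setup): a Python replay of the per-IP rule described above (3 matching requests within 60 seconds) next to a check for one "sid" presented from several addresses, the pattern the first post noticed. The log lines, documentation-range IP addresses, session IDs and the `min_ips` threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Approximates the thread's filter: a GET for a /CSEForum/*.php page carrying "sid=".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET (?P<url>/CSEForum/\S+\.php\S*) HTTP/[\d.]+" '
)
SID_RE = re.compile(r"[?&]sid=([0-9a-f]{32})(?:&|$)")

BOT_SID = "0123456789abcdef0123456789abcdef"    # constructed value
HUMAN_SID = "fedcba9876543210fedcba9876543210"  # constructed value


def _line(ip, hms, url):
    """Build one constructed combined-log line (documentation-range IPs only)."""
    return (f'{ip} - - [24/Jun/2019:{hms} -0500] "GET /CSEForum/{url} HTTP/1.1" '
            f'200 1234 "-" "constructed-agent"')


SAMPLE_LOG = [  # constructed input, time-ordered like a real access log
    _line("192.0.2.10", "17:09:44", f"viewforum.php?f=2&sid={BOT_SID}&start=50"),
    _line("192.0.2.11", "17:09:46", f"viewtopic.php?f=2&t=888&sid={BOT_SID}"),
    _line("198.51.100.7", "17:09:48", f"memberlist.php?mode=viewprofile&u=2&sid={BOT_SID}"),
    _line("203.0.113.5", "17:09:50", f"viewforum.php?f=2&sid={HUMAN_SID}"),  # cookie-less visitor
    _line("192.0.2.10", "17:09:53", f"viewtopic.php?f=2&t=904&sid={BOT_SID}"),
    _line("203.0.113.9", "17:09:55", "viewforum.php?f=2"),                   # cookie user, no sid
    _line("198.51.100.8", "17:10:02", f"viewtopic.php?f=2&t=802&sid={BOT_SID}"),
    _line("203.0.113.5", "17:10:05", f"viewtopic.php?f=2&t=888&sid={HUMAN_SID}"),
    _line("192.0.2.10", "17:10:07", f"viewtopic.php?f=2&t=807&sid={BOT_SID}"),
    _line("192.0.2.11", "17:10:12", f"viewtopic.php?f=2&t=863&sid={BOT_SID}"),
    _line("203.0.113.5", "17:10:20", f"viewtopic.php?f=2&t=888&sid={HUMAN_SID}&start=15"),
    _line("203.0.113.9", "17:10:25", "viewtopic.php?f=2&t=888"),
]


def parse(line):
    """Return (ip, timestamp, sid) for a forum request carrying a sid, else None."""
    m = LINE_RE.match(line)
    sid = SID_RE.search(m["url"]) if m else None
    if not sid:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), sid.group(1)


def per_ip_bans(lines, findtime=60, maxretry=3):
    """Per-IP rule from the thread: maxretry matching hits within findtime seconds."""
    window, recent, banned = timedelta(seconds=findtime), defaultdict(deque), {}
    for ip, when, _sid in filter(None, map(parse, lines)):
        if ip in banned:
            continue
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:   # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= maxretry:
            banned[ip] = when            # time at which the ban would trigger
    return banned


def shared_sids(lines, min_ips=3):
    """Sids presented by at least min_ips distinct addresses (min_ips is an assumption)."""
    ips_by_sid = defaultdict(set)
    for ip, _when, sid in filter(None, map(parse, lines)):
        ips_by_sid[sid].add(ip)
    return {sid: ips for sid, ips in ips_by_sid.items() if len(ips) >= min_ips}


def compare(lines):
    """Show where the two rules disagree."""
    banned = set(per_ip_bans(lines))
    on_shared_sid = set().union(*shared_sids(lines).values())
    return {
        "banned_per_ip": banned,
        "on_shared_sid": on_shared_sid,
        "missed_by_per_ip": on_shared_sid - banned,   # slow members of the crawl
        "per_ip_only": banned - on_shared_sid,        # e.g. a visitor who blocks cookies
    }


if __name__ == "__main__":
    for name, ips in compare(SAMPLE_LOG).items():
        print(f"{name}: {sorted(ips)}")
```

A sid can also show up from several addresses when someone shares a link that still contains it, so the shared-sid result is a signal to review rather than proof of a bot.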
