We have a website which appeared to suffer from a denial of service attack. There were several IP addresses involved and these were all registered to Facebook.
Here's an excerpt from the Apache log files:
173.252.73.119 - - [29/Aug/2013:14:22:14 +0100] "GET /blog/?s=224im089cz+pofmv90+4445u422bmw+5iaa1nxh4j1+ppabi%2Gjewl_biochemist++ HTTP/1.1" 200 179 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
As you can see the requested URL is valid but contains a gibberish query string. There are hundreds of such requests per second.
I am thinking that both the IP address and the referrer are faked. Even if the above URL had been posted/shared on Facebook it wouldn't explain all of the other thousands of random requests coming from the same IP address and referrer.
Whilst we could block the IP address via our firewall there are other IP addresses being used (all registered to Facebook), and we don't want to block Facebook if they're not actually responsible.
Is the source of these attacks likely to be elsewhere, and how can we mitigate against them?
Those hits are when Facebook queries your server to grab images or text excerpts, to name a few things. If a link was posted and went viral, for example, it'd be loaded by every view of said link. You can contact [email protected] so they can look at it and maybe determine if the links are actually valid.
Note that this isn't a denial of service attack, but your server being unable to cope with an influx of traffic. Denial of Service attacks would serve nothing more than to make your site unusable, while this is just a busy server.
I don't think it's Facebook.
Have you tried to access exactly this URI? It may also be that the server is compromised and that in fact there is something listening here. You get an HTTP status 100 here - something is going on - this is not a "File not Found". And please look at it deeply - if you have a webshell installed it is hidden. Look here near the end on what this could look like: http://daniel-khan.at/index.php/2013/05/12/webserver-attack-deconstructed/
In all other cases (this is really a bogus URI pointing to nothing):
If you get really many hits you can use iptables with limit http://thelowedown.wordpress.com/2008/07/03/iptables-how-to-use-the-limits-module/
If "blog" isn't a valid path at all, try to block it in .htaccess. This way the server will not get too much load and the bots get tired maybe.
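One way to measure what the question describes before deciding between the two answers (contacting Facebook vs. rate limiting): a small Apache combined-log parser that, per source IP claiming the crawler user agent, reports the request count, the peak requests per second, and how many requests carried a never-before-seen query string. A real link preview fetch repeats the one shared URL; hundreds of distinct random `?s=` searches do not. This is an added example, not code from either poster; the sample log is constructed from the line in the question plus a few invented lines in the same shape, and the IP ownership check that would confirm a crawler's address ranges needs a network lookup and is not done here.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the line from the question plus invented lines of the same pattern
SAMPLE_LOG = """\
173.252.73.119 - - [29/Aug/2013:14:22:14 +0100] "GET /blog/?s=224im089cz+pofmv90+4445u422bmw+5iaa1nxh4j1+ppabi%2Gjewl_biochemist++ HTTP/1.1" 200 179 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.73.119 - - [29/Aug/2013:14:22:14 +0100] "GET /blog/?s=q8x1+zzvm0+1mmq HTTP/1.1" 200 179 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
173.252.73.119 - - [29/Aug/2013:14:22:15 +0100] "GET /blog/?s=aaa1+b22 HTTP/1.1" 200 179 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.144.10 - - [29/Aug/2013:14:22:15 +0100] "GET /blog/?s=0xk2m+7q HTTP/1.1" 200 179 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
10.0.0.5 - - [29/Aug/2013:14:22:15 +0100] "GET /blog/2013/08/post HTTP/1.1" 200 5120 "http://www.facebook.com/" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield one dict per line that matches the combined log format; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(log_text, ua_marker="facebookexternalhit"):
    """Per source IP presenting the crawler UA: total hits, peak hits in any one
    second, and the share of hits whose query string had not been seen before.
    A ratio near 1.0 with a high peak rate is the random-search pattern from the
    question, not a shared link being previewed (which repeats one URL)."""
    per_ip = defaultdict(lambda: {"hits": 0, "per_sec": Counter(), "queries": set()})
    for rec in parse(log_text):
        if ua_marker not in rec["ua"]:
            continue  # only traffic that claims to be the crawler is of interest
        stats = per_ip[rec["ip"]]
        stats["hits"] += 1
        stats["per_sec"][rec["time"]] += 1          # log timestamps have second resolution
        stats["queries"].add(rec["path"].partition("?")[2])
    return {
        ip: {
            "hits": s["hits"],
            "peak_per_sec": max(s["per_sec"].values()),
            "unique_query_ratio": len(s["queries"]) / s["hits"],
        }
        for ip, s in per_ip.items()
    }


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s)
```

Run it against the real access log (`summarize(open(path).read())`) and cross-check any IP with a high peak rate and a unique-query ratio near 1.0 against the crawler operator's published address ranges before deciding whether a firewall or iptables limit rule is safe to apply.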