I'm getting a very weird kind of DDOS attack: the server is flooded with requests. However, the problem is that when going through the access log, I'm getting requests to non-existent domains and hosts on my server, something along these lines:
101.201.47.133 - - [29/May/2016:16:38:11 +0000] "POST http://ifacelog.iqiyi.com/api/vvlog.jsp HTTP/1.1" 200 2 "-" "QIYIVideo/7.4 (iOS;com.qiyi.iphone;iOS8.0.1;iPhone5,4) Corejar"
81.94.192.52 - - [29/May/2016:16:38:11 +0000] "GET http://www.advinapps.com/ads-sync.js?v=1&key=fa7fef2ba4e39c100ef0278e97b68be3&epmads_width=300&epmads_height=250&cIds=&adsCampaignKey=1464568684537&ch=www.economist.com&click=&tz=-13&t=1464568684812&requestUrl=http%3A%2F%2Feconomist.com&flashVer=18.0%20r0&scrWidth=412&scrHeight=659 HTTP/1.1" 200 691 "http://economist.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4"
172.87.28.13 - - [29/May/2016:16:35:12 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 503 299 "-" "-"
123.56.190.144 - - [29/May/2016:16:38:11 +0000] "POST http://ifacelog.iqiyi.com/api/vvlog.jsp HTTP/1.1" 200 2 "-" "QIYIVideo/7.4 (iOS;com.qiyi.iphone;iOS7.0.1;iPhone7,2) Corejar"
172.87.30.22 - - [29/May/2016:16:35:12 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 503 299 "-" "-"
81.94.192.58 - - [29/May/2016:16:38:11 +0000] "GET http://www.advinapps.com/ads-sync.js?v=1&key=fb5958979637170f68a7f021b69561d0&epmads_width=300&epmads_height=250&cIds=&adsCampaignKey=1464568661357&ch=www.fredericknewspost.com&click=&tz=-13&t=1464568690295&requestUrl=http%3A%2F%2Ffredericknewspost.com&flashVer=18.0%20r0&scrWidth=600&scrHeight=960 HTTP/1.1" 200 321 "fredericknewspost.com/article/780.html" "Mozilla/5.0 (Linux; Android 4.2.2; GT-I9505 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36"
81.94.192.50 - - [29/May/2016:16:38:11 +0000] "GET http://www.advinapps.com/impression.gif?b=282343&p=24300&ch=www.therepublic.com&dspPar=32&ap=0.104&cps=&c=11623&l=US&h=04536307c4821d3689234591fc91365a&t=1464539891555&s=f7b3eae7f818b290717990bcd6cdff70&tz=-13.0&sh=567&sw=360 HTTP/1.1" 200 49 "http://therepublic.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X; en-us) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53"
101.201.31.97 - - [29/May/2016:16:38:12 +0000] "GET http://www.xiami.com/count/playrecord?object_id=1776099904&ishq=0&sid=1776099904&object_name=default&t=1464539867265 HTTP/1.1" 401 - "http://img.xiami.net/static/swf/seiya/1.5/player.swf?v=1439737985865" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
144.52.174.222 - - [29/May/2016:16:38:11 +0000] "POST http://www.gifshow.com/rest/n/relation/follow HTTP/1.1" 200 29 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Alexa Toolbar)"
120.26.92.95 - - [29/May/2016:16:38:12 +0000] "CONNECT 112.126.84.66:15010 HTTP/1.1" 400 226 "-" "-"
172.87.30.80 - - [29/May/2016:16:35:12 +0000] "CONNECT api.paypal.com:443 HTTP/1.0" 503 299 "-" "-"
13.73.2.228 - - [29/May/2016:16:38:12 +0000] "CONNECT accounts.surfeasy.com:443 HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
101.201.47.133 - - [29/May/2016:16:38:12 +0000] "GET http://count.vrs.sohu.com/count/stat.do?videoId=2775476&tvid=82474211&playlistId=9084357&categoryId=16&catecode=115101;115102;115103;115104;115126&uid=14645398585291624242&plat=flash&os=Windows10&online=0&type=vrs&r=http%3A%2F%2Ftv.sohu.com%2F20151216%2Fn431509915.shtml&t=1464539858450.432&enc=LIO1B3nKHyIq5OHptFUVfuZnfeE%2BK8x7 HTTP/1.1" 200 16 "http://tv.sohu.com/20151216/n431509915.shtml" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
122.224.11.135 - - [29/May/2016:16:38:12 +0000] "" 400 226 "-" "-"
122.224.11.135 - - [29/May/2016:16:38:11 +0000] "GET http://www.128pa.com/ HTTP/1.1" 200 214 "http://www.baidu.com" "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)"
122.224.11.135 - - [29/May/2016:16:38:11 +0000] "GET http://www.128pa.com/ HTTP/1.1" 200 214 "http://www.baidu.com" "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)"
81.94.192.58 - - [29/May/2016:16:38:12 +0000] "GET http://www.advinapps.com/no-impression.gif?p=24307&ch=www.fredericknewspost.com&l=US&h=cf5deb1084738a7e069f3bdc209b2193&t=1464568705404&s=0366da23730645ecda68bb0f08c99c2e&tz=-13.0&sh=960&sw=600 HTTP/1.1" 200 49 "fredericknewspost.com/article/780.html" "Mozilla/5.0 (Linux; Android 4.2.2; GT-I9505 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36"
123.56.199.198 - - [29/May/2016:16:38:11 +0000] "GET http://www.xiami.com/count/playrecord?object_id=1776099904&ishq=0&sid=1776099904&object_name=default&t=1464539866545 HTTP/1.1" 401 - "http://img.xiami.net/static/swf/seiya/1.5/player.swf?v=1439737985865" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
81.94.192.52 - - [29/May/2016:16:38:12 +0000] "GET http://www.advinapps.com/ads-sync.js?v=1&key=fa7fef2ba4e39c100ef0278e97b68be3&epmads_width=300&epmads_height=250&cIds=&adsCampaignKey=1464568694585&ch=www.economist.com&click=&tz=-13&t=1464568694812&requestUrl=http%3A%2F%2Feconomist.com&flashVer=18.0%20r0&scrWidth=412&scrHeight=659 HTTP/1.1" 200 691 "http://economist.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X; en-us) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53"
101.201.31.108 - - [29/May/2016:16:38:12 +0000] "GET http://vstat.v.blog.sohu.com/dostat.do?method=setVideoPlayCount&v=83593920&playlistId=&c=131128&vc=131128&uid=14645398803161561565&plat=flash&os=Windows10&online=0&type=my&o=292591044&r=http%3A%2F%2Fmy.tv.sohu.com%2Fus%2F292591044%2F83593920.shtml&time=1464539880698 HTTP/1.1" 200 6 "http://my.tv.sohu.com/us/292591044/83593920.shtml" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
104.197.247.35 - - [29/May/2016:16:38:12 +0000] "GET http://www.realtimewebsite.com/js/rtws.js HTTP/1.1" 200 348 "http://www.freewebsitereport.org/www.cartoonetwork.com" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/4.0; .NET CLR 5.0.90556.2)"
81.94.192.52 - - [29/May/2016:16:38:13 +0000] "GET http://www.advinapps.com/no-impression.gif?p=24306&ch=www.economist.com&l=US&h=931f6fbc7b9b27deb6633049e4303daf&t=1464568695000&s=0366da23730645ecda68bb0f08c99c2e&tz=-13.0&sh=659&sw=412 HTTP/1.1" 200 49 "http://economist.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X; en-us) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53"
110.252.95.174 - - [29/May/2016:16:38:12 +0000] "POST http://180.186.38.200/rest/photo/like?lat=0&lon=0&ver=4.34&ud=169552143&sys=ANDROID_4.4.4&c=GENERIC&net=WIFI&did=ANDROID_33d055630e75dcf4&mod=iToolsAVM%28iToolsAVM%29&app=0&language=zh-cn&country_code=US HTTP/1.1" 200 37 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
79.20.174.253 - - [29/May/2016:16:38:13 +0000] "GET http://video-edge-8273c0.ord02.hls.ttvnw.net/hls-6dbdec/forsenlol_21576028656_461001026/chunked/index-live.m3u8?token=id=7806820898711542541,bid=21576028656,exp=1464623765,node=video-edge-8273c0-1.ord02.hls.justin.tv,nname=video-edge-8273c0.ord02,fmt=chunked&sig=4c016ff3014314d55ebbf08798cbc18c9d008e77 HTTP/1.1" 200 422 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
104.197.247.35 - - [29/May/2016:16:38:13 +0000] "GET http://www.realtimewebsite.com/tp.tiff?ref=&host=freewebsitereport.org&path=%2Fwww.cartoonetwork.com&href=http%3A%2F%2Fwww.freewebsitereport.org%2Fwww.cartoonetwork.com&width=400&height=300&id=8046424910426 HTTP/1.1" 204 - "http://www.freewebsitereport.org/www.cartoonetwork.com" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/4.0; .NET CLR 5.0.90556.2)"
85.25.242.142 - - [29/May/2016:16:38:13 +0000] "GET http://www.amazon.de/gp/offer-listing/B00BT96PFK/ref=olp_tab_new?ie=UTF8&sr=8-1&condition=new HTTP/1.1" 400 226 "http://www.amazon.de/gp/offer-listing/B00BT96PFK/ref=olp_tab_all" "-"
108.61.123.138 - - [29/May/2016:16:38:13 +0000] "GET http://c2s.startappnetwork.com/c2s/1.3/htmlads?sdkType=10&sdkVersion=1.0.0&partner=103651863&prod=203453235&os=0&placement=&adw=320&adh=50 HTTP/1.1" 200 8398 "com.pubjts.CuteJam" "Mozilla/5.0 (Linux; U; Android 5.0.0; en-us; ASUS_T00F Build/JSS15Q) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
Is this a known type of DDOS attack? How is my Apache receiving requests like POST http://ifacelog.iqiyi.com/api/vvlog.jsp? I mean, the domain iqiyi does not point to my server.
Update #1
After the suggestion that people are using my server as an open proxy, I disabled loading all Apache proxy modules by commenting them out:
# This file configures all the proxy modules:
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
However, my access_log file is still getting the same suspicious requests. How could this be happening when I disabled all the proxy modules?
The best guess is that you've misconfigured your Apache and it acts as an open proxy now (anyone can use your server as a proxy, disguising himself). I'm guessing this from the CONNECT method requests, as well as from a lot of these requests actually passing, and from the log containing full URLs. So it is not a DDOS; rather, your server has appeared on some kind of open proxy list and people looking to disguise themselves use it as they please. Be careful, because you could be held responsible in case it's abused for criminal activity.
HTTP includes a Host header, so the request can point to any Host at all. This exists so that you can have several hostnames pointing to one IP (virtualhost). It is of course normally useless to ask for a Host whose IP does not point to your server, but this is a malicious attack, and it seems that your server is replying "200" to at least some of these requests, so at best it is encouraging the attack, and at worst it is vulnerable.
You need to check why your server is replying OK to these requests (a default host in Apache, I think, but the OK is on a non-default resource /api/vvlog.jsp, so it may be more complicated than that).
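To check an access_log for the two signs both answers point at (CONNECT and absolute-URL request lines, and how many of those the server actually answered with 2xx), here is an added Python example; it is not from the question or either answer, and the log lines embedded in it are constructed placeholders in the same Combined Log Format as the poster's log.

```python
import re
from collections import Counter

# Constructed sample lines (placeholder IPs and hosts), same format as the
# question's access_log: mixes proxy-style, origin-form and malformed requests.
SAMPLE_LOG = """\
203.0.113.10 - - [29/May/2016:16:38:11 +0000] "POST http://ads.example.net/api/log.jsp HTTP/1.1" 200 2 "-" "App/1.0"
203.0.113.11 - - [29/May/2016:16:35:12 +0000] "CONNECT pay.example.com:443 HTTP/1.0" 503 299 "-" "-"
203.0.113.12 - - [29/May/2016:16:38:12 +0000] "CONNECT login.example.org:443 HTTP/1.0" 200 - "-" "Mozilla/4.0"
198.51.100.5 - - [29/May/2016:16:38:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [29/May/2016:16:38:12 +0000] "" 400 226 "-" "-"
"""

# Combined Log Format: ip ident user [time] "request" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify_request(req):
    """Return 'connect', 'absolute', 'origin' or 'malformed' for a request line."""
    parts = req.split(" ")
    if len(parts) != 3:
        return "malformed"      # e.g. the empty "" request line seen in the log
    method, target, _version = parts
    if method == "CONNECT":
        return "connect"        # tunnel request: only a forward proxy should see these
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        return "absolute"       # absolute-form URI: the client is treating us as a proxy
    return "origin"             # normal request for one of our own virtual hosts

def proxy_abuse_report(log_text):
    """Count request kinds and how many proxy-style requests got a 2xx answer."""
    seen, served = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify_request(m.group("req"))
        seen[kind] += 1
        if kind in ("connect", "absolute") and m.group("status").startswith("2"):
            served[kind] += 1   # a served proxy request is the real warning sign
    return {"seen": dict(seen), "served_2xx": dict(served)}

if __name__ == "__main__":
    print(proxy_abuse_report(SAMPLE_LOG))
```

A non-zero served_2xx count after the proxy modules were disabled means the request is still being answered by a virtual host, which is the case the second answer describes.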