HTTP Attack?
85.94.94.197 - - [25/Jun/2007:12:14:54 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 272504844$
85.94.94.197 - - [25/Jun/2007:12:14:46 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 278866299$
85.94.94.197 - - [25/Jun/2007:12:14:19 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 265269077$
85.94.94.197 - - [25/Jun/2007:12:06:22 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 200 283880365$
85.94.94.197 - - [25/Jun/2007:12:13:35 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 275930571$
85.94.94.197 - - [25/Jun/2007:12:17:15 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 280953233$
85.94.94.197 - - [25/Jun/2007:12:18:03 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 280883564$
85.94.94.197 - - [25/Jun/2007:12:16:09 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 278470430$
85.94.94.197 - - [25/Jun/2007:12:15:30 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 272492576$
85.94.94.197 - - [25/Jun/2007:12:08:24 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 268983965$
85.94.94.197 - - [25/Jun/2007:12:18:58 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 271350508$
The file in question that they downloaded was 271MB. From the logs I can also see that they have downloaded several of the other smaller patches.
If you look at the timestamps, they are generally about 5 minutes apart. I'm not sure whether the logs show when the file was complete or when it was started.
Also, by looking at my bandwidth usage for the past 24 hours (thanks to the dashboard) I can see I've only used about 1.25GB. This is somewhat high, but not absurd for the amount of traffic that my site gets.
I've had roughly 50-70 requests for a 271MB file, which would add up to at least 13GB of bandwidth used. It appears as if they initiated the file repeatedly, but didn't actually download it… Almost as if it were an HTTP form of a SYN attack. Do you think that this is just some person who is trying to attack me and getting nowhere, or some poor person with a bad connection trying to DL a large file?
Thanks,
Smark
PS. Sorry if it's a little long, I was on lunch at work and had some spare time.
PSS. Also, why aren't the log times in order? I used the grep command to just read today's log (grep "25/Jun/2007"), but that shouldn't change the order, should it?
5 Replies
> If you look at the timestamps, they are generally about 5 minutes apart. I'm not sure whether the logs show when the file was complete or when it was started.
I tried to download a large file from my apache webserver, canceled it, and looked at the log. The entry was there. So a download does not have to be complete to show up in the log.
> Do you think that this is just some person who is trying to attack me and getting nowhere, or some poor person with a bad connection trying to DL a large file?
Maybe the user's IP changes once every 5 minutes? That would break the download. Maybe the user's client tries to resume the download from where it got disconnected.
As you can see in the above link, the "206" HTTP status code means "Partial Content". So I'd guess it's just a normal download that keeps getting disconnected. Perhaps he is using Tor (tor.eff.org) or something similar? That would cause frequent IP changes.
> PSS. Also, why aren't the log times in order? I used the grep command to just read today's log (grep "25/Jun/2007"), but that shouldn't change the order, should it?
I ran the same command. My list was in the correct order. Strange.
@Smark:
> PSS. Also, why aren't the log times in order? I used the grep command to just read today's log (grep "25/Jun/2007"), but that shouldn't change the order, should it?
Grep won't reorder the lines. My guess would be that the timestamp shows when the transfer started, but the line isn't written to the logfile until the transfer ends.
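An added example, not code from anyone in this thread, that does by script what the replies above do by eye: it parses the Common Log Format lines quoted in the original post, sorts them chronologically (the order question), tallies 200 versus 206 responses (the "Partial Content" point), sums the bytes Apache logged as sent (the bandwidth arithmetic), and computes the gap in seconds between consecutive requests from the same client. The only assumption is that the trailing "$" on each line is an end-of-line marker left by whatever printed the log, not part of the record.

```python
import re
from collections import Counter
from datetime import datetime

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                 r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)')

# Copied from the log excerpt in the thread; the trailing "$" is an end-of-line
# marker left by whatever printed the log, not part of the Apache record.
SAMPLE_LOG = """\
85.94.94.197 - - [25/Jun/2007:12:14:54 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 272504844$
85.94.94.197 - - [25/Jun/2007:12:14:46 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 278866299$
85.94.94.197 - - [25/Jun/2007:12:14:19 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 265269077$
85.94.94.197 - - [25/Jun/2007:12:06:22 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 200 283880365$
85.94.94.197 - - [25/Jun/2007:12:13:35 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 275930571$
85.94.94.197 - - [25/Jun/2007:12:17:15 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 280953233$
85.94.94.197 - - [25/Jun/2007:12:18:03 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 280883564$
85.94.94.197 - - [25/Jun/2007:12:16:09 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 278470430$
85.94.94.197 - - [25/Jun/2007:12:15:30 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 272492576$
85.94.94.197 - - [25/Jun/2007:12:08:24 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 268983965$
85.94.94.197 - - [25/Jun/2007:12:18:58 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 271350508$
"""

def parse(lines):
    """One dict per well-formed CLF line; anything else is skipped."""
    out = []
    for line in lines:
        m = CLF.match(line.rstrip("$\n"))
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
            e["status"] = int(e["status"])
            e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
            out.append(e)
    return out

def summarize(entries, host, path):
    """Chronological view of one client's requests for one file."""
    hits = sorted((e for e in entries if e["host"] == host and e["path"] == path),
                  key=lambda e: e["time"])
    return {
        "requests": len(hits),
        "statuses": Counter(e["status"] for e in hits),      # 200 vs 206 mix
        "bytes_logged": sum(e["bytes"] for e in hits),        # what Apache says it sent
        "order": [e["time"].strftime("%H:%M:%S") for e in hits],
        "gaps_seconds": [int((b["time"] - a["time"]).total_seconds())
                         for a, b in zip(hits, hits[1:])],
    }
```

Run it on a full access log with `summarize(parse(open(path)), client_ip, file_path)`; the gaps list shows at a glance whether one client is re-requesting a file every few seconds or every few minutes, and bytes_logged is the number to compare against the hosting dashboard.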
@Smark:
> 85.94.94.197 - - [25/Jun/2007:12:14:54 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 272504844$
> 85.94.94.197 - - [25/Jun/2007:12:14:46 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 278866299$
> 85.94.94.197 - - [25/Jun/2007:12:14:19 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 265269077$
> 85.94.94.197 - - [25/Jun/2007:12:06:22 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 200 283880365$
> 85.94.94.197 - - [25/Jun/2007:12:13:35 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 275930571$
> 85.94.94.197 - - [25/Jun/2007:12:17:15 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 280953233$
> 85.94.94.197 - - [25/Jun/2007:12:18:03 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 280883564$
> 85.94.94.197 - - [25/Jun/2007:12:16:09 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 278470430$
> 85.94.94.197 - - [25/Jun/2007:12:15:30 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 272492576$
> 85.94.94.197 - - [25/Jun/2007:12:08:24 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 268983965$
> 85.94.94.197 - - [25/Jun/2007:12:18:58 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 271350508$
Some download clients perform a number of partial downloads at the same time. They claim this speeds up downloads.
Thanks,
Smark
In any case, if you're truly worried, you could just ban the IP at the firewall level.