[IMC-Tech] DDoS maybe thwarted

Zachary C. Miller zach at chambana.net
Wed Mar 1 19:38:32 CST 2006


I think I've got us out of the woods from today's DDoS attack. Even
though most of these spammers had their comments blocked by our
software, the high pace of attempting to post comments was bogging
down the server anyway. 

Using these commands: 

grep "scumbag/mt/mt-comment" /var/log/apache/ucimc-full-access.log | cut -d" " -f1 | perl -e 'while(<>) { chomp; $count{$_}++ }; print "$count{$_} $_\n" foreach sort keys %count' | sort -n | tail -100 | cut -d" " -f2 

grep "POST /newswire/update/index.php" /var/log/apache/ucimc-full-access.log | cut -d" " -f1 | perl -e 'while(<>) { chomp; $count{$_}++ }; print "$count{$_} $_\n" foreach sort keys %count' | sort -n | tail -100 | cut -d" " -f2 

I identified the top 100 IP addresses that were flooding our site with
requests today for each of two different points of entry. (The
scumbag/mt one doesn't actually even exist, he moved his site off our
server a while ago but lots of zombies still attempt to post spam
there and it's a good way to detect them to look for requests to that
non-existent script. I've noticed that a lot of the zombies attacking
that script ALSO attack ucimc.org and saschameinrath.com so finding
them in one place knocks them out in the others.)

I looked at whois and DNS PTR information for all of these IP
addresses, determined that none of them were local and banned them
all. These are all IPs that tried to post 10 or more comments to our
newswire just today alone.

The IPs that I banned are: 


-- 
Zachary C. Miller - @= - http://zach.chambana.net/
IMSA 1995 - UIUC 2000 - Just Another Leftist Muppet - Ya Basta!
 Social Justice, Community, Nonviolence, Decentralization, Feminism,
 Sustainability, Responsibility, Diversity, Democracy, Ecology
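
The counting approach from the message above, as an added example that is not part of the original post: it matches on the request method and path fields instead of the whole log line, applies the 10-request threshold directly, and skips an allowlist of known-local clients. The function names, the sample log lines (including the full decoy script name) and the addresses (documentation ranges) are constructed for illustration; only the two path patterns come from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Addresses, log lines and
# function names are constructed; the path patterns come from the post.

# flooders METHOD PATH_PREFIX THRESHOLD [ALLOWLIST_FILE] < access.log
# Prints "count ip" for every client at or above THRESHOLD, busiest first.
# METHOD may be "" to accept any method.
flooders() {
    awk -v m="$1" -v p="$2" -v t="$3" -v allow="${4:-/dev/null}" '
        # One allowlisted address per line (known-local or trusted clients).
        BEGIN { while ((getline ip < allow) > 0) skip[ip] = 1 }
        # In combined log format $6 is the quoted method and $7 the path, so
        # the same string in a Referer or User-Agent field is not counted.
        (m == "" || substr($6, 2) == m) && index($7, p) == 1 && !($1 in skip) {
            n[$1]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample data: N log lines for one client.
hits() {  # hits N IP REQUEST [REFERER]
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s - - [01/Mar/2006:12:00:00 -0600] "%s HTTP/1.0" 404 0 "%s" "-"\n' \
            "$2" "$3" "${4:--}"
        i=$((i + 1))
    done
}

sample_log() {
    hits 12 203.0.113.7   'POST /scumbag/mt/mt-comments.cgi'  # dead script
    hits 15 198.51.100.9  'POST /newswire/update/index.php'   # flooder
    hits 11 192.0.2.10    'POST /newswire/update/index.php'   # allowlisted
    hits 3  198.51.100.20 'POST /newswire/update/index.php'   # under threshold
    hits 20 198.51.100.30 'GET /index.html' 'http://example.org/scumbag/mt/mt-comment'
}

# Demo: newswire flooders with 10 or more POSTs (no allowlist supplied).
sample_log | flooders POST /newswire/update/index.php 10
```

Against a real log, feed the file on standard input and pass the allowlist as the fourth argument so that busy legitimate clients are reviewed separately instead of being banned with the rest.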

