A colleague of mine was recently attacked by a fairly well-known hacker. For reasons known only to the hacker, he decided he would just periodically bring down my colleague’s website by flooding it with HTTP/CGI requests. As far as the server was concerned, these were legitimate requests, and defending against them wasn’t going to be simple.
If these had been half-open SYN attacks from spoofed addresses, it would have been fairly easy to take care of them. More likely, he had a script running which generated repeated requests, via cURL or wget, for a file which caused some resources to be used up, and just turned up the volume until the server stopped responding.
Investigation showed that the requests were coming from a good number of hosts, but not a completely random set. I wrote a script which pulled the most recent Apache access log into a MySQL table, then created a second table from that data, containing only IP address and number of requests. I quickly determined that 87 hosts were responsible for the attacks, and most were located in far-off and untouchable regions such as Korea, Portugal, etc. Looks like our hacker friend had a decent number of drones at his command.
I modified the script to regenerate the data and spit out the commands to route traffic bound for those addresses to nowhere. In this case, since I had a provider willing to work with me, I generated them for a Cisco router (ip route xxx.xxx.xxx.xxx 255.255.255.255 null0). If I hadn’t had a willing provider, I could have modified the script to use the server’s own routing tables to send the traffic to nowhere instead.
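The steps above (count requests per source address in the Apache access log, pick out the heavy hitters, emit null-route commands) can be done without a MySQL round trip. The following is an added example, not the author's script: it assumes Apache "combined" log format, a request-count threshold chosen by the operator, an allowlist of addresses that must never be blackholed (your own admin hosts, the provider's monitoring), and, for the "server's own routing tables" variant, the iproute2 blackhole route type on Linux. The log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (not from the original
# post). Two hosts hammer a CGI script with curl/wget; two are ordinary visitors;
# one line is deliberately malformed to show it is skipped.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2004:13:55:36 -0700] "GET /cgi-bin/search.cgi?q=a HTTP/1.0" 200 2326 "-" "curl/7.10"
203.0.113.5 - - [10/Oct/2004:13:55:37 -0700] "GET /cgi-bin/search.cgi?q=a HTTP/1.0" 200 2326 "-" "curl/7.10"
203.0.113.5 - - [10/Oct/2004:13:55:38 -0700] "GET /cgi-bin/search.cgi?q=a HTTP/1.0" 200 2326 "-" "curl/7.10"
198.51.100.77 - - [10/Oct/2004:13:55:38 -0700] "GET /cgi-bin/search.cgi?q=a HTTP/1.0" 200 2326 "-" "Wget/1.9"
198.51.100.77 - - [10/Oct/2004:13:55:39 -0700] "GET /cgi-bin/search.cgi?q=a HTTP/1.0" 200 2326 "-" "Wget/1.9"
198.51.100.77 - - [10/Oct/2004:13:55:40 -0700] "GET /cgi-bin/search.cgi?q=a HTTP/1.0" 200 2326 "-" "Wget/1.9"
198.51.100.77 - - [10/Oct/2004:13:55:41 -0700] "GET /cgi-bin/search.cgi?q=a HTTP/1.0" 200 2326 "-" "Wget/1.9"
192.0.2.10 - - [10/Oct/2004:13:55:42 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2004:13:55:43 -0700] "GET /about.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
this line is garbage and should be skipped
"""

# Leading fields of the combined format: client IP, identd, user, [timestamp],
# "request", status, bytes. Only the IP is needed here, but matching the rest
# keeps junk lines out of the counts.
LOG_LINE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)


def count_requests_per_ip(log_text):
    """Return a Counter of requests per client IP; unparseable lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def select_offenders(counts, threshold, allowlist=()):
    """IPs with at least `threshold` requests, busiest first, minus the allowlist.

    The threshold is the operator's judgement call (an assumption here): set it
    well above what a busy legitimate client produces in the log window.
    """
    return [ip for ip, n in counts.most_common()
            if n >= threshold and ip not in allowlist]


def cisco_null_routes(ips):
    """Static host routes to null0, as in the post, for the upstream Cisco router."""
    return [f"ip route {ip} 255.255.255.255 null0" for ip in ips]


def linux_blackhole_routes(ips):
    """Equivalent on the server itself (assumed alternative, iproute2 syntax).

    A blackhole route makes the kernel drop packets *to* that address, so the
    server's SYN-ACKs never leave and the attacker's connections cannot complete.
    """
    return [f"ip route add blackhole {ip}/32" for ip in ips]


if __name__ == "__main__":
    counts = count_requests_per_ip(SAMPLE_ACCESS_LOG)
    offenders = select_offenders(counts, threshold=3, allowlist={"192.0.2.10"})
    print("\n".join(cisco_null_routes(offenders)))
    print("\n".join(linux_blackhole_routes(offenders)))
```

Run against a real log window, the allowlist matters more than the threshold: a null route is indiscriminate, so a single misplaced address can cut off your own monitoring or your provider's access. Keeping the generated commands in a file also makes it easy to remove the routes once the flood stops.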
After applying these null routes, the attack immediately stopped. And the script is still there, in case he finds more drones and tries it again.