We have a website which appeared to suffer from a denial of service attack. There were several IP addresses involved and these were all registered to Facebook.
Here's an excerpt from the Apache log files:
173.252.73.119 - - [29/Aug/2013:14:22:14 +0100] "GET /blog/?s=224im089cz+pofmv90+4445u422bmw+5iaa1nxh4j1+ppabi%2Gjewl_biochemist++ HTTP/1.1" 200 179 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
As you can see the requested URL is valid but contains a gibberish query string. There are hundreds of such requests per second.
I am thinking that both the IP address and the referrer are faked. Even if the above URL had been posted/shared on Facebook it wouldn't explain all of the other thousands of random requests coming from the same IP address and referrer.
Whilst we could block the IP address via our firewall there are other IP addresses being used (all registered to Facebook), and we don't want to block Facebook if they're not actually responsible.
Are the source of these attacks likely to be coming from elsewhere and how can we mitigate against them?
Best Answer
Those hits are when Facebook queries your server to grab images or text excerpts, to name a few things. If a link was posted and went viral, for example, it'd be loaded by every view of said link. You can contact legal@facebook.com so they can look at it and maybe determine if the links are actually valid.
Note that this isn't a denial of service attack, but your server being unable to cope with an influx of traffic. Denial of Service attacks would serve nothing more than to make your site unusable, while this is just a busy server.