Linux – How to prevent IP spoofing within iptables

Tags: apache-2.2, iptables, linux, spoofing

My Apache web server on Linux is being flooded by massive requests for a non-existent file. The immediate impact is the rapid growth of the access and error logs. I already took care of this by not logging these requests (if they match the particular string). We're talking about 40 to 50 requests per second from multiple IP addresses (for the same file).

I initially thought about it being a botnet, but I believe it's some script kiddie spoofing the source IP. I'm running iptables on the server and I was wondering how these packets reached the application layer (the HTTP server), bypassing the initial TCP/IP handshake. If I have:

--Default Policy for INPUT chain is to DROP
<snip>
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
<...>
<snip>
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

…shouldn't the SYN/ACK my server sends in response to an initial connection request go to the spoofed IP, and therefore be lost? And if packets are crafted so as to appear to be from an established connection, shouldn't the state-tracking mechanism of netfilter handle this (via the RELATED,ESTABLISHED line above), recognize them as not part of an established session, and therefore drop them (via the default policy: DROP)?

Thanks in advance,
Craconia

P.S. The requests are coming from valid Internet addresses.

Best Answer

Even if they spoof the source IP, the TCP SYN/ACK handshake is required before a connection can be made to Apache. This effectively prevents a spoofed TCP connection. So you can be pretty sure all connections are made from the IP addresses you can see in the logs.

A botnet or open proxy is a more likely culprit. That, or a vulnerability in a web page somewhere. A classic exploit is embedding a link to a large object on your web server in the HTML of a website, making all clients hit your web server trying to fetch the object from your server...

Your iptables rules do make sense now ;)
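To make the answer's point concrete, here is a toy model of the questioner's INPUT chain sitting in front of a server TCP stack. It is an added example, not code from the original question or answer: the three rules are the ones quoted above, while the addresses (RFC 5737 documentation ranges), the packet layout, the fixed initial sequence number and the one-screen TCP stack are simplifying assumptions made here. It walks three cases: an honest client completing the handshake, a SYN with a forged source (the SYN/ACK goes to the forged address, so the sender never learns the ISN it must acknowledge), and a crafted ACK/PSH with payload that pretends to belong to an established connection. The last case also shows a caveat the questioner's reasoning misses: with the Linux default nf_conntrack_tcp_loose=1, conntrack picks up a mid-stream ACK as NEW rather than INVALID, so this chain accepts it; it is the kernel's TCP stack (no socket for that tuple, hence a RST) that keeps it away from Apache, not the firewall.

```python
"""Toy model of a stateful iptables INPUT chain in front of a TCP stack,
showing why packets with a forged source address never become an Apache
connection.  Added example, not code from the original post: the chain is
the one quoted in the question; addresses, packet format and the minimal
TCP stack are simplifying assumptions made here."""

from dataclasses import dataclass, field

# Constructed addresses from the RFC 5737 documentation ranges.
SERVER = "198.51.100.10"
SPOOFED = "203.0.113.5"    # address forged into the IP header
CLIENT = "192.0.2.7"       # an honest client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset       # subset of {"SYN", "ACK", "PSH", "RST"}
    seq: int = 0
    ack: int = 0

    def tuple_key(self):   # conntrack tuple, identical for both directions
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


@dataclass
class Conntrack:
    """Minimal nf_conntrack: tuple -> state, with the tcp_loose knob."""
    table: dict = field(default_factory=dict)
    tcp_loose: bool = True  # Linux default is nf_conntrack_tcp_loose=1

    def classify(self, pkt):
        if pkt.tuple_key() in self.table:
            return "ESTABLISHED"
        if pkt.flags == {"SYN"}:
            self.table[pkt.tuple_key()] = "SYN_RECV"
            return "NEW"
        if self.tcp_loose:  # mid-stream pickup: a non-SYN packet becomes NEW
            self.table[pkt.tuple_key()] = "ESTABLISHED"
            return "NEW"
        return "INVALID"


def input_chain(state, pkt):
    """The questioner's chain: default DROP, accept ESTABLISHED, accept NEW tcp/80."""
    if state == "ESTABLISHED":
        return "ACCEPT"
    if state == "NEW" and pkt.dport == 80:
        return "ACCEPT"
    return "DROP"


@dataclass
class TcpStack:
    """Server TCP stack: half-open sockets with their ISN, accepted sockets."""
    isn: int = 0x1A2B3C4D  # constructed 'random' initial sequence number
    half_open: dict = field(default_factory=dict)
    accepted: list = field(default_factory=list)  # what Apache's accept() returns

    def receive(self, pkt):
        """Process one firewall-accepted packet; return the kernel's reply or None."""
        peer = (pkt.src, pkt.sport)
        if pkt.flags == {"SYN"}:
            self.half_open[peer] = self.isn
            return Packet(SERVER, pkt.src, 80, pkt.sport, frozenset({"SYN", "ACK"}),
                          seq=self.isn, ack=pkt.seq + 1)
        if peer in self.half_open and pkt.flags == {"ACK"}:
            if pkt.ack == self.half_open[peer] + 1:  # third step must echo ISN+1
                del self.half_open[peer]
                self.accepted.append(peer)
            return None                              # wrong ack number: ignored
        if peer in self.accepted:
            return None                              # payload delivered to Apache
        return Packet(SERVER, pkt.src, 80, pkt.sport, frozenset({"RST"}))  # no socket


@dataclass
class Server:
    ct: Conntrack = field(default_factory=Conntrack)
    stack: TcpStack = field(default_factory=TcpStack)

    def deliver(self, pkt):
        """Firewall first, TCP stack only on ACCEPT; returns (state, verdict, reply)."""
        state = self.ct.classify(pkt)
        verdict = input_chain(state, pkt)
        reply = self.stack.receive(pkt) if verdict == "ACCEPT" else None
        return state, verdict, reply


def honest_client():
    """Full three-way handshake from CLIENT: Apache gets one connection."""
    srv = Server()
    _, _, synack = srv.deliver(Packet(CLIENT, SERVER, 50000, 80, frozenset({"SYN"}), seq=100))
    # The client really receives the SYN/ACK, so it can echo the right ack number.
    srv.deliver(Packet(CLIENT, SERVER, 50000, 80, frozenset({"ACK"}), seq=101, ack=synack.seq + 1))
    return len(srv.stack.accepted)


def spoofed_syn():
    """SYN with forged source: the SYN/ACK is addressed to SPOOFED, so the real
    sender must guess the ISN blindly and the handshake never completes."""
    srv = Server()
    state, verdict, synack = srv.deliver(Packet(SPOOFED, SERVER, 40000, 80, frozenset({"SYN"}), seq=1))
    srv.deliver(Packet(SPOOFED, SERVER, 40000, 80, frozenset({"ACK"}), seq=2, ack=0))  # blind guess
    return {"syn_state": state, "syn_verdict": verdict, "synack_sent_to": synack.dst,
            "apache_connections": len(srv.stack.accepted)}


def crafted_ack(tcp_loose):
    """ACK/PSH with payload and no prior handshake, trying to look ESTABLISHED."""
    srv = Server(ct=Conntrack(tcp_loose=tcp_loose))
    state, verdict, reply = srv.deliver(
        Packet(SPOOFED, SERVER, 40001, 80, frozenset({"ACK", "PSH"}), seq=5, ack=5))
    return {"state": state, "verdict": verdict,
            "kernel_reply": None if reply is None else sorted(reply.flags),
            "apache_connections": len(srv.stack.accepted)}
```

Running the three scenarios: `honest_client()` returns 1; `spoofed_syn()` reports the SYN as NEW/ACCEPT with the SYN/ACK addressed to 203.0.113.5 and zero Apache connections; `crafted_ack(True)` (the Linux default) is NEW/ACCEPT at the firewall but answered with a RST by the stack, while `crafted_ack(False)` is INVALID/DROP. In every spoofed case the connection count Apache sees stays at zero, which is the answer's point: the addresses in the access log belong to hosts that really completed the handshake.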
