Re: Question about HTTP DDOS attacks.

[Hugo van der Kooij <hvdkooij () vanderkooij org>]

On Fri, 15 Mar 2002 eax () 3xT org wrote:

> For the last couple days, one of our client's virtual-hosts on one of our webservers has been DDOSed with
> tons of HTTP requests composed of:
>
> GET / HTTP/1.1
> Host: example.com

These are in fact valid request if I setup a link like: <a 
href="http://example.com/";> or even <a href="http://example.com";>

Do you have any referrer information to disclose as well? An apache server 
with full referer logging would tell you this and it could lead you to the 
source.

It may be a DDOS attack but it could as well be just a link that got typed 
wrong on a popular site. (Say with a link to warez software or over 
exposed pictures. ;-)

There is no evidence this is a real attack with the information you 
provided yet.

Hugo.

-- 
All email send to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com