200 requests per second to httpd server, but not accessing server

Bsalarius asked:

I seem to be having an unusual attack (or so it seems). I cannot find any similar event that may have happened to someone else.

Here is a snippet of some of the requests from /var/logs/httpd/access_log:

104.202.82.76 - - [06/Dec/2015:16:19:27 +0000] "GET http://ib.adnxs.com/ttj?id=5705256&cb=${CACHEBUSTER}&pubclick=${CLICK_URL} HTTP/1.0" 302 - "http://www.healthfmbox.com/?p=952" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; fi-fi) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148a Safari/6533.18.5"
104.202.82.67 - - [06/Dec/2015:16:19:27 +0000] "GET https://gum.criteo.com:443/sync?c=30&r=2&j=cr_handle_data_a HTTP/1.0" 500 534 "http://www.healthfmbox.com/?p=4" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; fr) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16"
23.89.251.178 - - [06/Dec/2015:16:19:27 +0000] "GET http://ib.adnxs.com/ttj?ttjb=1&bdc=1449418757&bdh=mJxlczTI4elSgTdPCRLn3nz2Ty8.&&view_vs=2&bdref=http%3A%2F%2Fwww.healthyyt.com%2F%3Fp%3D344&bdtop=true&bdifs=0&bstk=http%3A%2F%2Fwww.healthyyt.com%2F%3Fp%3D344&&id=5700353 HTTP/1.0" 200 - "http://www.healthyyt.com/?p=344" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; ja-jp) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16"
104.202.144.210 - - [06/Dec/2015:16:19:27 +0000] "GET http://47.teracreative.com/WhiteLabelBidRequestHandlerServlet?oid=47&width=728&height=90&pubid=139708&tagid=810768&pstn=ENTER_PLACEMENT_ID_HERE&noaop=1&revmod=INSERT_CONTENT_TYPE&encoded=1&cb=INSERT_CACHEBUSTER&keywords=INSERT_COMMA_SEPARATED_KEYWORDS&callback=document.write&urlonly=1 HTTP/1.0" 200 40 "http://www.autosoldbest.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ja-JP) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16"
104.197.151.225 - - [06/Dec/2015:16:19:26 +0000] "CONNECT lq.pbe1.lol.riotgames.com:443 HTTP/1.1" 200 - "-" "-"
85.25.198.36 - - [06/Dec/2015:16:19:27 +0000] "CONNECT lq.euw1.lol.riotgames.com:443 HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36 OPR/30.0.1835.59"
176.31.175.202 - - [06/Dec/2015:16:19:27 +0000] "CONNECT lq.euw1.lol.riotgames.com:443 HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36 OPR/30.0.1835.59"
74.91.17.35 - - [06/Dec/2015:16:19:27 +0000] "GET http://55.teracreative.com/WhiteLabelBidRequestHandlerServlet?oid=55&width=728&height=90&pubid=148917&tagid=854467&pstn=ENTER_PLACEMENT_ID_HERE&noaop=1&revmod=INSERT_CONTENT_TYPE&encoded=1&cb=INSERT_CACHEBUSTER&keywords=INSERT_COMMA_SEPARATED_KEYWORDS&callback=document.write&urlonly=1 HTTP/1.0" 200 837 "http://www.superkinggame.com/games/326/crash-bandicoot.html" "Mozilla/5.0 (Windows NT 5.1; U; rv:5.0) Gecko/20100101 Firefox/5.0"
104.202.82.78 - - [06/Dec/2015:16:19:27 +0000] "GET http://ib.adnxs.com/ttj?ttjb=1&bdc=1449418757&bdh=anzD4Bcoh4UlOB1sU78J1oceoXc.&&view_vs=2&bdref=http%3A%2F%2Fwww.healthfmbox.com%2F%3Fp%3D45&bdtop=true&bdifs=0&bstk=http%3A%2F%2Fwww.healthfmbox.com%2F%3Fp%3D45&&id=5705256&cb=${CACHEBUSTER}&pubclick=${CLICK_URL} HTTP/1.0" 200 - "http://www.healthfmbox.com/?p=45" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; ru-ru) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16"
104.202.144.210 - - [06/Dec/2015:16:19:27 +0000] "GET http://47.teracreative.com/WhiteLabelBidRequestHandlerServlet?oid=47&width=300&height=250&pubid=139708&tagid=810748&pstn=ENTER_PLACEMENT_ID_HERE&noaop=1&revmod=INSERT_CONTENT_TYPE&encoded=1&cb=INSERT_CACHEBUSTER&keywords=INSERT_COMMA_SEPARATED_KEYWORDS&callback=document.write&urlonly=1 HTTP/1.0" 200 40 "http://www.autosoldbest.com/the-quality-of-the-trucks-you-drive-determines-the-quality-of-work-achieved.html" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; de-de) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5"

The <VirtualHost> tag from httpd.conf:

<VirtualHost *:80>
    DocumentRoot /home/minecraft/www
    ServerName deltatek.playat.ch
    Options -Indexes
    ProxyRequests On
    ProxyPass ... !
    ProxyPass / http://my.domain.name.here:3000/
</VirtualHost>
SSLProtocol all -SSLv2 -SSLv3

(The ProxyPasses have been removed for security, along with the domain name)

Any ideas why this would be happening? The log files quickly fill up the HDD of the server!

System OS & Version:

cat /etc/redhat-release
CentOS release 6.7 (Final)

Thanks.

My answer:


You have made your web server an open proxy server by turning on ProxyRequests. Someone has discovered it and your server is now being abused by many people on the Internet. Turn this off immediately. It is not necessary or useful for reverse proxying to your web application.


View the full question and answer on Server Fault.
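
An added example, not part of the original question or answer: one way to measure how much of an access log is forward-proxy traffic of the kind shown in the question, by flagging CONNECT requests and GET requests whose target is a full URL for a host other than your own. It assumes Apache's combined log format; the function names, the `own_hosts` parameter and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IPs and example hostnames).
SAMPLE = [
    '192.0.2.10 - - [06/Dec/2015:16:19:27 +0000] "GET http://ads.example.net/ttj?id=1 HTTP/1.0" 200 - "-" "-"',
    '192.0.2.11 - - [06/Dec/2015:16:19:27 +0000] "CONNECT game.example.com:443 HTTP/1.1" 200 - "-" "-"',
    '192.0.2.10 - - [06/Dec/2015:16:19:27 +0000] "GET https://sync.example.net:443/sync?c=30 HTTP/1.0" 500 534 "-" "-"',
    '198.51.100.7 - - [06/Dec/2015:16:19:28 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.8 - - [06/Dec/2015:16:19:28 +0000] "GET http://www.example.org/ HTTP/1.1" 200 512 "-" "-"',
]

def forward_proxy_target(method, target):
    """Return the external host a request line asks us to reach, or None."""
    if method == "CONNECT":            # authority-form: host:port
        return target.rsplit(":", 1)[0].lower()
    if target.lower().startswith(("http://", "https://")):   # absolute-form
        try:
            return urlsplit(target).hostname
        except ValueError:             # malformed authority in a hostile request
            return None
    return None                        # origin-form ("/path"): ordinary request

def summarize(lines, own_hosts=()):
    """Count requests whose target is a host other than this server's own names."""
    own = {h.lower() for h in own_hosts}
    parsed = 0
    clients, targets, statuses = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed += 1
        host = forward_proxy_target(m["method"], m["target"])
        if host is None or host in own:
            continue
        clients[m["ip"]] += 1
        targets[host] += 1
        statuses[(m["method"], m["status"])] += 1   # CONNECT + 200 = tunnel opened
    return {"parsed": parsed, "proxied": sum(clients.values()),
            "clients": clients, "targets": targets, "statuses": statuses}

if __name__ == "__main__":
    print(summarize(SAMPLE, own_hosts=["www.example.org"]))
```

To run it over a real log, pass the open file object as `lines` and the site's own ServerName values as `own_hosts`.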

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.