DoS Attack on my Site

So some smart ass has decided to chew up all my site's quota, so here is some info on it.

After throwing the log through Webalizer (love Webalizer), I found my first suspicious thing, an odd user agent:
Mozilla/4.0 (compatible; MSIE ; Windows NT 4.0)

See how it looks normal and would be easy to overlook, except for the one fact that it generated 50.65% of the traffic for that day. There are a few other things about it though. For one, who uses Microsoft Windows NT 4.0 anymore? That's a bit of a giveaway. But one more thing, a small technical point: "; MSIE ;" - where is the version number? Normally an agent string looks like this: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1). Notice that it has the version number, in this case 6.0. If it was Microsoft Internet Explorer 7 it would show up like this: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1). Keep in mind that the user agent is whatever the client chooses to send, so a string like this is a fingerprint you can correlate on, not proof of what software is on the other end.

Now I did a little searching on this strange user agent and lo and behold it's very rare; in fact I could only find 5 results in Google. Here's the fun part though: one of the results gave me an answer I wasn't expecting, a TrackPro 1.0 statistics page. Now this might not be very interesting to some people, but I decided to search that page for the agent string.

By this time I had looked through my log and noticed a pattern based on which IP addresses had been downloading data; I will get to this a little later. I noticed that in that log it was the same IP addresses sending the same agent string, interesting. I have now come to the conclusion that someone in that IP range is running some piece of software with this dodgy agent string and is doing it on purpose for some unknown reason.

Before I get into too much detail, let's just accuse the IP ranges right now: CIDR 66.150.117.128/25 and 72.14.160.0/20. (Before blocking ranges that wide, a /20 is 4096 addresses, run a whois lookup on them so you know whose network you are cutting off.)
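Here is the same analysis as a script, so it can be rerun on the next day's log instead of eyeballing Webalizer. This is an added example, not code from the original post: it parses Apache combined-format lines, flags the version-less "MSIE ;" agent, counts hits and bytes per address, and groups addresses into the two CIDR blocks named above. The log lines in SAMPLE_LOG are constructed for the example (the 203.0.113.x and 198.51.100.x addresses are documentation addresses standing in for ordinary visitors); only the two CIDR ranges come from the post.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of Apache "combined" log lines, not taken from the post's
# log; the addresses reuse the ranges the post names plus two documentation
# addresses (203.0.113.7, 198.51.100.9) as ordinary visitors.
SAMPLE_LOG = """\
66.150.117.221 - - [10/Oct/2007:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/4.0 (compatible; MSIE ; Windows NT 4.0)"
72.14.164.191 - - [10/Oct/2007:13:55:37 +0000] "GET /files/big.zip HTTP/1.1" 200 1048576 "-" "Mozilla/4.0 (compatible; MSIE ; Windows NT 4.0)"
72.14.164.198 - - [10/Oct/2007:13:55:38 +0000] "GET /files/big.zip HTTP/1.1" 200 1048576 "-" "Mozilla/4.0 (compatible; MSIE ; Windows NT 4.0)"
203.0.113.7 - - [10/Oct/2007:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2326 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [10/Oct/2007:13:56:02 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
66.150.117.145 - - [10/Oct/2007:13:57:10 +0000] "GET /files/big.zip HTTP/1.1" 200 1048576 "-" "Mozilla/4.0 (compatible; MSIE ; Windows NT 4.0)"
"""

# Apache/NCSA "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A genuine IE token carries a version ("MSIE 6.0;"); the post's agent has
# "MSIE ;" with nothing between the product name and the semicolon.
MISSING_MSIE_VERSION = re.compile(r"MSIE\s*;")

# The two CIDR blocks the post names.
SUSPECT_RANGES = [ipaddress.ip_network(c) for c in ("66.150.117.128/25", "72.14.160.0/20")]


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
            yield rec


def suspicious_ua(ua):
    """True for the version-less 'MSIE ;' agent string."""
    return bool(MISSING_MSIE_VERSION.search(ua))


def matching_range(ip):
    """Return the suspect CIDR containing ip as a string, or None."""
    addr = ipaddress.ip_address(ip)
    for net in SUSPECT_RANGES:
        if addr in net:
            return str(net)
    return None


def summarize(text):
    """Aggregate hits and bytes per IP, per suspect range, and for the odd agent."""
    hits_per_ip, bytes_per_ip, hits_per_range = Counter(), Counter(), Counter()
    bad_ua_ips = set()
    bad_ua_hits = bad_ua_bytes = total_bytes = 0
    for rec in parse_log(text):
        hits_per_ip[rec["ip"]] += 1
        bytes_per_ip[rec["ip"]] += rec["bytes"]
        total_bytes += rec["bytes"]
        if suspicious_ua(rec["ua"]):
            bad_ua_hits += 1
            bad_ua_bytes += rec["bytes"]
            bad_ua_ips.add(rec["ip"])
        net = matching_range(rec["ip"])
        if net is not None:
            hits_per_range[net] += 1
    # Addresses that sent the odd agent but sit outside the accused ranges are
    # worth a look: the agent string is client-supplied and proves nothing
    # about the source on its own.
    stray = sorted(ip for ip in bad_ua_ips if matching_range(ip) is None)
    return {
        "bad_ua_hits": bad_ua_hits,
        "bad_ua_bytes": bad_ua_bytes,
        "total_bytes": total_bytes,
        "bad_ua_share": bad_ua_bytes / total_bytes if total_bytes else 0.0,
        "bad_ua_ips": sorted(bad_ua_ips),
        "stray_bad_ua_ips": stray,
        "hits_per_range": dict(hits_per_range),
        "top_ips": hits_per_ip.most_common(5),
        "top_by_bytes": bytes_per_ip.most_common(5),
    }


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    print(f"odd agent: {r['bad_ua_hits']} hits, {r['bad_ua_share']:.1%} of bytes")
    for net, n in r["hits_per_range"].items():
        print(f"{net}: {n} hits")
    for ip, n in r["top_by_bytes"]:
        print(f"{ip:16} {n} bytes  range={matching_range(ip)}")
```

To run it against a real log, read the file into `summarize()` instead of `SAMPLE_LOG`; the byte share it reports is the same figure Webalizer gives as the agent's share of traffic, and `stray_bad_ua_ips` tells you whether the odd agent is really confined to the two ranges.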

So what do I see in my Webalizer results that tells me these ranges are to blame?

Well, see for yourself. This is Webalizer's top sites table for the day, ranked by hits; each of hits, files, KBytes and visits is followed by its share of the day's total, and the last column is the hostname:
# Hits % Files % KBytes % Visits % Hostname
1 1192 2.52% 795 1.90% 290362 6.48% 4 0.30% 66.150.117.221
2 852 1.80% 633 1.51% 345451 7.72% 4 0.30% 66.150.117.145
3 == Removed == (Google Bot)
4 474 1.00% 356 0.85% 151741 3.39% 4 0.30% 66.150.117.182
5 383 0.81% 344 0.82% 99658 2.23% 5 0.38% 72.14.164.191
6 380 0.80% 345 0.82% 43492 0.97% 4 0.30% 72.14.164.198
7 376 0.80% 347 0.83% 59854 1.34% 4 0.30% 72.14.164.175
8 375 0.79% 341 0.81% 97421 2.18% 5 0.38% 72.14.164.177
9 372 0.79% 342 0.82% 25903 0.58% 5 0.38% 72.14.164.138
10 369 0.78% 333 0.79% 29442 0.66% 5 0.38% 72.14.164.200
11 367 0.78% 325 0.77% 53322 1.19% 4 0.30% 72.14.164.156
12 367 0.78% 338 0.81% 42973 0.96% 5 0.38% 72.14.164.176
13 366 0.77% 326 0.78% 71685 1.60% 5 0.38% 72.14.164.158
14 365 0.77% 314 0.75% 29691 0.66% 3 0.23% 72.14.164.185
15 364 0.77% 327 0.78% 86170 1.92% 3 0.23% 72.14.164.143
16 363 0.77% 320 0.76% 53992 1.21% 4 0.30% 72.14.164.155
17 362 0.77% 330 0.79% 47636 1.06% 4 0.30% 72.14.164.170
18 360 0.76% 318 0.76% 52198 1.17% 5 0.38% 72.14.164.139
19 359 0.76% 316 0.75% 88977 1.99% 4 0.30% 72.14.164.134
20 358 0.76% 316 0.75% 63646 1.42% 5 0.38% 72.14.164.129
21 356 0.75% 325 0.77% 38692 0.86% 5 0.38% 72.14.164.149
22 355 0.75% 324 0.77% 26799 0.60% 4 0.30% 72.14.164.197
23 353 0.75% 323 0.77% 31524 0.70% 6 0.46% 72.14.164.133
24 353 0.75% 310 0.74% 69293 1.55% 5 0.38% 72.14.164.135
25 353 0.75% 318 0.76% 55614 1.24% 5 0.38% 72.14.164.171
26 352 0.74% 308 0.73% 61766 1.38% 5 0.38% 72.14.164.154
27 351 0.74% 312 0.74% 64233 1.43% 4 0.30% 72.14.164.137
28 350 0.74% 322 0.77% 15627 0.35% 5 0.38% 72.14.164.162
29 349 0.74% 317 0.76% 27012 0.60% 5 0.38% 72.14.164.187
30 348 0.74% 304 0.72% 16846 0.38% 4 0.30% 72.14.164.164
31 348 0.74% 309 0.74% 69656 1.56% 4 0.30% 72.14.164.186
32 347 0.73% 315 0.75% 58220 1.30% 5 0.38% 72.14.164.172
33 346 0.73% 308 0.73% 42644 0.95% 6 0.46% 72.14.164.128
34 346 0.73% 312 0.74% 30596 0.68% 4 0.30% 72.14.164.167
35 346 0.73% 319 0.76% 42910 0.96% 5 0.38% 72.14.164.196
36 345 0.73% 312 0.74% 55911 1.25% 3 0.23% 72.14.164.131
37 344 0.73% 309 0.74% 42847 0.96% 4 0.30% 72.14.164.145
38 344 0.73% 301 0.72% 17720 0.40% 4 0.30% 72.14.164.148
39 344 0.73% 311 0.74% 10030 0.22% 5 0.38% 72.14.164.163
40 342 0.72% 305 0.73% 35125 0.78% 4 0.30% 72.14.164.146
41 342 0.72% 307 0.73% 35366 0.79% 4 0.30% 72.14.164.151
42 341 0.72% 310 0.74% 23267 0.52% 5 0.38% 72.14.164.180
43 341 0.72% 306 0.73% 69960 1.56% 5 0.38% 72.14.164.194
44 340 0.72% 308 0.73% 51910 1.16% 5 0.38% 72.14.164.150
45 340 0.72% 312 0.74% 13854 0.31% 5 0.38% 72.14.164.153
46 340 0.72% 301 0.72% 56876 1.27% 4 0.30% 72.14.164.159
47 339 0.72% 302 0.72% 48882 1.09% 5 0.38% 72.14.164.136
48 338 0.72% 300 0.72% 36987 0.83% 4 0.30% 72.14.164.160
49 338 0.72% 299 0.71% 34404 0.77% 6 0.46% 72.14.164.161
50 337 0.71% 302 0.72% 80350 1.79% 4 0.30% 72.14.164.132
51 337 0.71% 296 0.71% 55019 1.23% 5 0.38% 72.14.164.157
52 337 0.71% 300 0.72% 14380 0.32% 4 0.30% 72.14.164.181
53 337 0.71% 309 0.74% 49606 1.11% 3 0.23% 72.14.164.184
54 336 0.71% 295 0.70% 32908 0.73% 4 0.30% 72.14.164.182
55 336 0.71% 302 0.72% 75503 1.69% 4 0.30% 72.14.164.188
56 335 0.71% 299 0.71% 50384 1.13% 4 0.30% 72.14.164.169
57 334 0.71% 291 0.69% 43156 0.96% 4 0.30% 72.14.164.144
58 334 0.71% 303 0.72% 66271 1.48% 4 0.30% 72.14.164.165
59 332 0.70% 294 0.70% 78337 1.75% 5 0.38% 72.14.164.174
60 331 0.70% 299 0.71% 65226 1.46% 6 0.46% 72.14.164.195
61 330 0.70% 293 0.70% 85170 1.90% 3 0.23% 72.14.164.189
62 328 0.69% 295 0.70% 79350 1.77% 6 0.46% 72.14.164.140
63 328 0.69% 293 0.70% 34049 0.76% 4 0.30% 72.14.164.152
64 328 0.69% 297 0.71% 54872 1.23% 4 0.30% 72.14.164.166
65 328 0.69% 298 0.71% 48402 1.08% 5 0.38% 72.14.164.193
66 327 0.69% 295 0.70% 69283 1.55% 5 0.38% 72.14.164.192
67 326 0.69% 292 0.70% 59994 1.34% 4 0.30% 72.14.164.168
68 324 0.69% 287 0.68% 15301 0.34% 4 0.30% 72.14.164.130
69 323 0.68% 291 0.69% 29792 0.67% 4 0.30% 72.14.164.142
70 323 0.68% 291 0.69% 13200 0.29% 4 0.30% 72.14.164.178
71 322 0.68% 294 0.70% 98496 2.20% 4 0.30% 72.14.164.179
72 322 0.68% 278 0.66% 40521 0.90% 5 0.38% 72.14.164.199
73 320 0.68% 284 0.68% 23549 0.53% 4 0.30% 72.14.164.183
74 313 0.66% 280 0.67% 76374 1.71% 4 0.30% 72.14.164.141
75 312 0.66% 275 0.66% 61035 1.36% 4 0.30% 72.14.164.190
76 311 0.66% 267 0.64% 15592 0.35% 4 0.30% 72.14.164.147
77 309 0.65% 280 0.67% 68528 1.53% 5 0.38% 72.14.164.173

That's basically it: a repeated and obvious pattern from the same set of IP ranges. Look at the shape of the 72.14.164.x rows too: dozens of hosts, each with nearly the same hit count (roughly 310 to 380) and only 3 to 6 visits apiece, which is what a pool of machines sharing one job looks like, not dozens of independent visitors.

Webalizer File
Part of log File
