[Dshield] One of our virtual servers is getting hit by a DDoS attacking one domain searching for the robots.txt file

David McCall david at atgi.net
Wed Jan 5 18:07:36 GMT 2005


I've removed all the virtual domains but one from the box and installed the robots.txt redirect and they are still attacking....
I've built up ipchains so that every 15 min. it adds new IP addresses to the table and we're at

ipchains -L -n | wc -l
   2509

Anyone else got any ideas?????


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of Maxime Ducharme
Sent: Tuesday, January 04, 2005 7:42 AM
To: General DShield Discussion List
Subject: Re: [Dshield] One of our virtual servers is getting hit by
a DDoS attacking one domain searching for the robots.txt file



Usually robots.txt is used by search engines.

The IPs here all look like dyn IPs, which means they
are home users.

I have never seen this kind of activity on our servers.

Timestamps indicate you get a lot of requests at the same
time, which is abnormal.

These IPs are unlikely to be spoofed since HTTP uses TCP,
which is a lot harder to spoof (depending on whether you have an old OS).
See http://www.hackinthebox.org/article.php?sid=6394

I suggest extracting the list of attacking IPs and blocking them
on your firewall temporarily.

# grep robots.txt access.log |awk '{print $2}' |sort |uniq >tmp_ips.log
# while read ip
# do
#   <add drop rule to your packet filter>
# done<tmp_ips.log

Keep an eye on this and unblock them if you see less activity.

Hope that helps, good luck !

Maxime Ducharme
Programmer / Network Security Specialist
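
One way to carry out the extract-and-block suggestion above with a hit threshold and input validation, as an added example that is not part of the original posts. It assumes the log layout implied by the thread's `awk '{print $2}'` (client address in field 2, request path in field 8) and the ipchains filter mentioned in the thread; the sample log lines, function names and threshold are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed log layout, matching the
# thread's awk '{print $2}': $1 = vhost, $2 = client address, $8 = request path.

# Constructed sample lines using documentation addresses, not real traffic.
sample_log() {
cat <<'EOF'
www.example.com 192.0.2.10 - - [05/Jan/2005:10:04:15 -0800] "GET /robots.txt HTTP/1.1" 200 39 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.example.com 192.0.2.10 - - [05/Jan/2005:10:04:15 -0800] "GET /robots.txt HTTP/1.1" 302 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.example.com 192.0.2.10 - - [05/Jan/2005:10:04:16 -0800] "GET /robots.txt HTTP/1.1" 200 39 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.example.com 198.51.100.7 - - [05/Jan/2005:10:04:15 -0800] "GET /robots.txt HTTP/1.0" 302 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.example.com 198.51.100.7 - - [05/Jan/2005:10:04:16 -0800] "GET /robots.txt HTTP/1.0" 200 39 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.example.com 203.0.113.5 - - [05/Jan/2005:10:04:15 -0800] "GET /entry.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.example.com 203.0.113.5 - - [05/Jan/2005:10:04:16 -0800] "GET /robots.txt HTTP/1.1" 200 39 "-" "ExampleSearchBot/1.0"
www.example.com dsl-host.example.net - - [05/Jan/2005:10:04:15 -0800] "GET /robots.txt HTTP/1.1" 200 39 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.example.com dsl-host.example.net - - [05/Jan/2005:10:04:16 -0800] "GET /robots.txt HTTP/1.1" 200 39 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
EOF
}

# Print client addresses with at least $1 requests for exactly /robots.txt.
# Only dotted-quad IPv4 literals with octets <= 255 pass, so a hostname or a
# malformed field in the log can never end up inside a firewall command.
offenders() {
    awk -v min="$1" '
        $8 == "/robots.txt" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($2, o, "."); ok = 1
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (ok) hits[$2]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | LC_ALL=C sort
}

# Drop addresses already listed in file $1 (already blocked, or never-block).
# Loading the list in BEGIN keeps this correct when the file is empty.
exclude_listed() {
    awk -v f="$1" '
        BEGIN { while ((getline line < f) > 0) seen[line] = 1 }
        !($1 in seen)
    '
}

# Dry run: print one ipchains DENY rule per address for review, not execution.
emit_rules() {
    while read -r ip; do
        printf 'ipchains -A input -s %s -j DENY\n' "$ip"
    done
}

# Demo: threshold of 2 hits, nothing excluded yet.
sample_log | offenders 2 | exclude_listed /dev/null | emit_rules
```

A single fetch of /robots.txt, as a search-engine crawler would make, stays below the threshold, and passing the list of addresses already in the table to `exclude_listed` keeps a periodic run from adding duplicate rules.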

----- Original Message -----
From: "David McCall" <david at atgi.net>
To: <list at lists.dshield.org>
Sent: Monday, January 03, 2005 11:32 AM
Subject: [Dshield] One of our virtual servers is getting hit by a
DDoS attacking one domain searching for the robots.txt file


> I've pointed the DNS to 127.0.0.1 which hasn't made much of a dent if at
> all.  I'm thinking that the IPs attacking are spoofed
> but I don't know how to troubleshoot it:
>
> Anyone with any ideas on how to stop this would be appreciated.
>
> thanks ahead of time:
>
> D.C.McCall
> UNIX Administrator
> ===================
> AdvancedTelcomInc
> admin at atgi.net
>
