Re: Question about HTTP DDOS attacks.

From: Hugo van der Kooij (hvdkooij@vanderkooij.org)
Date: 03/18/02 

Date: Mon, 18 Mar 2002 07:42:47 +0100 (CET)
From: Hugo van der Kooij <hvdkooij@vanderkooij.org>
To: Incidents Mailing List <incidents@securityfocus.com>

On Fri, 15 Mar 2002 eax@3xT.org wrote:

> For the last couple days, one of our client's virtual-hosts on one of our webservers has been DDOSed with
> tons of HTTP requests composed of:
>
> GET / HTTP/1.1
> Host: example.com

These are in fact valid request if I setup a link like: <a
href="http://example.com/"> or even <a href="http://example.com">

Do you have any referrer information to disclose as well? An apache server
with full referer logging would tell you this and it could lead you to the
source.

It may be a DDOS attack but it could as well be just a link that got typed
wrong on a popular site. (Say with a link to warez software or over
exposed pictures. ;-)

There is no evidence this is a real attack with the information you
provided yet.

Hugo. 

-- 
All email send to me is bound to the rules described on my homepage.
    hvdkooij@vanderkooij.org		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com