# Unusual packets hitting server



## KwiceroLTD (Mar 28, 2015)

I've been puzzeled with this for a day now, a ton of unusual packets hitting the server, all coming from public proxies (I googled a few ips), and TOR. It's caused my site downtime now. I can speculate who is launching the attack, however I won't state any names.

All carrying this message which I found by logging all POST data - access logs near end of post:

are%3Dyou%26prepared%3Dfor%26z3r0_d32tr0y3r%3Dv1%26imustdestroy%3D1

Which is (without URL encoding):

are=you&prepared=for&z3r0_d32tr0y3r=v1&imustdestroy=1

Which I can translate easily to:

Are you prepared for z3r0_d32tr0y3r v1 imustdestroy 1

And that's sent over POST. The attack isn't making the server become offline, but it's causing the occasional drop.

Suspect Traffic:

5.79.68.161 - - [28/Mar/2015:08:25:00 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+"
5.79.68.161 - - [28/Mar/2015:08:25:03 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
85.214.98.239 - - [28/Mar/2015:08:25:05 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
85.214.98.239 - - [28/Mar/2015:08:25:07 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (PLAYSTATION 3; 3.55)"
85.214.98.239 - - [28/Mar/2015:08:25:09 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
85.214.98.239 - - [28/Mar/2015:08:25:10 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
85.214.98.239 - - [28/Mar/2015:08:25:12 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
85.214.98.239 - - [28/Mar/2015:08:25:14 -0400] "POST / HTTP/1.1" 200 14658 "-" "Opera/12.02 (Android 4.1; Linux; Opera Mobi/ADR-1111101157; U; en-US) Presto/2.9.201 Version/12.02"

91.213.8.236 - - [28/Mar/2015:08:24:34 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
188.226.139.158 - - [28/Mar/2015:08:24:34 -0400] "GET / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/98 Safari/537.4 (StatusCake)"
194.150.168.79 - - [28/Mar/2015:08:24:37 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
194.150.168.79 - - [28/Mar/2015:08:24:40 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
194.150.168.79 - - [28/Mar/2015:08:24:44 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
176.126.252.12 - - [28/Mar/2015:08:24:46 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+"
176.126.252.12 - - [28/Mar/2015:08:24:48 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
176.126.252.12 - - [28/Mar/2015:08:24:50 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
176.126.252.12 - - [28/Mar/2015:08:24:52 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (PLAYSTATION 3; 3.55)"
176.126.252.12 - - [28/Mar/2015:08:24:54 -0400] "POST / HTTP/1.1" 200 14658 "-" "Mozilla/5.0 (PLAYSTATION 3; 1.00)"

One IP lookup:

IP: 176.126.252.12 Decimal: 2961112076 Hostname: aurora.enn.lu ISP: Alistar Security Srl Organization: Alistar Security Srl Services: Confirmed proxy server

Any idea what's going on and how to drop the requests without dropping actual users? Never seen this before.


----------



## tonyg (Mar 28, 2015)

I would run a script to tail the web server logs and check and make sure the IP hitting the server first made a request to a regular page of the site.

If the request went straight to a POST, then ban the IP.


----------



## joepie91 (Mar 28, 2015)

What makes you believe this is an attack?


----------



## KwiceroLTD (Mar 28, 2015)

joepie91 said:


> What makes you believe this is an attack?


Post data is garbage, large large amounts of requests, all originate from TOR and open proxies.


----------



## KwiceroLTD (Mar 28, 2015)

And, more logs: http://pastebin.com/Yjy7t1Fi


----------

