# Someone's bad DNS is pointing to my IP and overloading my apache server



## amygrant (Dec 11, 2012)

Found my webserver getting hammered with bogus requests due to what seems like bad DNS pointing to my IP address. Pretty much seems like a DOS attack. Not sure if this is being done intentionally or by mistake. 

Obvious solution is to change IP, but if it is being done maliciously, the attacker will just change the DNS record to point to my new IP. Trying to figure out a better solution.

I wrote a Perl script that scans my Apache log for these bad requests and then adds them into a custom IPFILTER ruleset to block the IPs, and I put this script on a 5-minute cron, but it is a pretty kludgy fix.

Any elegant solutions for something like this?


----------
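The log-scanning approach described in the post above, as an added example in Python (it is not amygrant's Perl script). The log format, the served host names, the threshold and the sample lines are assumptions constructed for illustration; the output is IPFilter `block in quick` rules for clients that repeatedly ask for host names this server does not serve.

```python
import ipaddress
import re
from collections import Counter

# Assumed LogFormat (not from the thread): "%h %{Host}i \"%r\" %>s"
LINE_RE = re.compile(r'^(\S+) (\S+) "[^"]*" \d{3}$')
SERVED_HOSTS = {"example.org", "www.example.org"}  # hypothetical vhost names

def misdirected_clients(lines, served=SERVED_HOSTS):
    """Count requests per client IP whose Host header is not a name we serve."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it
        client, host = m.groups()
        host = host.lower().split(":")[0]  # drop an optional :port
        if host in served:
            continue
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # %h was a hostname or junk; never put it in a rule
        if addr.version == 4:  # IPv4 only here
            hits[str(addr)] += 1
    return hits

def ipf_rules(hits, threshold=3, never_block=frozenset()):
    """Turn clients at or above the threshold into IPFilter block rules."""
    return [f"block in quick from {ip}/32 to any"
            for ip, n in sorted(hits.items())
            if n >= threshold and ip not in never_block]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
198.51.100.7 ads.example.net "GET /img/banner1.gif HTTP/1.1" 301
198.51.100.7 ads.example.net "GET /img/banner2.gif HTTP/1.1" 301
198.51.100.7 cdn.example.net:80 "GET /img/banner3.gif HTTP/1.1" 301
203.0.113.9 www.example.org "GET /index.html HTTP/1.1" 200
203.0.113.9 ads.example.net "GET /img/banner1.gif HTTP/1.1" 301
192.0.2.44 ads.example.net "GET /img/a.gif HTTP/1.1" 301
192.0.2.44 ads.example.net "GET /img/b.gif HTTP/1.1" 301
192.0.2.44 ads.example.net "GET /img/c.gif HTTP/1.1" 301
proxy.example.com ads.example.net "GET /img/a.gif HTTP/1.1" 301
""".splitlines()

if __name__ == "__main__":
    for rule in ipf_rules(misdirected_clients(SAMPLE_LOG), never_block={"192.0.2.44"}):
        print(rule)
```

The `never_block` set keeps known-good addresses (monitoring hosts, your own proxies) out of the ruleset even when they cross the threshold.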



## Morte (Dec 11, 2012)

A "solution" depends on what you think is acceptable for server load. Since you're not sure if it's malicious or not, I'd still give the IP address change a shot if that's an option. Then at least you'll know if it's just an oddball mistake or not.

If you're trying to block traffic before Apache sees it, then something like your current fix is probably going to be the answer (although I'd guess there's software that can do the same thing, I have no idea what it is).

You can lower the burden on your webserver itself though. Ensure Apache only serves web sites (via vhosts) for specific domain names. All other requests (particularly by IP) are served something like an error 401. Make sure this is served by the built-in error message, not a fancy customized page. Turn off logging for these requests to reduce disk load. If you have a lot of stuff in the HTTP header returned, consider paring this to the bare minimum to reduce outgoing traffic.


----------



## amygrant (Dec 11, 2012)

Morte said:

> You can lower the burden on your webserver itself though. Ensure Apache only serves web sites (via vhosts) for specific domain names. All other requests (particularly by IP) are served something like an error 401. Make sure this is served by the built-in error message, not a fancy customized page. Turn off logging for these requests to reduce disk load. If you have a lot of stuff in the HTTP header returned, consider paring this to the bare minimum to reduce outgoing traffic.



Thanks for the input. All of the HTTP requests are for images from numerous advertising networks. Instead of doing a 401 I am currently doing a 301 and sending them to a very offensive pornographic image. I figured that would get someone's attention real quick.

Unfortunately, I cannot turn off disk logging because my script uses the log to determine which IPs to put into IPFilter. The disk I/O is getting hammered though, so I'm going to stick the Apache logs into a tmpfs for fast I/O.

I don't really see much of an alternative.


----------



## Morte (Dec 11, 2012)

amygrant said:

> Thanks for the input. All of the HTTP requests are for images from numerous advertising networks. Instead of doing a 401 I am currently doing a 301 and sending them to a very offensive pornographic image. I figured that would get someone's attention real quick.



Yeah, you'll have to choose either blocking them on the network level or returning errors, but can't do both. (Alternative idea: use mod_rewrite to point to a script that does less intensive logging.) This does sound like someone misconfigured something, so redirecting to a porn image is actually a pretty good idea. Usually there are policies involved with what's appropriate, so that kind of content will cause problems if they don't fix it.


----------

