Nginx-ru mailing list archive (nginx-ru@sysoev.ru)
Re: damn, an attack =(
- To: nginx-ru@xxxxxxxxx
- Subject: Re: damn, an attack =(
- From: Илья Шипицин <chipitsine@xxxxxxxxx>
- Date: Thu, 9 Dec 2010 08:33:01 +0500
- In-reply-to: <AANLkTi=XpA8+VA-3x+_JMq2xQ4e5eMw_8inbc6vz8xbz@xxxxxxxxxxxxxx>
- References: <AANLkTi=XpA8+VA-3x+_JMq2xQ4e5eMw_8inbc6vz8xbz@xxxxxxxxxxxxxx>
if ($http_user_agent = "IE 7.0") {
    # throttle the response to 4 KB/s, then answer 502
    set $limit_rate 4k;
    return 502;
}
The main thing for you is to open the TCP sessions and keep them open for a long, long time. You can
try putting them into a shaper on the firewall.
2010/12/9 -=HaRius=- <rh@xxxxxxxxxx>
>
> You'll probably kick me for being off-topic for this list, but have mercy!!!
> We've been down since 12 o'clock =(
> I've run out of ideas about what to do
> I've already twisted sysctl in every direction
> the server started crawling along a little, but as soon as
> I start nginx, this immediately starts pouring into the console:
> Dec 8 23:56:08 mail kernel: interrupt storm detected on "irq257:";
> throttling interrupt source
> Dec 8 23:56:08 mail kernel: Limiting open port RST response from 169 to 50
> packets/sec
> Dec 8 23:56:09 mail kernel: interrupt storm detected on "irq257:";
> throttling interrupt source
> Dec 8 23:56:09 mail kernel: Limiting open port RST response from 230 to 50
> packets/sec
> the logs are full of:
> 80.138.138.94 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 190.6.98.66 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE 7.0"
> 86.145.74.140 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 94.166.77.69 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 91.180.86.39 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 85.53.186.1 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE 7.0"
> 212.183.51.17 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 41.236.145.161 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 86.145.74.140 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 86.145.74.140 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 174.94.89.6 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE 7.0"
> 79.163.193.213 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 217.127.141.138 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 41.174.55.82 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 41.137.57.40 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 188.216.9.195 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 174.94.42.254 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 85.53.186.1 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE 7.0"
> 90.185.113.115 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 190.9.13.80 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE 7.0"
> 87.93.70.183 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 41.234.38.71 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.0" 0 0 "-" "IE
> 7.0"
> 83.49.187.205 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 77.255.195.130 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 187.32.225.121 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.0" 0 0 "-" "IE
> 7.0"
> 91.3.209.102 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 151.50.222.208 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 83.45.131.156 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 89.152.45.217 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 77.27.197.189 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> 190.132.119.21 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE
> 7.0"
> What has been done:
> 1. fail2ban is set to look for the agent "IE 7.0" - it blocks, but it doesn't save us
> 2. temporarily location = / { return 200; } - doesn't save us
> 3. if ($http_user_agent = "IE 7.0" ) { return 412;}
> if ($http_referer = "") { return 412;} - doesn't save us either
> 4. sysctl - tuned up
> sysctl -n kern.ipc.numopensockets
> 90228
> # netstat -Lan
> Current listen queue sizes (qlen/incqlen/maxqlen)
> Proto Listen Local Address
> tcp4 0/0/128 *.4949
> tcp4 0/0/4096 88.212.196.18.443
> tcp4 0/0/4096 88.212.196.18.80
> tcp4 0/0/128 *.22
> tcp4 0/0/500 *.25
> tcp4 0/0/5 88.212.196.18.5666
> tcp4 0/0/20 127.0.0.1.53
> tcp4 0/0/511 127.0.0.1.80
> Some tcp sockets may have been created or deleted.
> unix 0/0/1 /var/run/fail2ban/fail2ban.sock
> unix 0/0/4 /var/run/devd.pipe
> # netstat -m
> 1377/36183/37560 mbufs in use (current/cache/total)
> 754/33038/33792/33792 mbuf clusters in use (current/cache/total/max)
> 36/1628 mbuf+clusters out of packet secondary zone in use (current/cache)
> 0/0/0/16896 4k (page size) jumbo clusters in use (current/cache/total/max)
> 0/0/0/8448 9k jumbo clusters in use (current/cache/total/max)
> 0/0/0/4224 16k jumbo clusters in use (current/cache/total/max)
> 1852K/75121K/76974K bytes allocated to network (current/cache/total)
> 0/17954981/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
> 0/0/0 requests for jumbo clusters denied (4k/9k/16k)
> 0/0/0 sfbufs in use (current/peak/max)
> 0 requests for sfbufs denied
> 0 requests for sfbufs delayed
> 1377 requests for I/O initiated by sendfile
> 0 calls to protocol drain routines
> How else can I fight this?????
> _______________________________________________
> nginx-ru mailing list
> nginx-ru@xxxxxxxxx
> http://nginx.org/mailman/listinfo/nginx-ru
>
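The traffic pattern in the quoted log (one User-Agent, empty referer, `GET /`, many source addresses) can be measured before choosing between per-address bans and a match on the shared signature. This is an added example, not code from the thread; the sample lines use constructed documentation addresses, and `flood_profile` and `signature` are hypothetical helper names.

```python
import re
from collections import Counter

# Access-log layout seen in the quoted message:
# ip - - [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{1,3} (?:\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def signature(rec):
    # Ignore the protocol version: the flood mixes HTTP/1.0 and HTTP/1.1.
    return (" ".join(rec["request"].split()[:2]), rec["referer"], rec["agent"])

def flood_profile(lines, min_share=0.5):
    """Return stats for the dominant request signature, or None if no
    signature accounts for at least min_share of the parsed requests."""
    matches = map(LINE_RE.match, map(str.strip, lines))
    records = [m.groupdict() for m in matches if m]  # malformed lines are skipped
    if not records:
        return None
    sig, hits = Counter(map(signature, records)).most_common(1)[0]
    if hits / len(records) < min_share:
        return None
    per_ip = Counter(r["ip"] for r in records if signature(r) == sig)
    return {
        "signature": sig,
        "hits": hits,
        "parsed": len(records),
        "sources": len(per_ip),                   # distinct client addresses
        "max_hits_per_ip": max(per_ip.values()),  # how often one address repeats
        "ips": sorted(per_ip),                    # candidates for a firewall table
    }

# Constructed sample (documentation address ranges), not lines from the thread.
SAMPLE = [
    '192.0.2.10 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE 7.0"',
    '198.51.100.7 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE 7.0"',
    '203.0.113.5 - - [08/Dec/2010:23:32:16 +0300] "GET / HTTP/1.1" 0 0 "-" "IE 7.0"',
    '192.0.2.10 - - [08/Dec/2010:23:32:17 +0300] "GET / HTTP/1.1" 0 0 "-" "IE 7.0"',
    '198.51.100.23 - - [08/Dec/2010:23:32:17 +0300] "GET / HTTP/1.0" 0 0 "-" "IE 7.0"',
    '203.0.113.77 - - [08/Dec/2010:23:32:17 +0300] "GET /index.html HTTP/1.1" '
    '200 5120 "http://example.com/" "Mozilla/5.0 (X11; FreeBSD amd64)"',
    'not an access-log line',
]

if __name__ == "__main__":
    print(flood_profile(SAMPLE))
```

A high `sources` count together with a low `max_hits_per_ip` means each address sends only a few requests, so per-address thresholds trigger late while the shared signature matches every request.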