DOS attack on my HS web server?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    DOS attack on my HS web server?

    Recently, I came home to find a negative WAF.
    The home automation PC and TV Guide server was kaput. Running at a snail's pace. The PC screen showed "Virtual Memory Low" popup.

    I stopped HS and looked at the ah.log file. It was 535 megabytes!! I renamed ah.log and restarted HS. Things are normal.

    I did a more command on the errant ah.log file. What I saw was that after a few days, the following message repeated over and over causing the 500MB file:

    8/7/2005 3:09:15 AM~!~Info~!~ Got data but was not PUT or GET
    8/7/2005 3:09:15 AM~!~Info~!~ Got data but was not PUT or GET
    8/7/2005 3:09:15 AM~!~Info~!~ Got data but was not PUT or GET
    This went on until 3:09:24 AM and caused several hundred such errors in the log. About 150 or 200 per second.

    Then it stopped and the log looks normal - until 8/9/05 at 11AM. The error started again and repeated hundreds of times per second for a long time. I can't tell in detail as I have no text editor which will view the 500MB file. The tail command utility shows that a day or two later it was still happening, and the very end of this big log was a dozen lines of normal log events.

    Of course, this happened while I was away on a business trip. My wife says each time I go, it assures that the automation PC will crap out and it rarely craps out when I am home.

    Did someone do a DOS attack on port 80 several times? If so, how did they blast so many HTTP transactions per second?

    Why would I have a virtual memory full error due to this big file? Or is it some memory leak due to the weird conditions?

    Should HS's web server detect DOSes and react?

    Any clues?

    It hasn't happened since.
    Yet.

    #2
    I see the same message now and again, but nowhere near the frequency you speak of. Some kind of bot poking your webserver is my guess. This issue has been posted numerous times before and everyone has said "don't worry bout it". The frequency of attack brings up possible real issues in the handling of large log files. I think HS2 has a user-defined configuration of how big the log file is allowed to get. Possibly to address this large log issue.

    Not sure if that setting is just how much can be held in the window, or how much can actually be in the file. I use UltraLog so I don't care that the homeseer log is only allowed to get X big as Ultralog copies each log entry into an access database.

      #3
      Another possibility was that someone threw a dictionary at you or tried a brute force password cracker.

      Those silly people, we don't run IIS.

      When I went to HS 2.0, I went off of port 80.


      ~Bill

        #4
        The logging utility should probably be modified to list the offending IP address. With my apache log files, the IP address is the first thing listed. It probably would be good to have some type of utility to check the size of the log files on a periodic basis and make a notification when the size exceeds a set value. The size check would also give an early warning of developing issues.

          #5
          The first and easiest way to avoid this is to move off of port 80. I'm really surprised your ISP allows access to port 80. Ours shut that down on all of us customers just in case we were running that web server from home "illegally". 99% of this type of exploit is at port 80. Secondly, just turn off the web server logging and it will not fill up that log. If you really want to monitor the web activity I would recommend one of the rolling log plugins like Ultra Log or others.

            #6
            I think they said now the average unprotected PC on the Internet gets attacked in under 40s, a bit depressing, huh? I moved my Homeseer to a really high port and it's never been hit (as most port scanners on average only look at the most common ports). A bit off topic, but my pbx had been sitting in my dmz for a few weeks running iptables to lock down ports, however I noticed that I was having strange network problems after a couple of weeks. Well, the automated port scanners figured out I had SSH open, so they would then initiate a dictionary attack and kill my network connection (mind you I have 8mb/768k, so that's how intense it was.) My friend wrote a neat perl script for Linux that autoblocks the IP after a couple of attempts, and no more problems. I have at least one attack a day against me at this point, from all over the world. Many of them, if I trace it back, are from already hacked machines (typical web hosts.)

            -Mike

              #7
              My employer, like many big paranoid corporations, allows outbound connections only on FTP/TELNET/HTTP/HTTPS on the standard ports. So if I don't use port 80, I'm hosed for viewing at work.

              What would help here is for HS's web server to have anti-DOS capabilities (excessive accesses to port 80 from some IP).

              I suppose I could, with some struggle, get my Linksys WRT54G router running Talisman (shareware) to do this.

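Two suggestions from this thread, the periodic log-size check with a notification (#4) and flagging excessive accesses (#7), as an added example that is neither HomeSeer code nor something a poster supplied: it parses lines in the `~!~`-delimited ah.log layout shown in the first post, reports any second in which the "Got data but was not PUT or GET" message exceeds a threshold, and checks a log size against a limit. The field layout, the 100-per-second threshold and the 50 MB limit are assumptions; the sample lines are constructed.

```python
"""Burst and size checks for a HomeSeer-style ah.log (added example, not HomeSeer code)."""
import re
from collections import Counter
from datetime import datetime

# Assumed layout, taken from the lines quoted in the thread:
# "<m/d/yyyy h:mm:ss AM>~!~<level>~!~ <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)~!~(?P<level>[^~]+)~!~\s*(?P<msg>.*)$"
)
TARGET_MSG = "Got data but was not PUT or GET"


def parse_line(line):
    """Return (timestamp, level, message) or None if the line is not in ah.log layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
    return ts, m.group("level"), m.group("msg")


def find_bursts(lines, message=TARGET_MSG, per_second=100):
    """Sorted (second, count) pairs where `message` was logged more than `per_second` times."""
    per_sec = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == message:
            per_sec[parsed[0]] += 1
    return sorted((ts, n) for ts, n in per_sec.items() if n > per_second)


def log_too_big(size_bytes, limit_mb=50):
    """True once the log passes the limit; the thread's 535 MB file would trip this."""
    return size_bytes > limit_mb * 1024 * 1024


# Constructed sample: normal traffic around a one-second burst of 150 identical messages.
SAMPLE_LOG = [
    "8/7/2005 3:09:14 AM~!~Info~!~ Web Server: Got request GET /",
    "8/7/2005 3:09:14 AM~!~Info~!~ Got data but was not PUT or GET",
] + ["8/7/2005 3:09:15 AM~!~Info~!~ Got data but was not PUT or GET"] * 150 + [
    "8/7/2005 3:09:16 AM~!~Info~!~ Device: Kitchen Light On",
]

if __name__ == "__main__":
    for second, count in find_bursts(SAMPLE_LOG):
        print(f"{second:%m/%d/%Y %I:%M:%S %p}: {count} x '{TARGET_MSG}' in one second")
    print("log too big:", log_too_big(535 * 1024 * 1024))
```

Run it against a renamed ah.log by passing `open(path)` to `find_bursts` and `os.path.getsize(path)` to `log_too_big`; a scheduled task that does this is the notification hook #4 asks for.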