Over the past few days I noticed that my server web traffic was going up to about 10 GB/day, and it turned out that almost all of it was in the form of about 1 million requests per day of the following format: What comes after 'memberlist.php' varies somewhat. Different IDs are used every single time. The character in 'first_char=' is systematically changed. Sometimes, it's 'mode=viewprofile' instead of 'first_char=i', etc.
They all got 200 responses and were served different amount of data, usually around 6-7 kB. Now, here is the kicker: every single request is from a different IP address! That suggests to me that some serious IP spoofing is going on. For now, I turned off the forum in apache. I am still getting the same number of requests, but they now all get a 403 response with exactly the same number of bytes.
What could be going on? What could an attacker gain with this kind of request? What can I do?
Who would mount such a sophisticated-looking attack? I don't consider my site as a high-value target. It is WWW-facing, but only limited to a small group, with no sign-up option.
Should I be scared???
Code:
/forum/memberlist.php?first_char=i&sid=8841cfbe0f01acc716974fb481793344They all got 200 responses and were served different amount of data, usually around 6-7 kB. Now, here is the kicker: every single request is from a different IP address! That suggests to me that some serious IP spoofing is going on. For now, I turned off the forum in apache. I am still getting the same number of requests, but they now all get a 403 response with exactly the same number of bytes.
What could be going on? What could an attacker gain with this kind of request? What can I do?
Who would mount such a sophisticated-looking attack? I don't consider my site as a high-value target. It is WWW-facing, but only limited to a small group, with no sign-up option.
Should I be scared???
Statistics: Posted by hasinasi — Tue Mar 04, 2025 11:07 pm
