[Techtalk] Apache, abuse and nonexistent domains.

Malcolm Tredinnick malcolm at commsecure.com.au
Wed Dec 18 12:16:20 EST 2002


On Tue, Dec 17, 2002 at 01:41:45AM -0800, Therese Gustafsson wrote:
> Lately I have a lot of log entries in my Apache access_log like this:
> 208.3.113.49 - - [17/Dec/2002:04:34:42 +0100] "CONNECT
> 203.190.194.95:25 HTTP/1.1" 400 379 "-" "-"
> They come from a couple of different ip-numbers and they're trying to
> connect to a lot of servers with different ip-numbers, all on port
> 25. What is this? Should I get worried?

Looks like a scan to see if you are running a poorly configured proxy on
that port so that the sleazebags running the command can use your proxy
to connect to somewhere else. Port 25 on the machine they are trying to
connect to is usually used by the SMTP daemon (but, of course, it may be
something else entirely and just running on port 25 to allay
suspicions).

If you are using https to connect to a site through a proxy, your web
browser sends a CONNECT command to the proxy (containing the name of the
site to connect to) and gets back an open socket, down which it can
subsequently send GET, PUT, HEAD, etc. requests.

Many proxies (including Squid's default config) will only allow CONNECT
requests to certain ports (e.g. port 443 -- httpd -- and 563 -- nntps)
to avoid this sort of anonymous piggybacking attempt. They will also
only allow connection attempts from certain IP ranges and so on. This is
all pretty standard operating procedure for setting up a securely
configured proxy. Of course, that doesn't stop people from
misconfiguring things and it doesn't stop script kiddies from trying to
exploit these weaknesses on every IP address they can find.

There's nothing you can really do to stop this if you are running a
publicly accessible web server, since you have to allow connection
attempts before your web browser can work out if they are legitimate
page requests. Yes, they are stealing your resources, but a web server
is always prone to denial of service style attacks, anyway (whether
intentionally malicious or not).

> I tried it myself and used telnet to connect to my webserver on port
> 80 and wrote what they wrote but all I got back was the html for the
> index webpage. Some of the entries have the code "200" instead of
> "400" like the one above. 

HTTP error code 200 means "OK" -- it's what you normally get from a
successful page retrieval. Code 400 is "Bad request" -- your web server
is (correctly) rejecting the connection attempt since it doesn't
understand the CONNECT command (CONNECT is a command for proxies, not
web servers).

> I wanted to report it to the appropriate domain for the ip-numbers, but
> some, like the one above, don't resolve to a hostname. I only get
> "Non-existent domain" as an answer. What should I do then?

Many ISPs will not have reverse DNS lookups for all their dynamic IP
addresses. Usually you can close in on the provider by running a
traceroute and looking at the hostnames that are one or two hops before
the end. In the particular case above, it's going to be pretty fiddly,
since they are using the Qwest provider, which has fairly extensive
coverage in the USA. You may need to contact somebody general at Qwest
to find out who the right person to talk to is.

> And when I report it what should I say?
> Should I just attach the appropriate parts of the server logs?

If you can find the ISP providing the IP address, report it to their
abuse at ... email address (they are required to have one, but that doesn't
stop many from not having an abuse address, which means you may have to
explore further to find an appropriate contact). Include the date and
time(s) it occurred and the originating IP addresses. Include as much
information as you can provide about the attack (appropriate log file
formats would be reasonable).

The bad news: Do not expect an immediate response. Do not be overly
surprised if you receive nothing more than an automated response from
their mail daemon. I have had very mixed experiences with tracking down
script kiddies in the past (even when I'm doing it as part of my job, so
I'm allegedly representing somebody credible) -- some ISPs care, others
don't. The bigger they are, the less they care, in many cases. If the
problem occurs again after you have notified the ISP, send them another
report with the updated information. Continual refusal to do something
about complaints like this becomes negligence after a while and you can
increase the pressure if you really want to.

If you want to be completely correct about things, keep a record of all
the email, correspondence and telephone calls you have with anybody
about this incident. Preferably, electronically sign any mail you send.
At the end of the day, if the complaint is taken seriously, it could
lead to a prosecution.

For a sporadic attack on a home system, I would tend to send off a
report to the ISP if I was concerned and leave it at that. If the
attacks became more serious or persistent, I might repeat the reports. I
would also consider just firewalling off the IP addresses (and maybe a
block of IP addresses around it) that were doing the attacks so that
they are dropped at your firewall layer, rather than at the web server
itself.

Malcolm

-- 
Telepath required. You know where to apply...
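An added example, not part of the thread, that turns Malcolm's diagnosis into a log check: it parses Apache access_log lines, keeps only CONNECT requests to ports other than the two the thread names as legitimate tunnel ports (443 and 563), and groups them by source IP and status so the 200 vs 400 difference and the "couple of different ip-numbers" are visible at a glance. The regex, the port set and the three extra log lines beside the thread's own entry are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, as in the entry quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Ports a browser legitimately tunnels via CONNECT (the thread's 443 and
# 563); CONNECT to anything else on a plain web server is a proxy probe.
TUNNEL_PORTS = {443, 563}

def parse_line(line):
    """Parse one access_log line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def connect_port(target):
    """Port from a CONNECT target 'host:port', or None if there is none."""
    _, sep, port = target.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def find_proxy_probes(lines):
    """Group CONNECT requests to non-tunnel ports: {ip: Counter({(port, status): n})}."""
    probes = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        port = connect_port(rec["target"])
        if port is None or port in TUNNEL_PORTS:
            continue
        probes[rec["ip"]][(port, rec["status"])] += 1
    return dict(probes)

# Constructed sample: the thread's own entry plus three made-up lines.
SAMPLE_LOG = [
    '208.3.113.49 - - [17/Dec/2002:04:34:42 +0100] "CONNECT 203.190.194.95:25 HTTP/1.1" 400 379 "-" "-"',
    '208.3.113.49 - - [17/Dec/2002:04:34:43 +0100] "CONNECT 203.190.194.96:25 HTTP/1.1" 200 1240 "-" "-"',
    '198.51.100.9 - - [17/Dec/2002:04:35:01 +0100] "CONNECT 192.0.2.5:25 HTTP/1.0" 400 379 "-" "-"',
    '192.0.2.20 - - [17/Dec/2002:04:36:10 +0100] "GET /index.html HTTP/1.1" 200 1240 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for ip, hits in find_proxy_probes(SAMPLE_LOG).items():
        for (port, status), n in sorted(hits.items()):
            print(f"{ip}: {n} CONNECT to port {port} (status {status})")
```

The per-IP summary is what you would paste into an abuse report alongside the raw lines; IPs that keep appearing across runs are the candidates for the firewall block Malcolm mentions.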



More information about the Techtalk mailing list