bot net get request attack mitigation?
Posted on 2004-04-30
It seems we have a bot net of roughly 10000 computers sending hundreds of the following requests per second to one of our customer's web servers:
[30/Apr/2004:17:16:56 -0700] "GET
which comes with an accompanying error_log entry as follows:
Fri Apr 30 17:18:59 2004] [error] [client x.x.x.x] (36)File name too
long: access to /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA denied
We have tried writing a script to detect these bots on the fly and add them to the server's iptables, but the server quickly becomes overwhelmed with 1500+ iptables entries. We have also tried adding ACLs at our core switches in order to help mitigate the attack, but unfortunately they have a 500 ACL limit. The IPs of the bots seem to sufficiently change every hour on the hour such that it makes us believe there are nearly an unlimited amount of bots at this person's (or persons') disposal.
Anyone ever seen something like this before and/or have advice as to how to combat it? Could this be an Apache-related problem as well, relative to Apache responding in an inefficient manner to the unusually long URLs?
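The log-driven detection the post describes, as an added example that is not part of the original post: it parses error_log lines of the quoted shape (the leading `[` of the timestamp is assumed to have been lost in the quote), counts offenders per client IP, and collapses them into /24 prefixes ranked by hit count so the resulting block list can fit under a fixed entry cap such as the 500-ACL switch limit mentioned above. The sample log lines and IP addresses are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_network

# error_log line shape quoted in the post (Apache 1.3/2.0 style), with the
# leading "[" of the timestamp assumed to have been lost in the quote.
ERR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d+\.\d+\.\d+\.\d+)\] "
    r"\(36\)File name too long: access to (?P<path>\S+) denied"
)

def parse_errors(lines):
    """Yield (client_ip, path) for every 'File name too long' error line."""
    for line in lines:
        m = ERR_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path")

def aggregate(lines, prefix_len=24):
    """Count offending requests per client IP and per CIDR prefix."""
    per_ip, per_net = Counter(), Counter()
    for ip, _path in parse_errors(lines):
        per_ip[ip] += 1
        # strict=False derives the containing prefix from a host address
        net = ip_network(f"{ip}/{prefix_len}", strict=False)
        per_net[str(net)] += 1
    return per_ip, per_net

def block_list(lines, max_entries, prefix_len=24, min_hits=3):
    """Busiest prefixes first, capped at max_entries to fit a fixed ACL limit."""
    _per_ip, per_net = aggregate(lines, prefix_len)
    ranked = [net for net, hits in per_net.most_common() if hits >= min_hits]
    return ranked[:max_entries]

# Constructed sample error_log lines (documentation IP ranges, not real bots).
LONG = "/" + "A" * 30
SAMPLE_LOG = [
    f"[Fri Apr 30 17:18:59 2004] [error] [client 192.0.2.10] (36)File name too long: access to {LONG} denied",
    f"[Fri Apr 30 17:18:59 2004] [error] [client 192.0.2.11] (36)File name too long: access to {LONG} denied",
    f"[Fri Apr 30 17:19:00 2004] [error] [client 203.0.113.5] (36)File name too long: access to {LONG} denied",
    f"[Fri Apr 30 17:19:00 2004] [error] [client 192.0.2.12] (36)File name too long: access to {LONG} denied",
    "[Fri Apr 30 17:19:01 2004] [notice] caught SIGTERM, shutting down",
    f"[Fri Apr 30 17:19:01 2004] [error] [client 203.0.113.5] (36)File name too long: access to {LONG} denied",
    f"[Fri Apr 30 17:19:02 2004] [error] [client 198.51.100.7] (36)File name too long: access to {LONG} denied",
]

if __name__ == "__main__":
    for net in block_list(SAMPLE_LOG, max_entries=500):
        print(net)   # prints 192.0.2.0/24
```

A prefix block also rejects legitimate clients sharing that /24, so the ranked list is input for an operator's decision (and for comparing hourly snapshots as the source addresses rotate), not an unattended iptables feed.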