Mar 14 2007

Some of you will have noticed that we had a short outage on the FreshPorts webserver yesterday. It would have appeared as if the webserver was not responding. It was being slow. Very slow.

The cause is interesting. When I checked the logs, it was my ad server that was busy. So busy that nobody else could get in. What was interesting was that the requests for ads were not coming from my websites. They were coming from someone else’s website. Here is the first one:

218.80.192.18 - - [13/Mar/2007:10:53:31 -0400] "GET /AdSense/120x600.html HTTP/1.1" 304 - "http://www.googlexia.com/k/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

At this point, there were several thousand such requests, from a few thousand IP addresses. And what is this referrer? I went and had a look. Eh? It was a copy of the home page for The FreeBSD Diary, complete with Google AdSense ads. Looking at the ads carefully, I could see references to Googlexia in them.

The home page of that domain looked like some search page. I regret not taking screenshots. I was busy. Getting ready to head to a PHP conference, and rescuing my server wasn't something I wanted to be doing just then.

I emailed the WHOIS registered contacts for that domain, requesting that they remove my contents. It bounced. Nice.

Next step: block the content at Apache so at least it reduces some of the load. Easy to do:

RewriteEngine on
RewriteCond %{HTTP_REFERER} "http://www.googlexia.com/k/" [NC]
RewriteRule .* - [F]

After that, all their requests would be 403, and they would not be getting a Google AdSense ad from me. Why they would want one, I don’t know. Fraud?

This still didn't solve the server response time. My next thought was MaxClients. I bumped it from 150 (the default) to 350. That immediately solved the performance issue. The requests were coming so fast, there were not enough httpd processes to handle them all.

Next, I started looking at blocking this guy at the firewall. There’s no sense in letting him fill up my log files. Using pf, I created a table and used that to block him. First, I populated the table like this:

$ grep googlexia /usr/websites/log/ads.unixathome.org-access.log | awk '{print $1}' | sort | uniq > googlexia.blocked

The pf rules to use this file are:

$ grep google /etc/pf.rules
table <googlexia> persist file "/home/dan/googlexia.blocked"
block in quick log inet proto tcp from <googlexia> to any port http

The real problem was he kept changing IP addresses. How do I keep up?

My answer: cronjob.

*/1 * * * * root /home/dan/bin/block_googlexia > /dev/null 2>&1

What is in this crontab?

#!/bin/sh
# Collect the client IP (field 1) of every ad-server request that mentions
# googlexia, de-duplicate, and rewrite the pf table file.
grep googlexia /usr/websites/log/ads.unixathome.org-access.log | awk '{print $1}' | \
sort | uniq > /home/dan/googlexia.blocked
# Replace the live <googlexia> table contents with the refreshed file,
# so newly seen addresses are blocked within a minute.
pfctl -t googlexia -T replace -f /home/dan/googlexia.blocked
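As an added example (not the script from this post), here is a slightly more careful version of that cron job: it matches only the Referer host instead of grepping the whole log line, and it lists only clients that exceeded a request threshold, so a visitor who followed a single link from the copied page is not firewalled along with the flood. The log contents, file names and threshold below are constructed assumptions.

```shell
#!/bin/sh
# Usage: referer_abusers LOGFILE REFERER_HOST MIN_HITS
# Prints one client IP per line, sorted, for clients that sent at least
# MIN_HITS requests whose Referer header names REFERER_HOST.
referer_abusers() {
    awk -v host="$2" -v min="$3" '
        # Combined format: ip - - [time] "request" status bytes "referer" "agent"
        # Splitting the line on double quotes puts the Referer value in field 4.
        {
            split($0, q, "\"")
            ref = q[4]
            sub("^[a-zA-Z]+://", "", ref)   # drop the scheme
            sub("[/:?].*$", "", ref)        # keep the host part only
            if (ref == host) hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' "$1" | sort
}

# Write a constructed sample log (documentation addresses, not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [13/Mar/2007:10:53:31 -0400] "GET /AdSense/120x600.html HTTP/1.1" 304 - "http://www.googlexia.com/k/" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [13/Mar/2007:10:53:32 -0400] "GET /AdSense/120x600.html HTTP/1.1" 304 - "http://www.googlexia.com/k/" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [13/Mar/2007:10:53:33 -0400] "GET /AdSense/120x600.html HTTP/1.1" 304 - "http://www.googlexia.com/k/" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.11 - - [13/Mar/2007:10:53:34 -0400] "GET /AdSense/120x600.html HTTP/1.1" 304 - "http://www.googlexia.com/k/" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.5 - - [13/Mar/2007:10:53:35 -0400] "GET /AdSense/120x600.html HTTP/1.1" 200 1234 "http://www.freebsddiary.org/" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2007:10:53:36 -0400] "GET /notes/googlexia.html HTTP/1.1" 404 - "-" "Mozilla/5.0"
EOF
}

# What the cron job would run: refresh the table file and load it into pf.
# Usage: refresh_table LOGFILE REFERER_HOST MIN_HITS TABLEFILE
refresh_table() {
    referer_abusers "$1" "$2" "$3" > "$4"
    pfctl -t googlexia -T replace -f "$4"
}

# Demonstration on the constructed log (no pfctl call here).
sample=$(mktemp)
write_sample_log "$sample"
referer_abusers "$sample" www.googlexia.com 2   # prints 192.0.2.10
rm -f "$sample"
```

Note that the last sample line, which mentions googlexia only in the request path, would have been picked up by the original `grep googlexia` but is ignored here.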

This slowed him down to about 5 to 20 queries a minute. That was enough for me.

All up, he did about 213,150 requests to my ad server. Then, at 07:50:29 this morning, it stopped. Dead. There were about 11 more queries throughout the day, but that's about it.

Earlier today the website was empty. Right now, it shows a MiniCom Advanced Systems login.

That cronjob is still running, but I’ll turn it off soon.

What do you think was happening? I have my theories. I’d like to hear yours first.


4 Responses to "Using AdSense to launch a DoS attack"

  1. Adsense is my main source of income when making money online. nothing beats adsense when it comes to making money online.

  2. joniipro342@yahoo.com: good to know your AdSense is doing well for you.

    Mind you, you’re also a spammer. I removed the link to your arthritis treatment lab. Please go spam somewhere else.

    Thank you. Best wishes.

3. Adsense is the best paying make money online program on the internet. I just wish that I could increase my website traffic to high levels so that I could earn more money on Adsense.

4. Well, Anna Lee, I guess resorting to spamming helps. Your gambling webpage was removed from your post. Better luck in your next life.