为了保护隐私,除了最后一个八位字节外,IP 隐藏在 apache 日志中。/billing 是我们的应用程序起始页。但它发送 POST 请求并得到 500 响应是没有意义的。
或者也许这是合法的旧 IE 7 浏览器无法处理我们的网站,ant 会进入循环?
大约有 20000 个这样的请求
xx.xx.xx.223 - - [30/May/2014:13:40:54 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:54 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:54 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:54 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:55 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:55 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:56 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:56 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:56 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:56 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:58 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:58 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:58 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
xx.xx.xx.223 - - [30/May/2014:13:40:59 +0200] "POST /billing HTTP/1.1" 500 613 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
答案1
这不出现这可能是 slowloris 攻击,至少根据您发布的日志文件来看并非如此(每秒 3 个请求并不多,而且它们会出错,无法保持打开状态)。
不过,也可能是其他原因 - 请查看错误日志以获取更多信息为什么请求失败。
正如其他人指出的那样,我们不能明确地在没有更多信息的情况下排除 slowloris(具体来说,netstat输出显示有多少同时您的系统已从主题 IP 收到
大量连接。同时连接(和/或显示连接超时而不是由于其他原因出错的错误日志)将表明这实际上是一次 slowloris 攻击。
这是一只懒猴:
这与我的回答无关——我只是想找个借口发布一张可爱的树懒照片。
答案2
我发现使用LogFormat包含很有用%D。它将告诉您处理请求花费了多少微秒。它不会告诉您时间是花在服务器端处理上还是等待客户端。但至少它会告诉您哪些请求花费了很长时间,这些通常值得调查。