DOS Attack of 10/10/12

On October 10, 2012, the CPU utilization was pegged pretty high on the site:

Obviously, something was abnormal. A scan of the logs showed what appeared to be a Denial of Service (DOS) Attack. The malicious traffic originated from IP address 180.228.172.138.

The traffic appeared as:

180.228.172.138 - - [10/Oct/2012:11:51:02 -0400] "POST /wp-login.php HTTP/1.1" 503 929 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0"
180.228.172.138 - - [10/Oct/2012:11:51:02 -0400] "POST /wp-login.php HTTP/1.1" 503 929 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0"
180.228.172.138 - - [10/Oct/2012:11:51:02 -0400] "POST /wp-login.php HTTP/1.1" 503 929 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0"
180.228.172.138 - - [10/Oct/2012:11:51:02 -0400] "POST /wp-login.php HTTP/1.1" 503 929 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0"
180.228.172.138 - - [10/Oct/2012:11:51:02 -0400] "POST /wp-login.php HTTP/1.1" 503 929 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0"
180.228.172.138 - - [10/Oct/2012:11:51:02 -0400] "POST /wp-login.php HTTP/1.1" 503 929 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0"
180.228.172.138 - - [10/Oct/2012:11:51:02 -0400] "POST /wp-login.php HTTP/1.1" 503 929 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0"

 

In some cases, this IP was sending 50 POST requests per second in an attempt to bog down the server and deny access to legitimate users.
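A scan like the one described above can be automated. The following is an added example, not code from the original post: it buckets POST requests to /wp-login.php per client IP per second and flags IPs whose peak rate crosses a threshold. The function names, the threshold of 10 requests per second, and the 192.0.2.10 client are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx combined log format, as in the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def login_post_stats(lines, path="/wp-login.php"):
    """Per client IP: POSTs to `path` per one-second bucket, and 5xx count."""
    per_second = defaultdict(Counter)
    server_errors = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip unparseable lines and non-POST requests
        if m["path"].split("?", 1)[0] != path:
            continue  # ignore the query string when comparing paths
        # The timestamp has one-second resolution, so it is the bucket key.
        per_second[m["ip"]][m["ts"]] += 1
        if m["status"].startswith("5"):
            server_errors[m["ip"]] += 1
    return per_second, server_errors

def flag_floods(lines, threshold=10, path="/wp-login.php"):
    """Return (ip, peak_per_second, peak_second, total, 5xx) for noisy IPs."""
    per_second, server_errors = login_post_stats(lines, path)
    flagged = []
    for ip, buckets in per_second.items():
        peak_second, peak = buckets.most_common(1)[0]
        if peak >= threshold:
            flagged.append((ip, peak, peak_second,
                            sum(buckets.values()), server_errors[ip]))
    return sorted(flagged, key=lambda row: row[1], reverse=True)

# Constructed sample: the logged request from the excerpt repeated to model
# the burst, plus a constructed normal client (192.0.2.10) and a junk line.
FLOOD = ('180.228.172.138 - - [10/Oct/2012:11:51:%02d -0400] '
         '"POST /wp-login.php HTTP/1.1" 503 929 "-" "Mozilla/5.0"')
SAMPLE = [FLOOD % 2] * 50 + [FLOOD % 3] * 7 + [
    '192.0.2.10 - - [10/Oct/2012:11:51:02 -0400] '
    '"GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2012:11:51:05 -0400] '
    '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for row in flag_floods(SAMPLE):
        print(row)
```

The 5xx count in each row shows how many of the flagged requests the server was already failing to serve, as with the 503 responses in the excerpt.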
