　contents

海外から大量のアクセス攻撃　⇦今ここ
apacheでアクセス制限
ファイヤーウォールで遮断

この間、ふと自分のサイトを見たらやたら、アクセスできるまで時間がかかった。。。
リロードしてもやっぱり重い

ということでサーバのリソースを見てみると・・・・CPU、disk I/O共にいつもよりかなりリソースの消費が激しかった
cpu
disk-io

トラフィック量とかアクセス数とかconohaのコンソールでわかれば一番いいのですが。
cpuとdisk I/Oをみると、disk I/Oのwriteが高いので、アクセスが大量にあり、logの書き込みに負荷がかかっているのかなと思い、apacheのアクセスログを見てみると。。。

191.96.249.54 - - [24/Aug/2016:09:38:56 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:38:56 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:38:56 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:38:56 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:38:58 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:38:58 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:09 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:11 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:11 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:12 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:12 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:14 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:15 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:18 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:19 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:19 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:20 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:20 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [24/Aug/2016:09:39:21 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

191.96.249.54 - - [24/Aug/2016:09:38:56 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

191.96.249.54 - - [24/Aug/2016:09:38:58 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

191.96.249.54 - - [24/Aug/2016:09:39:09 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

191.96.249.54 - - [24/Aug/2016:09:39:11 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

191.96.249.54 - - [24/Aug/2016:09:39:12 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

191.96.249.54 - - [24/Aug/2016:09:39:14 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

191.96.249.54 - - [24/Aug/2016:09:39:15 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

191.96.249.54 - - [24/Aug/2016:09:39:18 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

191.96.249.54 - - [24/Aug/2016:09:39:19 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

191.96.249.54 - - [24/Aug/2016:09:39:20 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

191.96.249.54 - - [24/Aug/2016:09:39:21 +0900] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

こんなログが大量に出てきました。
攻撃されている感満載ですｗ

どこから攻撃されてるのかwhoisコマンドで調べてみると

# whois 191.96.249.54
[Querying whois.lacnic.net]
[whois.lacnic.net]

% Joint Whois - whois.lacnic.net
%  This server accepts single ASN, IPv4 or IPv6 queries
 
% LACNIC resource: whois.lacnic.net


% Copyright LACNIC lacnic.net
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to AS and IP numbers registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2016-11-01 22:20:18 (BRST -02:00)

inetnum:     191.96.249/24
status:      reallocated
owner:       Dmzhost Limited
ownerid:     SC-DMLI1-LACNIC
responsible: JUPITER 25 LIMITED
address:     Francis Rachel Street, , Suite 1, Second Floor
address:      - Victoria - 
country:     SC
phone:       +248 371 23801010 []
owner-c:     CHP23
tech-c:      CHP23
abuse-c:     CHP23
created:     20151217
changed:     20160423
inetnum-up:  191.96/16

nic-hdl:     CHP23
person:      CRS P
e-mail:      abuse@DMZHOST.CO
address:     Suite 4 Second Floor, , 
address:      - Victoria - 
country:     SC
phone:       +248  37123801010 []
created:     20160423
changed:     20160522

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

# whois 191.96.249.54

[Querying whois.lacnic.net]

[whois.lacnic.net]

% Joint Whois - whois.lacnic.net

% This server accepts single ASN, IPv4 or IPv6 queries

% LACNIC resource: whois.lacnic.net

% Copyright LACNIC lacnic.net

% The data below is provided for information purposes

% and to assist persons in obtaining information about or

% related to AS and IP numbers registrations

% By submitting a whois query, you agree to use this data

% only for lawful purposes.

% 2016-11-01 22:20:18 (BRST -02:00)

inetnum: 191.96.249/24

status: reallocated

owner: Dmzhost Limited

ownerid: SC-DMLI1-LACNIC

responsible: JUPITER 25 LIMITED

address: Francis Rachel Street, , Suite 1, Second Floor

address: - Victoria -

country: SC

phone: +248 371 23801010 []

owner-c: CHP23

tech-c: CHP23

abuse-c: CHP23

created: 20151217

changed: 20160423

inetnum-up: 191.96/16

nic-hdl: CHP23

person: CRS P

e-mail: abuse@DMZHOST.CO

address: Suite 4 Second Floor, ,

address: - Victoria -

country: SC

phone: +248 37123801010 []

created: 20160423

changed: 20160522

% whois.lacnic.net accepts only direct match queries.

% Types of queries are: POCs, ownerid, CIDR blocks, IP

% and AS numbers.

countryを見るとSCとあります。
国コードなのですが、聞いたことない国なので調べて見たところ・・・「セーシェル」
どこ？？

google Mapで調べて見ると

アフリカの東にある海の綺麗そうなところでした。
一見こんなところからって感じですが、踏み台にされているケースもあるかもしれませんね。
とりあえず、攻撃受けているので、ACLでの遮断、さらにサーバのファイヤーウォールで遮断を行います。

新着情報

この記事を読んだ方はこんな記事も読まれています。