I have recently started hosting some patches for the game World of Warcraft on my server for the general public. These patches range from 2MB to over 400MB. This does not use up a lot of my bandwidth when the average user wants to download a patch to patch their game, but I think I have recently been the target of a DoS/DDoS attack. Here is a small sample of my Apache log file:
Code:
85.94.94.197 - - [25/Jun/2007:12:14:54 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 272504844$
85.94.94.197 - - [25/Jun/2007:12:14:46 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 278866299$
85.94.94.197 - - [25/Jun/2007:12:14:19 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 265269077$
85.94.94.197 - - [25/Jun/2007:12:06:22 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 200 283880365$
85.94.94.197 - - [25/Jun/2007:12:13:35 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 275930571$
85.94.94.197 - - [25/Jun/2007:12:17:15 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 280953233$
85.94.94.197 - - [25/Jun/2007:12:18:03 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 280883564$
85.94.94.197 - - [25/Jun/2007:12:16:09 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 278470430$
85.94.94.197 - - [25/Jun/2007:12:15:30 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 272492576$
85.94.94.197 - - [25/Jun/2007:12:08:24 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 268983965$
85.94.94.197 - - [25/Jun/2007:12:18:58 +0000] "GET /files/wow-patches/WoW-2.0.12-to-2.1.0-enUS-Final.rar HTTP/1.1" 206 271350508$
The file in question that they downloaded was 271MB. From the logs I can also see that they have downloaded several of the other smaller patches.
If you look at the timestamps, they are generally about 5 minutes apart. I'm not sure whether the logs show when the file was complete or when it was started.
Also, by looking at my bandwidth usage for the past 24 hours (thanks to the dashboard) I can see I've only used about 1.25GB. This is somewhat high, but not absurd for the amount of traffic that my site gets.
I've had roughly 50-70 requests for a 271MB file, which would add up to at least 13GB of bandwidth used. It appears as if they initiated the file repeatedly, but didn't actually download it... Almost as if it were an HTTP form of a SYN attack. Do you think that this is just some person who is trying to attack me and getting nowhere, or some poor person with a bad connection trying to DL a large file?
Thanks,
Smark
PS. Sorry if it's a little long, I was on lunch at work and had some spare time.
PPS. Also, why aren't the log times in order? I used the grep command to just read today's log (grep "25/Jun/2007"), but that shouldn't change the order, should it?
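
An added example, not part of the original post: a Python script that groups access-log lines by client and file, counts 200 versus 206 (Partial Content) responses, totals the logged byte counts, and sorts each group by the logged timestamp. The sample lines, addresses and path are constructed, and the `min_partial` flag threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format prefix; anything after the byte count is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def summarize(lines, min_partial=3):
    """Group by (client, path); flag groups with >= min_partial 206 responses."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        groups[(rec["ip"], rec["path"])].append(rec)
    report = []
    for (ip, path), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])  # logged timestamp, not file order
        partial = sum(r["status"] == 206 for r in recs)
        report.append({
            "ip": ip, "path": path, "requests": len(recs),
            "full": sum(r["status"] == 200 for r in recs), "partial": partial,
            "logged_bytes": sum(r["size"] for r in recs),
            "span_seconds": int((recs[-1]["ts"] - recs[0]["ts"]).total_seconds()),
            "flag": partial >= min_partial,  # min_partial is an assumed threshold
        })
    return sorted(report, key=lambda r: r["requests"], reverse=True)

# Constructed sample (documentation addresses, hypothetical path), out of order.
SAMPLE = [
    '192.0.2.10 - - [25/Jun/2007:12:14:54 +0000] "GET /files/example-patch.rar HTTP/1.1" 206 1000',
    '192.0.2.10 - - [25/Jun/2007:12:06:22 +0000] "GET /files/example-patch.rar HTTP/1.1" 200 5000',
    '192.0.2.10 - - [25/Jun/2007:12:18:03 +0000] "GET /files/example-patch.rar HTTP/1.1" 206 2000',
    '192.0.2.10 - - [25/Jun/2007:12:08:24 +0000] "GET /files/example-patch.rar HTTP/1.1" 206 3000',
    '198.51.100.7 - - [25/Jun/2007:12:10:00 +0000] "GET /files/example-patch.rar HTTP/1.1" 200 5000',
]

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

Apache's `%t` field records when a request was received, while the log line is written when the request finishes, so overlapping downloads of different durations appear out of timestamp order in the file.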