My blog under attack
I've been having some issues with my blog site lately. There has been an ongoing distributed attack from multiple IP addresses on the site. I haven't confirmed this for sure, but it seems to be targeting the MovableType platform I'm running, maybe by overwhelming the comment system.
I made the move from a homegrown blogging platform to MovableType several years ago because I felt MT was doing some cool things with regard to content aggregation, comment plugins, and other features. Since then, however, MT has gone a direction I simply can't follow them with.
For example, the new versions of MovableType require that sites use MySQL as the backend database engine. Older versions of MovableType allowed sites to use MySQL, PostgreSQL, or SQLite. This ambiguity was possible due to the fact MovableType was written in Perl and used the DBI Perl module to access with the backend database server. DBI provides an abstraction layer between SQL queries submission code and the actual RDBMS engine being used.
For whatever reason the MT maintainers have, they've required that newer installations only work on MySQL. I'm a PostgreSQL snob and prefer to use it over MySQL anywhere and anytime I can.
Now I'm strongly considering going back to a homegrown blogging solution taking many of the lessons I've learned from using MovableType over the years and incorporating them into a new blogging platform.
Responding to the attack
The attack on my server was pretty bad. It was affecting my ability to send and receive e-mail and was shooting the load average on the server over 100. It was bad.
One of the first things I did was install mod_security on the server. I don't know why I hadn't done that before, but I hadn't gotten around to it. This helped thwart a sizable chunk of the bot requests coming in, but there were still some getting through.
I didn't really have time to do a more thorough analysis when I first found out about the attack. I just needed to do something so that e-mail on the server still flowed appropriately. So, I moved the documents directory where all the MovableType scripts and user-installed files were out of the way and created a new empty documents directory. After doing this, all the requests would get 404 responses.
Later, I also created custom firewall rules blocking access to port 80 for IP addresses that were recorded in the Apache access log more than a couple hundred times. Watching the log file, the malicious requests continued to come in. I'd have to continue to monitor the logs for new IP addresses that had accumulated a theshold level of requests and create new firewall rules for those IP addresses.
Looking closer at the requests, I noticed they all had the same user-agent string.
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
This is an old Microsoft Internet Explorer version 6 string. Nobody should be using that browser anymore. I'm fairly certain these requests are not coming from an actual browser anyway, but are forged by a script running on compromised machines. So, to be careful, my site simply refuses to service any requests from user agents that have "MSIE 6.0" in their agent string.