Finding Number of Unique IP Addresses Involved in an Attack

Web servers sometimes get lots of requests from bots looking to exploit security holes. For example, I have previously written about brute force WordPress login attempts. Attacks like these can involve thousands of IP addresses, and how you block the attack depends on how many unique IPs are involved and how frequently each one is used. Here’s how you can find out.

Let’s take an attack that is currently doing the rounds on the web. This is an example Apache access log:

49.147.17.165 - - [10/Jul/2013:17:07:36 +0100] "POST /?CtrlFunc_ppppppppqqqqqqqqqqqqqqqqqqqqqq HTTP/1.1" 301 611 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.111.86.1 - - [10/Jul/2013:17:07:37 +0100] "POST /?CtrlFunc_fffgggggggggggggggghhhhhhhhhhh HTTP/1.0" 301 611 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
41.96.57.80 - - [10/Jul/2013:17:07:37 +0100] "POST /?CtrlFunc_wwwwwwwxxxxxxxxxxxxyyyyyyyyyyy HTTP/1.1" 301 611 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.137.134.95 - - [10/Jul/2013:17:07:37 +0100] "POST /?CtrlFunc_gH1jJ2kcCDweE6f6WxNxNoEe5VwDd4 HTTP/1.1" 301 611 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
186.170.83.133 - - [10/Jul/2013:17:07:37 +0100] "POST /?CtrlFunc_yDThxBPds6Nbq4IWkzDRfu9Nbq4IWk HTTP/1.1" 301 611 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
...

Here’s how to extract the unique IPs and the number of times they are used:

grep CtrlFunc_ /var/log/apache2/access.log | cut -d" " -f1 | sort | uniq -c | sort -rn | less

Let’s see how the above command works:

  • The distinguishing feature of these requests is the CtrlFunc_ part, so we grep for that, then use cut to split each line on spaces and extract the first column, which contains the IP address.
  • The IP addresses are sorted and passed on to uniq. uniq -c displays each unique IP prepended with a count of the number of times it appears in the log file.
  • The list is then sorted in reverse numerical order, that is from the most used IP to the least used.
  • Finally it is passed on to the less pager for easy navigation.

This will display a list like the following:

924 190.223.54.21
573 201.219.30.126
518 202.126.89.251
490 206.222.4.158
390 64.185.223.154
356 175.110.145.18
343 71.6.62.2
339 202.29.223.134
...

So you can see that the IP 190.223.54.21 is used 924 times, 201.219.30.126 573 times and so on.

You may also be interested in knowing how many unique IPs are used in total. That is easily done:

grep CtrlFunc_ /var/log/apache2/access.log | cut -d" " -f1 | sort | uniq | wc -l

In the above instance we are simply passing the list of unique IP addresses, one per line, to wc and asking it to count the number of lines with the -l switch. That gives us the total number of unique IP addresses used in the attack.
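The two pipelines above, as an added example that is not part of the original post: wrapped in shell functions, plus a third that lists only the IPs at or above a hit threshold (the figure you would use when deciding what to block). The log lines and IP addresses are constructed for this example, not taken from a real server.

```shell
#!/bin/sh
# Constructed sample access log (Apache combined format). The IPs are from
# documentation ranges and the request strings are made up; one line is an
# ordinary GET so the grep filter has something to exclude.
SAMPLE_LOG='203.0.113.10 - - [10/Jul/2013:17:07:36 +0100] "POST /?CtrlFunc_aaaa HTTP/1.1" 301 611 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jul/2013:17:07:37 +0100] "POST /?CtrlFunc_bbbb HTTP/1.0" 301 611 "-" "Mozilla/4.0"
203.0.113.10 - - [10/Jul/2013:17:07:37 +0100] "POST /?CtrlFunc_cccc HTTP/1.1" 301 611 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Jul/2013:17:07:38 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jul/2013:17:07:39 +0100] "POST /?CtrlFunc_dddd HTTP/1.1" 301 611 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jul/2013:17:07:40 +0100] "POST /?CtrlFunc_eeee HTTP/1.1" 301 611 "-" "Mozilla/4.0"'

# Per-IP hit counts for requests matching PATTERN, most active IP first.
# Usage: attack_ip_counts PATTERN LOGFILE
attack_ip_counts() {
    grep "$1" "$2" | cut -d" " -f1 | sort | uniq -c | sort -rn
}

# Number of distinct IPs that sent a matching request (tr strips the
# leading spaces some wc implementations print).
# Usage: attack_unique_ip_total PATTERN LOGFILE
attack_unique_ip_total() {
    grep "$1" "$2" | cut -d" " -f1 | sort -u | wc -l | tr -d ' '
}

# Only the IPs with at least MIN matching requests, one per line: the
# candidates for a firewall or deny rule when a few IPs dominate the attack.
# Usage: attack_ips_over_threshold PATTERN LOGFILE MIN
attack_ips_over_threshold() {
    grep "$1" "$2" | cut -d" " -f1 | sort | uniq -c \
        | awk -v min="$3" '$1 >= min { print $2 }'
}

# Write the constructed log to a temporary file so the functions take a
# path, exactly as they would for /var/log/apache2/access.log.
LOGFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"

attack_ip_counts CtrlFunc_ "$LOGFILE"            # 3 203.0.113.10 / 2 198.51.100.7
attack_unique_ip_total CtrlFunc_ "$LOGFILE"      # 2
attack_ips_over_threshold CtrlFunc_ "$LOGFILE" 3 # 203.0.113.10
```

Replace "$LOGFILE" with the real access log path and CtrlFunc_ with whatever string distinguishes the attack you are looking at.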
