CMS Made Simple Forums

I have recieved a mail from my hosting company, that their server has been down, due to attacks on the site through HEAD-requests. The site runs 1.10.3 and modules are all running the latest version. The hosting company seems to think this is a weakness in CMSMS. It is presently fixed by them in the .htaccess file, by inserting these lines:
Can anything else be done to repel these attacks?

They look like this (x 100) in the server log:

72.232.7.29 - - [22/May/2012:07:01:53 +0200] "HEAD /bevis-jeres-vard-imr.htm HTTP/1.0" 200 0 "-" "WordPress/3.4-beta4-20825; http://universalgeni.wordpress.com"

72.233.2.39 - - [22/May/2012:07:01:53 +0200] "HEAD /internationalt.htm HTTP/1.0" 200 0 "-" "WordPress/3.4-beta4-20825; http://universalgeni.wordpress.com"

72.232.7.29 - - [22/May/2012:07:01:53 +0200] "HEAD /bevis-jeres-vard-imr.htm HTTP/1.0" 200 0 "-" "WordPress/3.4-beta4-20825; http://universalgeni.wordpress.com"

Cms Version: 1.10.3

Installed Modules:

CMSMailer: 2.0.2
ModuleManager: 1.5.3
MenuManager: 1.7.7
ThemeManager: 1.1.4
Search: 1.7
TinyMCE: 2.9.6
CGExtensions: 1.28.2
NMS: 2.4.3
Gallery: 1.5.3
Search: 1.7
CGSimpleSmarty: 1.5
CGFeedback: 1.5.4
AkismetCheck: 0.2.1
News: 2.12.3
CGBlog: 1.9.5
JQueryTools: 1.0.10
CGFeedMaker: 1.0.15
FileManager: 1.2.0
CGSmartImage: 1.8.2
CGFavs: 1.0.4


Config Information:

php_memory_limit: 128M
process_whole_template: false
output_compression: false
max_upload_size: 100000000
default_upload_permission: 664
url_rewriting: mod_rewrite
page_extension: .htm
query_var: page
image_manipulation_prog: GD
auto_alias_content: true
locale: da_DK.UTF-8
default_encoding: utf-8
admin_encoding: utf-8
set_names: false


Php Information:

phpversion: 5.2.6-1+lenny16
md5_function: Fra (Sand)
gd_version: 2
tempnam_function: Fra (Sand)
magic_quotes_runtime: Til (Falsk)
E_STRICT: 0
memory_limit: 128M
max_execution_time: 30
output_buffering: Fra
safe_mode: Til (Falsk)
file_uploads: Fra (Sand)
post_max_size: 32M
upload_max_filesize: 32M
session_save_path: Kan ikke kontrolleres pga af at open_basedir er aktiv
session_use_cookies: Fra (Sand)
xml_function: Fra (Sand)


Server Information:

Server Api: apache2handler
Server Db Type: MySQL (mysql)
Server Db Version: 5.0.51a

a: HEAD requests are valid requests to web pages, frequently used to see if a page has changed. Some link-back mechanisms will issue head requests so that they can update their caches or content based on links to your sites.

b: CMSMS does not do anything special wrt HEAD requests. it's treated the same as a GET request or something.

I would suspect that it's something specific about THOSE head requests (the URLS that they are requesting). or the amount of them, or something special about your servers configuration. Or maybe a PHP bug. But don't think it's anything in CMSMS. For curiosity I did a couple of thousand HEAD requests to a couple of CMSMS websites and had no difficulties.

Typically if there is a bug in PHP that causes php to crash based on some bug then this only effects that one request or a group of requests,. and does not bring the server down (though load can be increased). If there are a tonne of requests that cause load to increase dramatically then THAT can bring the server down.

So conclusion:
What are the errors on the server?
Are you only getting occasional HEAD requests or tonnes of them?

Okay, thanks for clarifying about HEAD requests.

It is indeed the amount of requests that has brought the server down.
A closer look at the server logs show this pattern:
12 requests in 1-2 minutes for one page.
12 for another page on the same site in the same amount of time.
12 requests for a third page, ditto.
12 requests for a fouth page
and so on....

The pattern for the 12 requests for one page:
ip 72.233.2.39 - 1 request
ip 72.232.7.32 - 3 requests
ip 72.232.7.31 - 1 request
ip 72.232.7.29 - 6 requests
ip 72.233.2.39 - 1 request

So I guess it is an attack specifically aimed at this site.....?
One of the webhost supporters suggested to look for a module that could block that kind of multiple requests, but this is I guess not possible, when some of them are single requests, similar to a legit request, just grouped together.

So far HEAD requests is blocked via htaccess.
This will not work well with caching, I guess?

regards, Lone

A few dozen requests inside of one minute is not a DDOS attack.

I am thinking your page is encountering some type of PHP bug. But there is no way (without alot of digging) to know for sure. Only solution to that is for your host to upgrade php...

Now, killing all HEAD requests will solve the problem temporarily. CMSMS doesn't use the E-Tag (if you've disabled them in the .htaccess) it tells the browser to cache until a certain date/time. Therefore I don't think that caching would be effected.

Hi again

Sounds good about the caching not being affected.
The webhost has a sceduled upgrade of the server coming soon, it hopefully will solve this problem.

regards, Lone