Server log extreme size (attack?)

Hi Team,
For the last 3 days my Tomcat access logs have been growing a lot, like 5 GB / day.
Most lines are like:
10.66.66.10 - - [24/Jan/2020:09:24:40 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 11757
10.66.66.10 - - [24/Jan/2020:09:24:41 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 17476
10.66.66.10 - - [24/Jan/2020:09:24:42 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 18255
10.66.66.10 - - [24/Jan/2020:09:24:45 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 349
10.66.66.10 - - [24/Jan/2020:09:24:46 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 827
10.66.66.10 - - [24/Jan/2020:09:24:52 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 827
10.66.66.10 - - [24/Jan/2020:09:24:55 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 162
10.66.66.10 - - [24/Jan/2020:09:24:55 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 162
10.66.66.10 - - [24/Jan/2020:09:24:55 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 36032
10.66.66.10 - - [24/Jan/2020:09:24:59 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 17477
10.66.66.10 - - [24/Jan/2020:09:25:00 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 18257
10.66.66.10 - - [24/Jan/2020:09:25:13 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 12701
10.66.66.10 - - [24/Jan/2020:09:25:15 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 17902
10.66.66.10 - - [24/Jan/2020:09:25:15 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 19608
10.66.66.10 - - [24/Jan/2020:09:25:17 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 12488
10.66.66.10 - - [24/Jan/2020:09:25:20 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 14528
10.66.66.10 - - [24/Jan/2020:09:25:21 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 23888
10.66.66.10 - - [24/Jan/2020:09:25:27 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 877
10.66.66.10 - - [24/Jan/2020:09:25:29 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 12276
10.66.66.10 - - [24/Jan/2020:09:25:35 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 18395
10.66.66.10 - - [24/Jan/2020:09:25:36 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 558
10.66.66.10 - - [24/Jan/2020:09:25:37 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 7705
10.66.66.10 - - [24/Jan/2020:09:26:30 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 6715
10.66.66.10 - - [24/Jan/2020:09:26:31 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 3564
10.66.66.10 - - [24/Jan/2020:09:26:33 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 5236
10.66.66.10 - - [24/Jan/2020:09:26:42 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 178
10.66.66.10 - - [24/Jan/2020:09:26:46 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 231
10.66.66.10 - - [24/Jan/2020:09:26:48 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 179
10.66.66.10 - - [24/Jan/2020:09:26:55 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 231
10.66.66.10 - - [24/Jan/2020:09:26:58 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 259
10.66.66.10 - - [24/Jan/2020:09:26:59 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 8036
10.66.66.10 - - [24/Jan/2020:09:27:31 +0200] "POST /app/HEARTBEAT/?v-uiId=0 HTTP/1.1" 200 -
10.66.66.10 - - [24/Jan/2020:09:29:09 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 4461
10.66.66.10 - - [24/Jan/2020:09:29:16 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 183
10.66.66.10 - - [24/Jan/2020:09:29:34 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 235
10.66.66.10 - - [24/Jan/2020:09:29:36 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 182
10.66.66.10 - - [24/Jan/2020:09:29:43 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 235
10.66.66.10 - - [24/Jan/2020:09:30:32 +0200] "POST /app/HEARTBEAT/?v-uiId=0 HTTP/1.1" 200 -
10.66.66.10 - - [24/Jan/2020:09:30:51 +0200] "POST /app/HEARTBEAT/?v-uiId=1 HTTP/1.1" 200 -
10.66.66.10 - - [24/Jan/2020:09:31:01 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 266
10.66.66.10 - - [24/Jan/2020:09:31:01 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 8147
10.66.66.10 - - [24/Jan/2020:09:31:08 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 4461
10.66.66.10 - - [24/Jan/2020:09:31:12 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 183
10.66.66.10 - - [24/Jan/2020:09:31:17 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 235
10.66.66.10 - - [24/Jan/2020:09:31:19 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 182
10.66.66.10 - - [24/Jan/2020:09:31:23 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 235
10.66.66.10 - - [24/Jan/2020:09:31:26 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 266
10.66.66.10 - - [24/Jan/2020:09:31:26 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 8228
10.66.66.10 - - [24/Jan/2020:09:31:39 +0200] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 8117

10.66.66.10 is my reverse proxy IP so I don’t know the real IP.
Is this some kind of attack?
What course of action do you recommend?

Thanks
George

Hi @george.serban,
I would first take a look at the reverse proxy logs. You should be able to inspect the source of requests.

Another approach you may be interested in is configuring both your reverse proxy and Tomcat to expose the real client IP address. This way the real client IP would be shown in the Tomcat access logs. Take a look at this example for Tomcat and nginx.

Regards.

2 Likes
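
A sketch of the setup the reply above describes, as an added example (not part of the original thread and not the example it links to). It assumes nginx is the reverse proxy at 10.66.66.10, as in the question; `TOMCAT_HOST`, the port, and the `Host` attributes are placeholders for your own values.

```xml
<!-- Added example. Reverse proxy side (nginx), inside the server block that fronts
     Tomcat. TOMCAT_HOST and the port are placeholders.

       location /app/ {
           proxy_pass http://TOMCAT_HOST:8080;
           proxy_set_header Host              $host;
           # Appends the address nginx saw ($remote_addr) to any X-Forwarded-For
           # the client sent, so the rightmost entry is always written by nginx.
           proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
       }
-->

<!-- Tomcat side: conf/server.xml, inside the existing <Host> element. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- Honour X-Forwarded-For only when the TCP peer is the reverse proxy.
       internalProxies is a regular expression; narrowing it to the proxy's own
       address (assumed 10.66.66.10) keeps any other host that can reach Tomcat
       directly from forging the logged client IP. The valve reads the header
       right to left and stops at the first address that is not a known proxy,
       so values a client prepends to the header are ignored. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="10\.66\.66\.10"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto" />

  <!-- requestAttributesEnabled="true" makes %h in the access log use the
       address resolved by RemoteIpValve instead of the proxy's address. -->
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="localhost_access_log" suffix=".txt"
         pattern="common"
         requestAttributesEnabled="true" />
</Host>
```

After reloading nginx and restarting Tomcat, the first field of each access-log line should show the client address rather than 10.66.66.10, which lets you group the `/app/UIDL/` requests by source.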