Amazon EC2 DDoS from ‘Typhoeus’ user agent

I’m really getting sick of dealing with downed web servers that result from DDoS attacks from Amazon EC2 space where the user agent is always the Typhoeus client.  Amazon of course is unreachable for abuse complaints unless you’re a company the size of Microsoft, so everyone else is just left to suffer at their mercy.  Here’s the kind of bullshit I’m talking about:

50.16.71.225 - - [05/Aug/2015:01:24:50 -0400] "HEAD /c.html HTTP/1.0" 500 375 "-" "Typhoeus - https://github.com/typhoeus/typhoeus"
54.205.49.66 - - [05/Aug/2015:01:24:50 -0400] "HEAD /c.html HTTP/1.0" 500 375 "-" "Typhoeus - https://github.com/typhoeus/typhoeus"
54.205.49.66 - - [05/Aug/2015:01:24:51 -0400] "HEAD /c.html HTTP/1.0" 500 375 "-" "Typhoeus - https://github.com/typhoeus/typhoeus"
54.163.187.79 - - [05/Aug/2015:01:24:52 -0400] "HEAD /p.html HTTP/1.0" 500 375 "-" "Typhoeus - https://github.com/typhoeus/typhoeus"
54.163.187.79 - - [05/Aug/2015:01:24:51 -0400] "HEAD /c.html HTTP/1.0" 500 375 "-" "Typhoeus - https://github.com/typhoeus/typhoeus"
54.205.49.66 - - [05/Aug/2015:01:24:51 -0400] "HEAD /c.html HTTP/1.0" 500 375 "-" "Typhoeus - https://github.com/typhoeus/typhoeus"
50.16.71.225 - - [05/Aug/2015:01:24:51 -0400] "HEAD /c.html HTTP/1.0" 500 375 "-" "Typhoeus - https://github.com/typhoeus/typhoeus"

Multiply the above by thousands, over the span of a few seconds, and you have yourself the big pile of shit dropped on your doorstep courtesy of Amazon.  I’ve been seeing this for much of 2015, against thousands of IP addresses.

If you need an Apache rewrite to block it:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Typhoeus [NC]
RewriteRule ^.*$ - [F,L]
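
To see which addresses and which seconds account for the flood, and how many of those hits ended in a 5xx, the access log can be summarised by user agent. This is an added example, not part of the original post: the first four sample lines are from the excerpt above, the last two are constructed, and the `summarize` helper and its burst threshold are assumptions.

```python
import re
from collections import Counter

# Apache combined log format:
# host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# First four lines come from the excerpt in the post; the last two are
# constructed (an ordinary browser hit and a truncated line).
SAMPLE_LOG = """\
50.16.71.225 - - [05/Aug/2015:01:24:50 -0400] "HEAD /c.html HTTP/1.0" 500 375 "-" "Typhoeus - https://github.com/typhoeus/typhoeus"
54.205.49.66 - - [05/Aug/2015:01:24:50 -0400] "HEAD /c.html HTTP/1.0" 500 375 "-" "Typhoeus - https://github.com/typhoeus/typhoeus"
54.205.49.66 - - [05/Aug/2015:01:24:51 -0400] "HEAD /c.html HTTP/1.0" 500 375 "-" "Typhoeus - https://github.com/typhoeus/typhoeus"
54.163.187.79 - - [05/Aug/2015:01:24:52 -0400] "HEAD /p.html HTTP/1.0" 500 375 "-" "Typhoeus - https://github.com/typhoeus/typhoeus"
203.0.113.9 - - [05/Aug/2015:01:24:51 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
54.205.49.66 - - [05/Aug/2015:01:24:
"""


def summarize(lines, agent="typhoeus", burst=2):
    """Count hits whose User-Agent contains `agent` (hypothetical helper)."""
    per_ip, per_second = Counter(), Counter()
    errors = skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1  # truncated or not in combined format
            continue
        if agent not in m["agent"].lower():  # case-insensitive, like [NC]
            continue
        per_ip[m["ip"]] += 1
        per_second[m["ts"]] += 1  # log timestamps have 1-second resolution
        errors += m["status"].startswith("5")
    bursts = {ts: n for ts, n in per_second.items() if n >= burst}
    return {"per_ip": per_ip, "bursts": bursts,
            "errors_5xx": errors, "skipped": skipped}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ip, hits in report["per_ip"].most_common():
        print(f"{hits:6d}  {ip}")
    print("seconds at or above burst threshold:", report["bursts"])
    print("5xx responses:", report["errors_5xx"], "unparsed:", report["skipped"])
```

On a real log, pass the open file object instead of `SAMPLE_LOG.splitlines()` and raise `burst` to a rate your normal traffic never reaches.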

Would love to hear from anyone who’s actually determined what entity keeps doing this.

Someone else with the same issue:

http://schestowitz.com/Weblog/archives/2015/06/28/aws-ddos/
