View Full Version : [ubuntu] WhatsUP DOS attack

May 21st, 2008, 01:09 AM
Have you experienced this attack to apache2? - - [21/May/2008:08:05:33 +0800] "HEAD / HTTP/1.0" 200 - "-" "WhatsUp/1.0"

It is in my apache2 log for every second. I have blocked the IP using iptables:

iptables -A INPUT -s -j DROP
iptables -A OUTPUT -d -j DROP

but it can still access my apache server.

any suggestions for resolving this?

thanks in advance.

May 21st, 2008, 01:16 AM
Erm... That is a non-routable IP so I think you're missing something. Furthermore, if you blocked it with IPtables, it wouldn't be able to hit apache anymore.

The whatsup tool is from http://www.ipswitch.com/
I highly doubt this is an intentional denial of service.
Without knowing more about your network topology, I wouldn't want to venture any more guesses.

Good luck

May 21st, 2008, 01:24 AM
So you mean it's not a DOS attack? Then why it is accessing my apache server?

May 21st, 2008, 01:28 AM
From doing a quick google search on that user agent, tt appears that is generated by an Ipswitch product called WhatsUp, which is used for network monitoring. Someone on your lan using the product?


May 21st, 2008, 01:30 AM

May 21st, 2008, 01:31 AM
We have several switches so i think someone is using that product. so is there any explanation why this program or software is accessing my web server (apache2) ?

May 21st, 2008, 01:34 AM
Sounds like a question for the people on your network who are using the application. :)

May 21st, 2008, 01:35 AM
We have several switches so i think someone is using that product. so is there any explanation why this program or software is accessing my web server (apache2) ?
If you can pinpoint it to a particular machine, you might want to start asking questions. But be nice - there might be an innocent explanation.

May 21st, 2008, 01:40 AM
when i nbtstat the IP ( it pinpoints to a machine or PC.

and i have researched the WhatsUP 1.0 and i have found some sites stating that this is a DOS attack or exploit from a router or switch.

Do you have any suggestions or programs that i might install to prevent DOS attacks in my apache2 server? because i dont want to confront the person who is responsible to this, all i want is to show him that i can defend or protect my server without pleasing him to stop. hope you got the idea. :)


May 21st, 2008, 01:46 AM
WhatsUp Gold is a network management and monitoring tool. It is NOT an exploit or DoS attack tool. Just politely ask them why it might be sending queries to your apache server.

May 21st, 2008, 04:40 AM
Someone probably did a scan with whatsup, and didn't set any limits. Once a machine is configured in whatsup, it will continue to scan that machine unless told otherwise. It can be configured to scan specific ports and web pages for uptime. Add an access directive to your apache configuration to block it, though it doesn't look like any pages are being served anyway...

May 21st, 2008, 07:58 AM
i would go strate to him not like its doing any harm, just ask to to exit the program or/and uninstall it (asumeing windows PC)

if you do not want to just black list his ip on the router (asumeing thats running linux and you have access to it) he will come to you and you can just say this IP was attacking an computer on the network so it blocked it on its own to stop it

is its your boss pc or somthing

The Cog
May 21st, 2008, 10:59 PM
My guess is that Whatsup did an automatic discovery of things on the network and started polling them periodically to make sure they are still working. If the web service stops, an icon on whatsup will change colour to indicate a failure.

Autodiscovery is a quick and easy way to begin monitoring a network for failures by network admin staff.

May 26th, 2008, 12:45 AM
So you mean it's not a DOS attack? Then why it is accessing my apache server?

BTW I'm aware of at least two meanings for the acronym "DOS" (Disk Operaging System and Denial Of Service) but the team here is probably aware of that. I remember being vaguely baffled at first by talk of "COM" files for Windows (again, more than one meaning, COMmand and COMponent)

p.s Please go easy on me - perhaps the literal-minded autistic side to my makeup is making a nuisance of itself

June 2nd, 2008, 04:34 AM
thanks for the clarifications.. now iam more aware about this WhatsUp thing.

what i have done is block that ip using iptables...

But iam still confused, can WhatsUp be used as a Denial of Service attack?

June 18th, 2008, 03:36 AM
Technically, yes, sortof.
Realistically, no, not really.

The Cog
June 19th, 2008, 09:15 AM
It's not an attack tool. It's a monitoring tool. It checks periodically to see if your web service is still there and working by sending a GET /.

You can use it to find the devices on the network that are running common services (like HTTP) but that's discovery, not an attack. That info might help someone who wants to do an attack, but its a mighty poor way to reap that information if attacking is your objective. Nessus or nmap would bore likely be an attackers tool of choice.