
For the last few days one of my websites has been receiving hundreds of requests per minute with non-existent random domains as HTTP_REFERER and from different IPs (therefore using deny from IP is not an option):

REMOTE_ADDR     | HTTP_REFERER    | HTTP_USER_AGENT
95.133.126.178  | 1dljlc2jm2.info | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QihooBot 1.0 qihoobot@qihoo.net)
188.232.31.38   | 3r28169e6v4.net | Mozilla/5.0 (compatible; ShunixBot/1.x; http://www.7vlc8pngqk7zmx.com/bot.htm)
177.184.135.114 | 3p10jjujbn.ru   | Mozilla/5.0 (compatible; Bot; +http://w4n2e2mte8.ws/spamfilter
188.235.184.231 | 06d94hx.biz     | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iRider 2.21.1108; FDM)
42.119.240.12   | ho0gg8r7.net    | Mozilla/3.0 (WorldGate Gazelle 3.5.1 build 11; FreeBSD2.2.8-STABLE)
...

Any ideas how to fight this, please?

UPDATE (after problem was successfully solved)

My question is not a duplicate of "I am under DDoS. What can I do?" because I knew "what is happening" (small DDoS attack) and therefore I have asked for the exact rules to be added to .htaccess to block attackers.

BTW, in "I am under DDoS. What can I do?" it is suggested to contact the hosting provider. I did, but my hosting provider (one of the most popular ones) proposed to buy a more expensive package with more resources included. :)

Froggiz's solution was exactly what I was looking for.

Grigur
  • Why fight it at all? I'm not being flip, but unless it causes any problems, fighting it may not be a good use of your professional time. – MadHatter Nov 09 '15 at 12:03
  • @MadHatter Because of the huge number of requests, I run out of resources included in my hosting package. – Grigur Nov 09 '15 at 12:08
  • You can create a rule that accepts a request only if the referer is empty or starts with http – Froggiz Nov 09 '15 at 12:13
  • @Froggiz That could be a solution for my case, can you please post an answer with the exact rule (RewriteCond, RewriteRule) to be added to .htaccess? – Grigur Nov 09 '15 at 12:20
  • @Grigur OK, I did – Froggiz Nov 09 '15 at 13:03

1 Answer


These are the rules to block your attackers:

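# Enable mod_rewrite (needed once per .htaccess, harmless if already set)
RewriteEngine On
# Match when the Referer is not empty and does not start with http
RewriteCond %{HTTP_REFERER} "!^$|^http"
# Reject the matching request with 403 Forbidden
RewriteRule .* - [F]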

I have added some more rules to block other bots:

# Enable mod_rewrite (needed once per .htaccess, harmless if already set)
RewriteEngine On
# Block empty user agents and suspect user agents
RewriteCond %{HTTP_USER_AGENT} ^-?$|perl|python|\\x.*?\\x [NC,OR]
# Limit requests to GET, POST and HEAD
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$ [OR]
# Block requests whose URI does not start with /, as it should for normal websites
RewriteCond %{REQUEST_URI} !^/ [OR]
# Match when the Referer is not empty and does not start with http
RewriteCond %{HTTP_REFERER} "!^$|^http"
# Respond with 406 (Not Acceptable)
RewriteRule .* - [END,R=406]

I am using code 406 (Not Acceptable) as the response code, but it is optional; it can be anything you want, like [F] as suggested by the Apache docs:

https://httpd.apache.org/docs/2.4/en/rewrite/access.html

If you are using another rewrite rule (a short URL, for example), you need to place the rule I posted before it, so that it is used first.

Froggiz
  • Depending on what resources are being consumed this may or may not help as, by the time the system is dealing with it the DDOS may have done its job. – user9517 Nov 09 '15 at 13:15
  • nice ^_^, i hate those attackers, it is like internet pollution ! – Froggiz Nov 09 '15 at 13:26
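
To see what the conditions in the answer would and would not reject before putting them in .htaccess, the patterns can be replayed offline against sample requests. This is an added example, not part of the original answer: it mirrors the answer's four RewriteCond patterns in Python, and the names `block_reason`, `summarize` and the sample rows are assumptions made for illustration.

```python
import re

# Python equivalents of the RewriteCond patterns from the answer above.
REFERER_OK = re.compile(r"^$|^http")   # the rule negates this: "!^$|^http"
BAD_AGENT = re.compile(r"^-?$|perl|python|\\x.*?\\x", re.IGNORECASE)  # [NC]
METHOD_OK = re.compile(r"^(GET|HEAD|POST)$")
URI_OK = re.compile(r"^/")


def block_reason(method, uri, referer, agent):
    """Return the first condition that rejects the request, or None if it passes."""
    # Same order as the [OR]-chained conditions in the .htaccess block.
    if BAD_AGENT.search(agent):
        return "user-agent"
    if not METHOD_OK.search(method):
        return "method"
    if not URI_OK.search(uri):
        return "uri"
    if not REFERER_OK.search(referer):
        return "referer"
    return None


# Constructed sample requests: (method, uri, referer, user agent).
# The first two referer/agent pairs come from the table in the question;
# the other rows are made-up traffic to check for false positives.
BROWSER = "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLES = [
    ("GET", "/", "1dljlc2jm2.info",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QihooBot 1.0 qihoobot@qihoo.net)"),
    ("GET", "/", "06d94hx.biz",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iRider 2.21.1108; FDM)"),
    ("GET", "/index.html", "", BROWSER),                     # direct visit, no Referer
    ("GET", "/about", "https://www.example.com/", BROWSER),  # normal inbound link
    ("GET", "/", "", "-"),                                   # empty user agent
    ("GET", "/", "", "python-requests/2.31.0"),              # scripted client
    ("TRACE", "/", "", BROWSER),                             # method outside the allow-list
]


def summarize(samples):
    """Return the block reason for each sample (None means the request passes)."""
    return [block_reason(*s) for s in samples]


if __name__ == "__main__":
    for sample, reason in zip(SAMPLES, summarize(SAMPLES)):
        verdict = f"BLOCK ({reason})" if reason else "pass"
        print(f"{verdict:20} referer={sample[2]!r} agent={sample[3][:30]!r}")
```

The referer condition only filters the bare-domain pattern seen in the question's log, and the `python` user-agent match also rejects any legitimate monitoring or API clients that identify themselves that way.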