Deny all "direct" traffic

Question

My server is under heavy attack (maybe DDOS, I've no idea). I've checked the access logs (to put things into perspective, it's site with a daily 1000 visitors, nothing fancy):

78.176.175.208 - - [14/Dec/2010:17:11:37 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:37 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:37 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:37 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:37 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:37 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:37 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:37 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:37 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:38 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:38 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:38 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:38 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:38 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:38 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:38 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:38 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:38 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:38 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:38 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:39 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:39 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:39 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:39 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:39 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:39 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:39 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:39 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:39 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:39 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:39 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:40 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:40 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:40 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:40 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:40 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:40 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:40 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:40 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:40 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:40 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:40 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:40 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:41 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:41 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:41 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:41 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:41 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:41 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:41 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:41 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.176.175.208 - - [14/Dec/2010:17:11:41 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
88.252.162.244 - - [14/Dec/2010:17:11:41 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
78.182.202.215 - - [14/Dec/2010:17:11:41 -0800] "GET /XXX.com/ HTTP/1.1" 200 1241 "" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

I'm thinking of denying all direct traffic via htaccess (it's only %3 percent of my traffic) for a little while.

My question is how can I deny all direct traffic via .htaccess and does it help at all?

Thanks

You should rather use a firewall to blacklist these IP addresses. It won't help if you just block them using .htaccess, since the requests still reach the web server. — watain, Dec 15 '10 at 16:40
Just to be clear, by "direct traffic", do you mean requests with a missing or blank Referrer URL? — Steven Monday, Dec 15 '10 at 17:45

score 1 · Answer 1 · answered Dec 15 '10 at 16:39

Yes, you can use the deny directive to deny specific IPs. As a better option, you can add firewall rules to prevent these IPs from access your web server. You have to be sure about what you are doing. Otherwise, you may end up preventing legitimate users from accessing your website.

score 1 · Accepted Answer · answered Dec 15 '10 at 18:15

I won't say anything about whether denying direct (no Referer) requests from .htaccess is worth doing, because it may or may not be, depending on your particular circumstances.

Regardless, here is how one could do it. Put the following into your .htaccess:

SetEnvIf Referer "^$" NO_REFERER
Order allow,deny
Allow from all
Deny from env=NO_REFERER

This should allow all HTTP requests, except those that send a blank (or no) Referer header.

Deny all "direct" traffic

2 Answers2