
Apache Web Server Forum

    
Block POSTs on domain root without affecting subdirectories
TommiieeSV




msg:4612881
 11:09 am on Sep 26, 2013 (gmt 0)

Hello,

I've been DDoS'ed for over 32 hours now. Since I'm kind of tired of waiting, I'm trying to block the requests.

The DDoS looks like this:

xx.141.23.246 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 432 14344
xx.150.106.0 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 427 14286
xxx.10.152.246 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 505 14344
xx.202.157.199 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 352 14344
xx.48.228.178 - - [25/Sep/2013:11:09:38 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 406 14344
xxx.134.215.206 - - [25/Sep/2013:11:09:38 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 418 14344


So what I basically want to do is block POSTs on the "/" (root of my domain). The thing is, if I use .htaccess to do this, my subdomains are also prevented from using POST. My forum is live (despite the attack) but that is of no use without POST.

Is there a way to only disable POST for the "/" location that is being attacked? Other options that might help are most welcome too.

Thanks!

Tom

 

aakk9999




msg:4612893
 12:07 pm on Sep 26, 2013 (gmt 0)

The thing is, if I use .htaccess to do this, my subdomains are also prevented from using POST.


You need to have a RewriteCond that limits the rule to your desired host. Therefore you need to inspect the host and the request, and then return forbidden/not found/whatever based on the host being the main domain and on the request type=POST.

Something like:

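# Main host only (dots escaped), and only a POST to exactly "/"
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteCond %{THE_REQUEST} ^POST\ /\ HTTP/
# desired server response here: [F] = 403 Forbidden (or 404 etc.)
RewriteRule ^ - [F]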

TommiieeSV




msg:4612921
 1:27 pm on Sep 26, 2013 (gmt 0)

I've put a LIMIT in place to prevent the "/" that is being attacked from executing POSTS, and another LIMIT to prevent the subdirectories from being affected.

I'm trying to solve this problem on a firewall (iptables) level since that's more effective, but so far no luck.
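
Added example, not part of any post in this thread: a small Python triage script that parses access-log lines in the format shown in the first post and reports which requests a root-only POST block would reject and which POSTs it would leave alone. The sample lines, the documentation-range IP addresses and the path /forum/posting.php are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format followed by %I %O byte counts, as in the thread's sample.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse(line):
    """Return the parsed fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_root_post(entry):
    """True only for a POST to exactly "/" (no subdirectory, no query string)."""
    return entry["method"] == "POST" and entry["path"] == "/"

def triage(lines):
    """Return (hits per IP that a root-only POST block would reject,
    paths of POSTs it would leave alone, count of unparseable lines)."""
    blocked, spared, malformed = Counter(), [], 0
    for line in lines:
        entry = parse(line)
        if entry is None:
            malformed += 1
        elif is_root_post(entry):
            blocked[entry["ip"]] += 1
        elif entry["method"] == "POST":
            spared.append(entry["path"])
    return blocked, spared, malformed

# Constructed sample input (documentation IP ranges, hypothetical forum path).
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
TAIL = f'200 13977 "-" "{UA}" 432 14344'
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" ' + TAIL,
    '192.0.2.10 - - [25/Sep/2013:11:09:38 +0200] "POST / HTTP/1.1" ' + TAIL,
    '198.51.100.7 - - [25/Sep/2013:11:09:38 +0200] "POST / HTTP/1.1" ' + TAIL,
    '203.0.113.5 - - [25/Sep/2013:11:09:39 +0200] "POST /forum/posting.php HTTP/1.1" ' + TAIL,
    '203.0.113.5 - - [25/Sep/2013:11:09:40 +0200] "GET / HTTP/1.1" ' + TAIL,
    'truncated line without a request',
]

if __name__ == "__main__":
    blocked, spared, malformed = triage(SAMPLE)
    print("would be rejected, per IP:", dict(blocked))
    print("POSTs left alone:", spared, "| malformed lines:", malformed)
```

Running it over a real access log before deploying a block shows whether any legitimate form on the site posts to "/" and would be rejected along with the attack traffic.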

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.