
Apache Web Server Forum

    
People hitting my site over 7 times per second?
Need help with this problem...
joyryde




msg:1498280
 7:48 am on Jun 22, 2005 (gmt 0)

I operate an ecommerce website. Every time a fraudulent credit card or stolen credit card is used on our site, it is reported to the bank and we permanently ban the IP of the computer used to place the fake order on our site. We ban IP addresses via .htaccess which redirects them to a "banned" page.

Recently fraud has been widespread and DAILY we have to ban new people.

Now our error logs show many of these IP addresses hitting our "YOU'VE BEEN BANNED" web page, and they are taking up WAY WAY WAY too much bandwidth.

How or why would these people hit the server about 5-10 times per second, and what can we do to end this?

1 example (of about 10 cases) from just today where the kid accessed the page repeatedly for 40 minutes:

[Tue Jun 21 12:43:57 2005] [error] [client 00.000.000.000] client denied by server configuration: /home/example/public_html/files/banned.htm

...and this goes on for over 40 minutes....on top of the other 5 IPs doing the same exact thing all day long.

[edited by: rogerd at 10:26 pm (utc) on June 22, 2005]
[edit reason] No specifics, please. [/edit]

 

Vulcan315




msg:1498281
 11:00 am on Jun 22, 2005 (gmt 0)

Isn't this considered to be a DOS (denial of service) attack, where the attacker takes down a site by pinging it to death and eating up its bandwidth? I think there are programs floating around that a person can use to do just that in an automated manner.

Can you contact their provider and get them shut down for this?

Dave

Staffa




msg:1498282
 3:13 pm on Jun 22, 2005 (gmt 0)

A few years ago I used to have the same problem; then I removed the page where that particular visitor was directed to, and that was it.

They get a 404 page not found, instead of running around in circles from trying to access a real page and being redirected each time.

maccas




msg:1498283
 3:38 pm on Jun 22, 2005 (gmt 0)

edited: oops, Staffa already said what I wrote. That error page you have could possibly add fuel to the fire.

GeorgeK




msg:1498284
 6:23 pm on Jun 22, 2005 (gmt 0)

You could always redirect the .htaccess denial to go to www.yahoo.com, or [127.0.0.1...] (i.e. his own PC).

joyryde




msg:1498285
 4:43 am on Jun 23, 2005 (gmt 0)

Thanks guys...I guess the reason we have a "banned" page in the first place is that so many sites recommend it...I had considered re-directing them to another site, but that's not a good idea, because the page is displayed anytime someone tries to access a forbidden folder or part of the site. Just because someone tries to do that, they shouldn't be sent to yahoo...

jdMorgan




msg:1498286
 7:22 pm on Jul 5, 2005 (gmt 0)

Be careful that the IP addresses you ban are listed in ARIN, RIPE, APNIC, etc. as "Assigned Permanent" addresses. If not, then you may be banning IP addresses within a pool shared by dial-up users (for example) and you may be banning legitimate visitors.

If you really need to ban shared dial-up IPs, then it's best to limit the ban to an hour or so, rather than making it permanent. This will also help to keep your banned IP list from becoming ridiculously large over time.

Jim

victor




msg:1498287
 7:41 pm on Jul 5, 2005 (gmt 0)

Consider having a dynamic ban list -- it works for me.

Rather than having any sites in a manual list for band-width abuse, a CGI routine checks if the IP address is requesting too fast.

If so, they get a banned page. Bans last from 5 minutes to 24 hours depending on how heavily they've been hitting us. Repeated bans tend to be longer.

Usually stops the most rampaging, out of control, spider in less time than it takes me to check the logs.
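
A sketch of the kind of dynamic ban list described in the post above, as an added example that is not the poster's code. The thresholds (`max_hits`, `window`) and the doubling rule for repeat bans are assumptions; only the 5-minute and 24-hour limits come from the post.

```python
import time
from collections import defaultdict, deque

class DynamicBanList:
    """Per-IP sliding-window rate check with escalating, expiring bans."""

    MIN_BAN = 5 * 60          # shortest ban mentioned in the post: 5 minutes
    MAX_BAN = 24 * 60 * 60    # longest ban mentioned in the post: 24 hours

    def __init__(self, max_hits=20, window=10.0):
        # max_hits and window are assumed values; tune them to real traffic.
        self.max_hits = max_hits
        self.window = window
        self.hits = defaultdict(deque)    # ip -> timestamps of recent requests
        self.banned_until = {}            # ip -> time the current ban expires
        self.strikes = defaultdict(int)   # ip -> how many bans so far

    def check(self, ip, now=None):
        """Record one request; return seconds of ban remaining (0 = allowed)."""
        now = time.time() if now is None else now
        expiry = self.banned_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return expiry - now       # still banned; request is not counted
            del self.banned_until[ip]     # ban expired, strike count is kept
        q = self.hits[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                   # drop requests older than the window
        if len(q) <= self.max_hits:
            return 0
        # Requesting too fast: each repeat ban doubles, capped at 24 hours.
        self.strikes[ip] += 1
        ban = min(self.MIN_BAN * 2 ** (self.strikes[ip] - 1), self.MAX_BAN)
        self.banned_until[ip] = now + ban
        q.clear()
        return ban
```

State here lives in memory; a CGI script starts a new process per request, so the three tables would have to be kept in a file or database between requests.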

physics




msg:1498288
 8:35 pm on Jul 5, 2005 (gmt 0)


"1 example (of about 10 cases) from just today where the kid accessed the page repeatedly for 40 minutes:"

How many times total in that 40 minutes?
You might look into mod_throttle as a way to deal with too many requests from the same ip.

Also instead of a banned page you can just serve a blank page (i.e. serve a file blank.html which is totally empty) or forbid them in .htaccess. Look around the forums ... there are some good .htaccess discussions involving blocking/forbidding/redirecting these sorts of folks.
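
To answer the "how many times total" question from the error log itself, the following added example (not code from any poster in this thread) counts "client denied by server configuration" entries per client and reports the total, the time span and the peak number of hits in a single second. The sample lines are constructed in the format quoted in the first post, with documentation-range addresses.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the error-log format quoted in the thread.
DENIED = ("client denied by server configuration: "
          "/home/example/public_html/files/banned.htm")
SAMPLE_LOG = [
    f"[Tue Jun 21 12:43:57 2005] [error] [client 192.0.2.10] {DENIED}",
    f"[Tue Jun 21 12:43:57 2005] [error] [client 192.0.2.10] {DENIED}",
    f"[Tue Jun 21 12:43:57 2005] [error] [client 192.0.2.10] {DENIED}",
    f"[Tue Jun 21 12:43:58 2005] [error] [client 192.0.2.10] {DENIED}",
    f"[Tue Jun 21 12:43:58 2005] [error] [client 192.0.2.10] {DENIED}",
    f"[Tue Jun 21 12:44:00 2005] [error] [client 198.51.100.7] {DENIED}",
    "[Tue Jun 21 12:44:01 2005] [notice] unrelated server message",
    f"[Tue Jun 21 12:45:57 2005] [error] [client 192.0.2.10] {DENIED}",
]

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"client denied by server configuration: (?P<path>.+)$"
)

def summarize_denied(lines):
    """Return {ip: {total, minutes, peak_per_second}} for denied requests."""
    per_second = defaultdict(Counter)       # ip -> {timestamp: hit count}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                        # other error types, notices, junk
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        per_second[m["ip"]][ts] += 1
    report = {}
    for ip, counts in per_second.items():
        first, last = min(counts), max(counts)
        report[ip] = {
            "total": sum(counts.values()),
            "minutes": (last - first).total_seconds() / 60,
            # The log has one-second resolution, so this is the busiest second.
            "peak_per_second": max(counts.values()),
        }
    return report

if __name__ == "__main__":
    for ip, stats in summarize_denied(SAMPLE_LOG).items():
        print(ip, stats)
```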

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved