jdMorgan - 3:52 pm on Oct 19, 2010 (gmt 0)
Can your host provide a firewall to discard these requests?
Do all or most of the requests have anything in common -- User-agent? Page requested? HTTP-Referer headers? Missing or incorrect headers for the claimed user-agents?
Based on the above, you can often mitigate the effects of DOS attacks by refusing connections if something about the requests is identifiable or identifiably wrong. And in addition, if the requests are always for the same page or pages, you can temporarily replace those pages with smaller and/or static versions in order to reduce wasted bandwidth and server load due to script execution and database lookups.
Collect and use all of the information you can get from your raw server access and error logs. Consider adding code to the pages they hit to collect and record the additional HTTP headers sent by clients but not usually recorded in standard log files.
There are indeed lists of country-to-IP address mappings (search for "geoip" and "ip to country"). But these lists are very long because IP address ranges are assigned in often-small blocks on an as-requested basis; no attempt is made to assign and organize IP address ranges by country. Therefore, any access-control code based on IP addresses may very well be thousands of lines long, and processing that large number of directives for each request will likely only make your problem worse.
However, there's actually quite a bit you can do to reduce the effects of a DDOS attack; you just have to collect the necessary information first.
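
One way to look for the common request traits the post above asks about, as an added example that is not part of the original post. It assumes the server writes the Apache/NCSA "combined" access log format; the function name, the 60% threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache/NCSA "combined" format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def common_traits(lines, min_share=0.6):
    """Return {field: (value, share)} for each field where a single value
    accounts for at least min_share of the parsed requests."""
    counts = {"path": Counter(), "referer": Counter(), "agent": Counter()}
    total = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        total += 1
        # Drop the query string so varying parameters do not hide a hot page
        counts["path"][m.group("path").split("?", 1)[0]] += 1
        counts["referer"][m.group("referer")] += 1
        counts["agent"][m.group("agent")] += 1
    traits = {}
    for field, counter in counts.items():
        if counter:
            value, n = counter.most_common(1)[0]
            if n / total >= min_share:
                traits[field] = (value, round(n / total, 2))
    return traits

# Constructed sample: four similar requests from different addresses, one normal visitor
SAMPLE = [
    '203.0.113.5 - - [19/Oct/2010:15:40:01 +0000] "GET /search.php?q=a HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [19/Oct/2010:15:40:01 +0000] "GET /search.php?q=b HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.44 - - [19/Oct/2010:15:40:02 +0000] "GET /search.php?q=c HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.91 - - [19/Oct/2010:15:40:02 +0000] "GET /search.php?q=d HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.10 - - [19/Oct/2010:15:40:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"',
]

if __name__ == "__main__":
    for field, (value, share) in common_traits(SAMPLE).items():
        print(f"{field}: {value!r} in {share:.0%} of requests")
```

A field that shows up here with a high share is a candidate for a refuse-connection rule or for swapping in a static page, after checking that legitimate visitors do not share the same value.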