
Is bad bots script bait for DDos attack? - food for thought and discus

News release about website FBI bust had me re-thinking


T_Rex

10:47 pm on Aug 27, 2004 (gmt 0)




After studying up on the FBI case of how these DDoS hackers took down sites, I took down my robots trap.pl, probably for good. Here is the scary info: http://www.securityfocus.com/news/9411

Apparently the originating site had PR4 and the targeted-for-attack sites had PR5 and 7.

It seems to me that the best DNS servers are going to provide protection for the SYN floods, but when they get into the HTTP floods, you are on your own. The spider traps could be a target, I think. Imagine this: they spoof the IP of their incoming "zombie machines", apparently numbering 10,000 plus, then they ask for your trap.pl with a spoofed IP and before you know it your .htaccess file is like 1 MB plus. In minutes.

I think this whole thing about trapping e-mail harvesting spiders to reduce your bandwidth by 30% is minuscule compared to the desire to maintain security on a really good site.

jdMorgan

12:43 am on Aug 28, 2004 (gmt 0)




T-Rex,

If they use the same IP address repeatedly, only the first attempt gets through to be logged or added to the ban list. The script could easily be modified to self-limit its size.

Scripts like Key_Master's are popular with "small site" Webmasters, because they don't have the budget -- or permission from their hosts -- to implement "serious" security solutions. Many have severe bandwidth limits, and they're just trying to make sure it's not wasted. It's a case of "do the best you can with what you've got to work with," and for that, it's an excellent effort. If your site gets DDoS'ed, then hopefully your host will kick in the firewall and contact you. You can then prove that you're not involved by showing them that all those requests received 403 responses.

Jim

T_Rex

2:29 pm on Aug 28, 2004 (gmt 0)




That's a great idea, Jim: "the script could easily be modified to self-limit its size".

I don’t know how to write that, but it would alleviate my security concern with having a bad bot script.

In the meantime, I did something to my .htaccess to reduce unwanted spidering from at least parts of the world. In this special case, the commerce is limited to customers who travel to the location to pick up in person. So 99.5% of the customer base is U.S. and 0.5% of the customer base is Canada. I found the allocations of /8 blocks to the various assignment agencies and simply blocked the RIPE and Asia-Pacific /8s on this one site. It's been in effect for over 24 hours now.

There is some unknown trade-off with this approach, and that is: not knowing how much of the Google algo for allocating PR is based on "direct hit" technology, the PR for this site could go down. Right now it is sitting at PR5, and has been there for a couple of years.

Here is what I modified in the .htaccess:
# Ban by Referer. "forum" also matches "forums", so one pattern covers both.
# The original patterns had a stray backslash before "forums"/"forum" (\f is a
# form feed in a regex), so they could never match a real Referer.
SetEnvIf Referer "^http://.*forum" ban
SetEnvIf Referer "^http://.*p3p" ban
# Note: <Limit> restricts only the methods listed. Apache applies a GET
# restriction to HEAD as well, but OPTIONS, TRACE etc. stay unrestricted.
<Limit GET POST>
Order allow,deny
Allow from all
Deny from env=ban
# Japan
Deny from 43.0.0.0/8
# Japan and others
Deny from 133.0.0.0/8
# LAC
Deny from 200.0.0.0/7
# NORSK
Deny from 32.0.0.0/8
# RIPE europe
Deny from 62.0.0.0/8
Deny from 80.0.0.0/5
Deny from 88.0.0.0/8
# 193.0.0.0/7 was invalid: 193 is not on a /7 boundary, and masked to a /7 it
# becomes 192.0.0.0/7, which also covers 192.168.0.0/16. Listed as /8s instead.
Deny from 193.0.0.0/8
Deny from 194.0.0.0/8
Deny from 195.0.0.0/8
Deny from 212.0.0.0/7
Deny from 217.0.0.0/8
# Asia-Pacific
# 58.0.0.0/6 and 218.0.0.0/6 were likewise misaligned (masked they become
# 56.0.0.0/6 and 216.0.0.0/6); /7 keeps the addresses as written.
Deny from 58.0.0.0/7
Deny from 196.192.0.0/13
Deny from 202.0.0.0/7
Deny from 210.0.0.0/7
Deny from 218.0.0.0/7
Deny from 222.0.0.0/8
# was "169.208.0/12", which is not a valid address (only three octets)
Deny from 169.208.0.0/12
</Limit>
# Refuse the write methods outright, whatever the source address
<Limit PUT DELETE>
Order deny,allow
Deny from all
</Limit>
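A deny list like the one above is only as good as its CIDR arithmetic: an entry whose address is not on the stated prefix boundary (58.0.0.0/6, 193.0.0.0/7, 218.0.0.0/6 in the list as originally posted) is either masked to a wider block or silently ignored, depending on the Apache version, and a malformed address (169.208.0/12) is simply an error. The checker below is an added example, not code from the thread or from Apache; it reads `deny from` lines, reports the entries that will not apply as written, suggests the aligned block that starts at the address the author actually typed, and lets you ask whether a given client IP would be denied. The sample `.htaccess` text is constructed for the example and includes a few of the posted entries.

```python
"""Check an Apache 'deny from' list for CIDR mistakes before relying on it."""
import ipaddress
import re

# Constructed sample (not the poster's whole file): a handful of the entries
# from the .htaccess above, including the ones with bad prefixes.
SAMPLE_DENY_LIST = """\
order allow,deny
allow from all
deny from env=ban
# Japan
deny from 43.0.0.0/8
deny from 58.0.0.0/6
deny from 193.0.0.0/7
deny from 169.208.0/12
"""

DENY_LINE = re.compile(r"^\s*deny\s+from\s+(\S+)", re.IGNORECASE)


def aligned_replacement(token):
    """Aligned block(s) that start at the address as written and stop where the
    masked (widened) block would end, e.g. 58.0.0.0/6 -> [58.0.0.0/7]."""
    loose = ipaddress.ip_network(token, strict=False)
    start = ipaddress.ip_address(token.split("/", 1)[0])
    return list(ipaddress.summarize_address_range(start, loose.broadcast_address))


def check_deny_list(text):
    """Return (networks, problems).

    networks: entries that parse cleanly, as ip_network objects, in file order.
    problems: (token, message) for entries that will not apply as written.
    """
    networks, problems = [], []
    for line in text.splitlines():
        m = DENY_LINE.match(line)
        if not m:
            continue
        token = m.group(1)
        if token.lower() == "all" or token.lower().startswith("env="):
            continue  # not an address rule
        try:
            networks.append(ipaddress.ip_network(token, strict=True))
        except ValueError:
            try:
                loose = ipaddress.ip_network(token, strict=False)
            except ValueError:
                problems.append((token, "not a valid address/prefix"))
                continue
            fix = ", ".join(str(n) for n in aligned_replacement(token))
            problems.append((token, "host bits set: masked it becomes %s; "
                                    "to keep the written address use %s"
                                    % (loose, fix)))
    return networks, problems


def would_deny(ip, networks):
    """True if ip falls inside any of the well-formed deny entries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, probs = check_deny_list(SAMPLE_DENY_LIST)
    for token, msg in probs:
        print("BAD  %-16s %s" % (token, msg))
    for net in nets:
        print("OK   %s" % net)
    for probe in ("43.1.2.3", "58.1.2.3", "192.168.1.1"):
        print("%-12s denied=%s" % (probe, would_deny(probe, nets)))
```

Run it against the real file before each change; an entry that shows up under BAD is one you are not actually enforcing, and `would_deny` is a quick way to confirm that your own office or monitoring addresses are not inside one of the blocks.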

py9jmas

2:45 pm on Aug 28, 2004 (gmt 0)




It seems to me that the best DNS servers are going to provide protection for the SYN floods,

DNS is primarily a UDP based service, not TCP. Some DNS servers ignore the standards and don't implement TCP at all.

then they ask for your trap.pl with a spoofed IP

Unlikely. To set up a TCP connection you need to be able to read the reply from the server to your SYN. The SYN is easy to forge; intercepting the server's reply (which will be heading for the genuine IP you're spoofing) is very difficult without access to the ISP's routers. Compromised Win95 machines on AOL won't be able to do this.

Yes, if the attackers control 10,000 machines they will be able to trip your spider trap and those 10,000 IPs will be added to your .htaccess. Is that a great loss? You should be monitoring your logs for this sort of activity anyway. Any automatic lock-out system can be turned into a DoS, like disabling computer accounts after x failed log-in attempts.
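Two points from the thread fit in one piece of code: Jim's suggestion that the trap script "self-limit its size" so a repeated IP is only ever written once, and py9jmas's observation that any automatic lock-out can be turned into a DoS, so the damage must be bounded in advance. The following is an added example, not Key_Master's script or anything posted above; it is the write-to-.htaccess part of a spider trap, written so that (a) an address is never written twice, (b) only the TCP peer address (REMOTE_ADDR, which cannot be spoofed through a completed handshake) is accepted and it must parse as an IP, (c) an allowlist of your own addresses can never be banned, and (d) the managed block is capped, dropping the oldest entries, so the file stays small however many zombies hit the trap. The marker strings, the cap of 500 entries and the `NEVER_BAN` set are assumptions for the example; the base `.htaccess` text in the test is constructed.

```python
"""Self-limiting spider-trap ban list: dedupes and caps bans written to .htaccess."""
import ipaddress
import re

# Markers so the trap only ever rewrites its own section; the hand-written rules
# around it (Referer checks, regional /8 blocks) are never touched.
BEGIN_MARK = "# BEGIN spider-trap bans (managed automatically)"
END_MARK = "# END spider-trap bans"
MAX_TRAP_ENTRIES = 500        # assumed cap: bounds file size under a flood
NEVER_BAN = {"127.0.0.1"}     # assumed allowlist: add your own/admin addresses
DENY_LINE = re.compile(r"^deny\s+from\s+(\S+)\s*$", re.IGNORECASE)


def split_sections(text):
    """Return (head, entries, tail): the lines before the managed block, the
    banned IPs in insertion order, and the lines after it. With no block yet,
    everything is head and the block will be appended at the end."""
    lines = text.splitlines()
    if BEGIN_MARK in lines and END_MARK in lines:
        b, e = lines.index(BEGIN_MARK), lines.index(END_MARK)
        if b < e:
            entries = [m.group(1) for m in map(DENY_LINE.match, lines[b + 1:e]) if m]
            return lines[:b], entries, lines[e + 1:]
    return lines, [], []


def render(head, entries, tail):
    """Rebuild the file text with the managed block in place."""
    body = [BEGIN_MARK] + ["deny from %s" % ip for ip in entries] + [END_MARK]
    return "\n".join(head + body + tail) + "\n"


def add_ban(text, remote_addr, max_entries=MAX_TRAP_ENTRIES):
    """Add remote_addr to the managed block. Returns (new_text, added).

    remote_addr must be the TCP peer address (REMOTE_ADDR), never a header such
    as X-Forwarded-For, which the client can set to anything it likes.
    """
    try:
        ip = str(ipaddress.ip_address(remote_addr))
    except ValueError:
        return text, False            # garbage never reaches the config file
    if ip in NEVER_BAN:
        return text, False            # never lock yourself out
    head, entries, tail = split_sections(text)
    if ip in entries:
        return text, False            # repeat hits from one IP cost nothing
    entries.append(ip)
    if len(entries) > max_entries:
        entries = entries[-max_entries:]   # drop the oldest bans, keep the cap
    return render(head, entries, tail), True


def banned_ips(text):
    """The addresses currently in the managed block, oldest first."""
    return split_sections(text)[1]
```

The managed block sits outside any `<Limit>` section, so the bans apply to every request method. The same cap that keeps the file small also means a determined flood can push a real offender out of the list after `max_entries` newer hits; for a small site that is the right trade, since the log, not the ban list, is where you go to investigate. On Apache 2.4 and later the `deny from` lines would be written as `Require not ip` inside a `<RequireAll>` block; the bookkeeping is unchanged.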