
How to block the Roaming Proxy Services

Beloved of Log spammers and other irritants


Angonasec

5:56 am on Jul 13, 2006 (gmt 0)



On a Virtual host account.

I tried using deny from the IP in .htaccess, but when the list grew rapidly to 60 plus I had to give up, and put up with the log spam.

However I noticed that one culprit uses the same home IP on each visit, and when that is found to be blocked quickly switches to a new IP. Like this.. (I've randomized the IPs to comply with WebmasterWorld policy.)

The 123.456.7.89 IP is the constant 'home' IP.

123.456.7.89 - - [11/Jul/2006:06:10:13 -0400] "GET /page.htm HTTP/1.1" 403 310 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
12.129.129.121 - - [11/Jul/2006:06:10:14 -0400] "GET /page.htm HTTP/1.1" 200 4450 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

Note the one second difference, showing it to be automatic.

Contacting their Far Eastern ISP would be a waste of time.

Instead of just adding the 12.129.129.121 to the deny from list is there a better way to block this home IP, perhaps using REMOTE_ADDR?

[edited by: Angonasec at 5:58 am (utc) on July 13, 2006]

jdMorgan

6:42 pm on Jul 13, 2006 (gmt 0)




> Roaming Proxy Services
> Beloved of Log spammers and other irritants

And this is why they're 'beloved' -- There's no good easy way to prevent this.

Checking REMOTE_ADDR will just give you the IP addresses you see in the request log -- HTTP is a stateless protocol, meaning that each request exists on its own, and the server has no knowledge of any relationship between a previous, current, or subsequent request.

Checking HTTP_FORWARDED, HTTP_VIA, CLIENT_IP, HTTP_FROM, HTTP_PROXY_CONNECTION, HTTP_X_FORWARDED_FOR, HTTP_X_FORWARDED, HTTP_FORWARDED_FOR, HTTP_X_COMING_FROM, and HTTP_COMING_FROM may provide some more information, but most anonymous proxies won't send any of those headers -- That's why they're called 'anonymous'. HTTP_VIA and HTTP_X_FORWARDED_FOR seem to be the most likely to be non-empty.

You could look into requiring time-stamped cookies or session cookies to allow access to any but your main entry pages (where the cookie would be set if the initial requesting IP address was determined to be 'OK'), but then, cookies can be easily spoofed unless you're clever about how you encode them.

I can't tell what, if anything, these IP addresses have in common, but maybe you can simply block larger ranges of addresses, such as "Deny from 12.129.129" which would block 12.129.129.0-255. (Note that WebmasterWorld's IP policy is that we don't allow an IP address that identifies an individual or a specific web site; However, you can post an IP that identifies an ISP or a corporation (as long as it's not your own). We do not want to play a part in creating a denial-of-service attack, and we do not allow 'advertising' of personal web sites in any form - including by IP address, so those are the driving forces behind the policy.)

I use that simple range-blocking approach to control abuse because I have literally nothing to offer to China or most of the APNIC region - my sites are simply of no use to them. But if that's not an option for you, I don't know what to suggest.

Jim
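The pattern in the original post (a 403 from the 'home' IP followed a second later by a 200 for the same page from a different IP with the same User-Agent) is easy to pull out of a log offline, and the resulting exit IPs can be collapsed into the range-style `Deny from` lines Jim suggests. The script below is an added example, not code from either poster; the log lines are constructed (RFC 5737 documentation addresses, so they point at nobody), the five-second window and the /24 prefix are assumptions, the `Deny from` syntax is the Apache 2.2 `mod_authz_host` form the thread is using, and `proxy_hints()` only checks for the proxy-revealing headers Jim lists, so an empty result proves nothing, as he notes.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample (RFC 5737 documentation addresses), mirroring the post:
# a 403 from the constant "home" IP, then the same page fetched via a new IP
# one second later with an identical User-Agent.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jul/2006:06:10:13 -0400] "GET /page.htm HTTP/1.1" 403 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
198.51.100.21 - - [11/Jul/2006:06:10:14 -0400] "GET /page.htm HTTP/1.1" 200 4450 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
192.0.2.50 - - [11/Jul/2006:06:12:00 -0400] "GET /other.htm HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jul/2006:06:15:01 -0400] "GET /page2.htm HTTP/1.1" 403 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
198.51.100.99 - - [11/Jul/2006:06:15:02 -0400] "GET /page2.htm HTTP/1.1" 200 4450 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
"""

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def find_proxy_hops(log_text, window_seconds=5):
    """Return (home_ip, proxy_ip, path) triples: a 403 followed within
    window_seconds (assumed) by a 200 for the same path and same User-Agent
    from a different IP. Assumes the log is in time order."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    hops = []
    for i, blocked in enumerate(entries):
        if blocked["status"] != 403:
            continue
        for nxt in entries[i + 1:]:
            if nxt["ts"] - blocked["ts"] > timedelta(seconds=window_seconds):
                break  # outside the window; later lines are later still
            if (nxt["status"] == 200 and nxt["path"] == blocked["path"]
                    and nxt["ua"] == blocked["ua"] and nxt["ip"] != blocked["ip"]):
                hops.append((blocked["ip"], nxt["ip"], blocked["path"]))
    return hops


def deny_prefixes(ips, prefix_len=24):
    """Collapse exit IPs into Apache 2.2 'Deny from' lines at prefix_len (assumed /24).
    Widening the block is a trade-off: it also denies everyone else in the range."""
    nets = sorted({ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips})
    return [f"Deny from {n.network_address}/{n.prefixlen}" for n in nets]


# Request headers that a non-anonymous proxy may add (the list from the reply above).
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded", "x-forwarded",
                 "forwarded-for", "client-ip", "x-coming-from", "coming-from",
                 "proxy-connection", "from")


def proxy_hints(headers):
    """Return the proxy-revealing headers present in a request, case-insensitively.
    An empty result does not mean 'no proxy': anonymous proxies strip these."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {h: lower[h] for h in PROXY_HEADERS if lower.get(h)}


if __name__ == "__main__":
    hops = find_proxy_hops(SAMPLE_LOG)
    for home, exit_ip, path in hops:
        print(f"home {home} -> exit {exit_ip} for {path}")
    print("\n".join(deny_prefixes(h[1] for h in hops)))
    print(proxy_hints({"User-Agent": "x", "Via": "1.1 someproxy"}))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the matching is on path plus User-Agent plus a short time gap, so a busy site with a popular page can produce false positives, which is why the output is meant to be reviewed before it goes into `.htaccess`.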

Angonasec

1:15 am on Jul 15, 2006 (gmt 0)



Thank you Jim, for a top class reply.
Grim reading, but I needed to hear it from an authority.

I've begun doing as you suggested, blocking the whole IP block range of the ISP who are currently allowing this abuse.

Sadly, that means I also block a couple of million innocent people from accessing our site, just because of one or two idiots. (Draining bw and messing up log files.)

It's a major national ISP, (not China) but clearly, from all the previously ignored abuse reports, they would ignore mine too.