Site under attack - block requests with a specific string

         

Lagonda

8:58 am on Jul 8, 2008 (gmt 0)

10+ Year Member



Hi,

My site's been attacked for the past days by some kind of bot that requests this, and several variations of it, "uri" being the common string:

189.72.19.61 - - [07/Jul/2008:20:18:01 +0100] "GET /discussion/140/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+'/'+uri%20+' HTTP/1.1" 200 72806 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

The /discussions/140/ is valid but the remainder is the bot inputting it. There are several IPs doing this request, one at a time.

I wonder if anyone could provide me, as I'm an htaccess illiterate, some way to block these requests, based on the "uri" string. Using it is relatively safe because in my site (forum) only one valid page uses it, and that page is of minor relevance.

As of today, this bot has already used 6 times my previous month's bandwidth... :(

TIA. :)

g1smd

12:44 pm on Jul 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If NONE of your valid URLs have %20 in them (and you really should never use a space in a URL), then I would simply block anything that requests a URL with %20 in it.

RewriteCond %{THE_REQUEST} %20
RewriteRule ^ - [F]

There may be more efficient ways of restricting this to only be checked for certain paths, like including the leading folder name, for example.
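
An added example, not part of either post: a root `.htaccess` rule set that limits the check to the leading folder, as suggested above, and matches the raw request line. It assumes mod_rewrite is enabled; the `/discussion/` prefix and the `'+uri` fragment are taken from the log line in the first post.

```apache
# Added example, not from the thread. Assumes this .htaccess sits in the site root.
RewriteEngine On

# THE_REQUEST holds the request line as sent ("GET /path HTTP/1.1"), before
# URL-decoding, so a literal %20 can be matched here. RewriteRule patterns are
# tested against the already-decoded path, where %20 has become a space.
# Match only /discussion/ paths (query string excluded) that contain either
# the '+uri fragment or an encoded space.
RewriteCond %{THE_REQUEST} "^[A-Z]+ /discussion/[^ ?]*('\+uri|%20)"

# In per-directory context the pattern has no leading slash. Requests outside
# /discussion/ never reach the condition above; matches get 403 Forbidden.
RewriteRule ^discussion/ - [F]
```

Matching the quoted `'+uri` form rather than the bare word keeps a legitimate page with "uri" in its address reachable unless it also contains that exact fragment.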

Lagonda

5:39 pm on Jul 8, 2008 (gmt 0)

10+ Year Member



Thanks for your reply, much appreciated.

Further development here: [webmasterworld.com...]