
Blocking IPs based on incoming URL

     

rajatgarg

6:49 am on Dec 10, 2008 (gmt 0)




Hi,

I have installed APF and Dos Denial on the system. However, I am still not able to block the attacker as he is using multiple IP addresses to send the spam bots with URLs like -

200 73621 "http://media.adrevolver.com/adrevolver/banner?place=31439&cpy=9678696" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"

200 100 "http://media.adrevolver.com/adrevolver/banner?place=31439&cpy=9742292" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"

"http://d3.zedo.com/jsc/d3/ff2.html?n=790;c=843/1;s=785;d=14;w=728;h=90" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"

Is there a way I can set up something like -

in file (used because apache + mongrel setup)->
/usr/local/apache2/conf/extra/httpd-vhosts.conf

# redirect all spam - like urls to a script
RewriteCond %{REQUEST_URI} ^/(zedo¦adrevolver¦trafficmp)(/)?$
RewriteRule ^.* /usr/local/ddos/ddos.sh -d %{REMOTE_ADDR} [PT,L]

However, the lines do not work.

I will really appreciate it if you can suggest how to block all/any IP addresses that are sending a type of request.

Thanks in advance for your help.

Rajat

Frank_Rizzo

9:14 am on Dec 10, 2008 (gmt 0)




Far better to use something like modsecurity.

Not only will you get comprehensive protection from common attacks but you can also add custom rules:

SecRule REQUEST_URI "media\.adrevolver\.com" "log,exec:/usr/local/ddos/ddos.sh,drop,phase:1"

You can pick up the envars in the script and thus ban or block the IP if specific words are detected.

wilderness

10:31 am on Dec 10, 2008 (gmt 0)




Is there a way I can set up something

block all/any IP addresses that are sending a type of request

#Turn on Rewrite, if NOT done previously
RewriteEngine on
# If Referer contains any of the terms, anywhere, deny access
RewriteCond %{HTTP_REFERER} (zedo¦adrevolver¦trafficmp)
RewriteRule .* - [F]

Corrections required for the forum breaking of pipe characters before use.

You may also change the second line to other options, such as the script you mentioned; however, in the event that your desire is to simply deny access, the two lines will work when the referer is shown in the request.

Frank's explanation may be more in line with what you desire to accomplish, whereas the method I've provided is SIMPLE.
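
Added example, not code from any poster in this thread: a log scan that lists the client IPs whose Referer matches the thread's pattern, and shows that the question's REQUEST_URI pattern matches none of those requests. It assumes the fragments quoted in the question are the tail of Apache combined-format log lines, so the quoted URLs sit in the Referer field; the client IPs, timestamps and request paths in the sample are constructed.

```python
import re
from collections import Counter

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Alternation from the thread, written with real pipe characters. Case-sensitive,
# like the RewriteCond on HTTP_REFERER in the thread, which has no [NC] flag.
REFERER_PATTERN = re.compile(r"(zedo|adrevolver|trafficmp)")
# The question's REQUEST_URI pattern; it is tested against the request path only.
URI_PATTERN = re.compile(r"^/(zedo|adrevolver|trafficmp)(/)?$")

# Constructed sample: client IPs (documentation ranges), timestamps and request
# paths are made up; Referer and User-Agent strings are those quoted in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Dec/2008:06:40:01 +0000] "GET / HTTP/1.1" 200 73621 "http://media.adrevolver.com/adrevolver/banner?place=31439&cpy=9678696" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
198.51.100.7 - - [10/Dec/2008:06:40:02 +0000] "GET / HTTP/1.1" 200 100 "http://media.adrevolver.com/adrevolver/banner?place=31439&cpy=9742292" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
203.0.113.25 - - [10/Dec/2008:06:40:03 +0000] "GET / HTTP/1.1" 200 100 "http://d3.zedo.com/jsc/d3/ff2.html?n=790;c=843/1;s=785;d=14;w=728;h=90" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
192.0.2.10 - - [10/Dec/2008:06:40:04 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed)"
198.51.100.99 - - [10/Dec/2008:06:40:05 +0000] "GET /contact HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0 (constructed)"
"""


def scan(log_text):
    """Return (referer_hits, uri_hits): per-client-IP match counts for each pattern."""
    referer_hits, uri_hits = Counter(), Counter()
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if m is None:
            continue  # skip lines that are not in combined format
        parts = m.group("request").split()
        path = parts[1] if len(parts) >= 2 else ""  # tolerate malformed request lines
        if REFERER_PATTERN.search(m.group("referer")):
            referer_hits[m.group("ip")] += 1
        if URI_PATTERN.search(path):
            uri_hits[m.group("ip")] += 1
    return referer_hits, uri_hits


if __name__ == "__main__":
    by_referer, by_uri = scan(SAMPLE_LOG)
    for ip, count in sorted(by_referer.items()):
        print(ip, count)
    print("REQUEST_URI pattern matches:", sum(by_uri.values()))
```

The Referer header is supplied by the client, so the scan only finds requests that actually carry it.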