Welcome to WebmasterWorld Guest from 54.198.100.0

Forum Moderators: Ocean10000 & incrediBILL & phranque

Message Too Old, No Replies

Block POSTs on domain root without affecting subdirectories

     
11:09 am on Sep 26, 2013 (gmt 0)

New User

joined:Sept 26, 2013
posts:2
votes: 0


Hello,

I'm being DDoS'ed for over 32 hours now. Since I'm kind of tired of waiting, I'm trying to block the requests.

The DDoS looks like this:

xx.141.23.246 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 432 14344
xx.150.106.0 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 427 14286
xxx.10.152.246 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 505 14344
xx.202.157.199 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 352 14344
xx.48.228.178 - - [25/Sep/2013:11:09:38 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 406 14344
xxx.134.215.206 - - [25/Sep/2013:11:09:38 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 418 14344


So what I basically want to do is block POSTs on the "/" (root of my domain). The thing is, if I use .htaccess to do this, my subdomains also are prevented of using POST. My forum is live (despite of the attack) but that is of no use without POST.

Is there a way to only disable POST for the "/" location that is being attacked? Other options that might help are most welcome too.

Thanks!

Tom
12:07 pm on Sept 26, 2013 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month

joined:Apr 30, 2008
posts:2599
votes: 179


The thing is, if I use .htaccess to do this, my subdomains also are prevented of using POST.


You need to have a RewriteCond that limits the rule to your desired host. Therefore you need to inspect the host and the request, and then returns forbidden/not found/whatever based on the host being main domain and on the request type=POST.

Something like:

RewriteCond %{HTTP_HOST} ^www.example.com [NC]
RewriteCond %{THE_REQUEST} ^POST\ /
(desired server response here - forbidden, 404 etc)
1:27 pm on Sept 26, 2013 (gmt 0)

New User

joined:Sept 26, 2013
posts:2
votes: 0


I've put a LIMIT in place to prevent the "/" that is being attacked from executing POSTS, and another LIMIT to prevent the subdirectories from being affected.

I'm trying to solve this problem on a firewall (iptables) level since that's more effective, but so far no luck.