Welcome to WebmasterWorld Guest from 54.158.51.150

Forum Moderators: Ocean10000 & incrediBILL & phranque

Message Too Old, No Replies

Block POSTs on domain root without affecting subdirectories

     
11:09 am on Sep 26, 2013 (gmt 0)



Hello,

I'm being DDoS'ed for over 32 hours now. Since I'm kind of tired of waiting, I'm trying to block the requests.

The DDoS looks like this:

xx.141.23.246 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 432 14344
xx.150.106.0 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 427 14286
xxx.10.152.246 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 505 14344
xx.202.157.199 - - [25/Sep/2013:11:09:37 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 352 14344
xx.48.228.178 - - [25/Sep/2013:11:09:38 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 406 14344
xxx.134.215.206 - - [25/Sep/2013:11:09:38 +0200] "POST / HTTP/1.1" 200 13977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 418 14344


So what I basically want to do is block POSTs on the "/" (root of my domain). The thing is, if I use .htaccess to do this, my subdomains also are prevented of using POST. My forum is live (despite of the attack) but that is of no use without POST.

Is there a way to only disable POST for the "/" location that is being attacked? Other options that might help are most welcome too.

Thanks!

Tom
12:07 pm on Sep 26, 2013 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month



The thing is, if I use .htaccess to do this, my subdomains also are prevented of using POST.


You need to have a RewriteCond that limits the rule to your desired host. Therefore you need to inspect the host and the request, and then returns forbidden/not found/whatever based on the host being main domain and on the request type=POST.

Something like:

RewriteCond %{HTTP_HOST} ^www.example.com [NC]
RewriteCond %{THE_REQUEST} ^POST\ /
(desired server response here - forbidden, 404 etc)
1:27 pm on Sep 26, 2013 (gmt 0)



I've put a LIMIT in place to prevent the "/" that is being attacked from executing POSTS, and another LIMIT to prevent the subdirectories from being affected.

I'm trying to solve this problem on a firewall (iptables) level since that's more effective, but so far no luck.
 

Featured Threads

Hot Threads This Week

Hot Threads This Month