if (requests/time > some limit) then block HTTP-requests from that use

Forum Moderators: bakedjake

Message Too Old, No Replies

how to?

RonPK

7:04 pm on Nov 25, 2003 (gmt 0)

One of my sites is being bothered by some kid who's been sending thousands of requests within 30 minutes. My server is kind enough to send the requested page, which requiers lots of bandwidth and also makes the load average go up. I guess I could block the specific IP number in .htaccess or even in ipchains, but it would be much nicer to automatically block anyone who requests lots of pages in a short time.

Can anybody point me in the right direction?

richmondsteve

4:26 pm on Nov 27, 2003 (gmt 0)

Log IPs and Unix timestamps for each page access to a DB table or text log file. Create a script which analyzes records from the last X minutes, sums the page views by IP, creates an IPCHAINS rule for any IP that exceeds a threshold value, logs the IP to a block history log file with a Unix timestamp and clears out the main log file. Call it from cron every X minutes.

Having a lot of IPs blocked via IPCHAINS will degrade performance eventually so I advise a second script which either drops blocked IPs after some period (12 hours, a week, whatever) or removes the oldest blocked IPs after those currently blocked reach a certain number (100, 500, etc.). Since you'll have a block history log you can create permanent IPCHAINS rules for IPs that are repeatedly blocked. You'll also probably want to have a whitelist of IPs from search engines and other trusted IPs/subnets depending on your thresholds.

Logging can be done in your favorite language (PHP, Perl, C, Python, etc.) and the scripts can be in something as simple as Bourne/Bash.

RonPK

2:57 pm on Nov 28, 2003 (gmt 0)

Thanks, Steve, that seems to be an efficient method.