198.**.118.37 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
211.**.63.101 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
163.**.80.2 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.1" 404 296 "-" "-"
211.**.135.169 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
210.***.24.2 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
198.**.130.37 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
198.**.118.37 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
66.***.84.204 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.1" 404 296 "-" "-"
218.**.19.73 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.1" 404 296 "-" "-"
198.**.118.36 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
198.**.130.36 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
61.***.81.73 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
210.***.128.117 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.1" 404 296 "-" "-"
212.***.2.205 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.1" 404 296 "-" "-"
198.**.118.37 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
210.***.96.6 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
198.**.130.37 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
198.**.130.37 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
216.***.87.230 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
198.**.130.36 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
218.**.19.115 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
195.***.62.140 - - [25/May/2004:09:18:36 -0400] "GET /home/portal.php HTTP/1.1" 404 296 "-" "-"
210.***.96.12 - - [25/May/2004:09:18:36 -0400] "GET /home/portal.php HTTP/1.1" 404 296 "-" "-"
I hope this can help me and anyone trying to help me, for I am already giving up...
I have seen a site having proxy browsing disabled, where they would be directed to a protected directory (I knew it because I tried browsing through proxies and I got the .htaccess user/login box), or any ideas that would just help are much appreciated. I mean, if I can break my record of staying online more than one week, that would be pretty awesome.
[edited by: jdMorgan at 2:56 pm (utc) on June 7, 2004]
[edit reason] Obscured IP addresses [/edit]
Welcome to WebmasterWorld [webmasterworld.com]!
A few ideas:
1) Ask the host to block those IP address ranges at the firewall, so their requests don't even get to your server. It will be necessary to block more than single addresses, but some of those IP addresses only differ in the last octet.
2a) Silently redirect requests for the non-existent page to a zero-byte-length file. This will minimize the length of your server's response to each request.
2b) Silently redirect requests for the non-existent page to a script which records the IP address of the request, and any HTTP headers which indicate proxy-forwarding information. You may be able to get the original address of the abuser if any one of the proxies reveals it.
3) Figure out who is attacking you. They have a reason to do so (or believe so, anyway). Denial of service and theft of bandwidth can be construed as crimes. If the attacks have followed you from one host to another across multiple server IP addresses, then this is someone specifically targeting you.
Jim
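A sketch of the recording script from idea 2b, added here as an example and not code from the thread. It assumes the trap runs as a Python CGI/WSGI handler; proxy_record and format_line are hypothetical names, and the addresses in any test input are constructed.

```python
import ipaddress

# Headers that forwarding proxies may add. The client controls every one of
# them, so recorded values are leads to verify, never proof of origin.
PROXY_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_VIA", "HTTP_FORWARDED",
                 "HTTP_CLIENT_IP")
# Ranges that cannot identify a remote host (private, loopback, link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def proxy_record(environ):
    """Build one record from a CGI/WSGI environ dict for a trapped request."""
    headers = {h: environ[h] for h in PROXY_HEADERS if environ.get(h)}
    claimed, rejected = [], []
    # X-Forwarded-For is a comma-separated chain, original client first;
    # Client-IP carries a single address.
    chain = headers.get("HTTP_X_FORWARDED_FOR", "").split(",")
    chain.append(headers.get("HTTP_CLIENT_IP", ""))
    for item in (c.strip() for c in chain):
        if not item:
            continue
        try:
            ip = ipaddress.ip_address(item)
        except ValueError:
            rejected.append(item)        # junk such as "unknown"
            continue
        if any(ip in net for net in NON_ROUTABLE):
            rejected.append(item)        # internal address behind the proxy
        elif str(ip) not in claimed:
            claimed.append(str(ip))
    return {"peer": environ.get("REMOTE_ADDR", ""), "proxied": bool(headers),
            "claimed_origins": claimed, "rejected": rejected,
            "headers": headers}


def format_line(rec):
    """Tab-separated log line. Non-printable characters are dropped from every
    field so a hostile header value cannot forge extra lines or fields."""
    def clean(s):
        return "".join(c for c in s if c.isprintable())
    fields = [rec["peer"], ",".join(rec["claimed_origins"]) or "-"]
    fields += [f"{k}={v}" for k, v in sorted(rec["headers"].items())]
    return "\t".join(clean(f) for f in fields)
```

The peer address is the only value the server observed itself; everything under claimed_origins came from request headers and needs corroboration before it is passed to a host or ISP.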
A server-internal rewrite from one requested *file* to another, as opposed to an external 301/302 URL redirect which requires the cooperation of the client browser/robot.
In this case, rewrite requests for the 404'ed files to a zero-byte 'null' file. This would cause the server to return response headers only; the content-body would be empty, so the size of the server's response is minimum.
If only the single 'portal.php' file is being requested, then simply create a blank file with that name -- no rewrite would be required in that case.
Jim
There is a lot to this. First, you'll need to set up a directory that is password-protected. Then, you'll need to detect and redirect 'proxied requests' to that directory. The reason I put 'proxied requests' in quotes is that there are several kinds: anonymous proxies, transparent proxies, etc. Some are harmless, like the proxies that all AOL users' requests pass through. Others are used for privacy or even political reasons. But most can be abused. The result is that it is very difficult to block abuse without blocking some legitimate users.
I posted some proxy-related code [webmasterworld.com] awhile back that you might use as an example to get started, but you will very probably have to modify it in order to avoid occasionally blocking legitimate users.
Jim
And this is an attacker log:
1xx.xxx.xx.xxx - - [08/Jun/2004:21:36:51 -0700] "GET /login.php HTTP/1.0" 404 1058 "-" "-"
What I want is for the server to ban him automatically if the browser info or agent info is not supplied. I hope I am making sense.
Regards
Well, a little bit, but not as bad as letting them query your database!
> ban him automatically if the browser info or agent info is not supplied
You could block if
Otherwise, you will block many legitimate requests.
# BLOCK blank referrer -AND- UA except for HEAD
RewriteCond %{REQUEST_METHOD} !^HEAD$
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F]
# BLOCK *Faked* blank referer -OR- UA
RewriteCond %{HTTP_REFERER} ^-$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$
RewriteRule .* - [F]
I suggest you take a look around WebmasterWorld for some more ideas and background on this subject. There are several threads here that may be of interest. One is now four parts long, called "a close to perfect htaccess ban list". Another is a PERL script to block malicious robots. Another is a PHP script that "blocks badly behaved runaway webcrawlers" that make too many requests in a short period of time. And the newest is a PHP version of the malicious robot PERL script. A search on Google limited to WebmasterWorld will turn these up.
Jim
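The blank referrer and User-Agent rule above can be replayed against existing access logs before it is enabled, to see which past requests it would have refused and which /24 ranges hold several of the offending addresses (the firewall idea from earlier in the thread). This is an added example, not code from the thread: dry_run is a hypothetical name, the sample lines are constructed from documentation address ranges, and only IPv4 Combined Log Format lines are handled.

```python
import re
from collections import defaultdict

# Apache Combined Log Format, as in the excerpts posted in the thread.
LINE = re.compile(
    r'(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample lines (documentation address ranges), not from the thread.
SAMPLE = """\
198.51.100.36 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
198.51.100.37 - - [25/May/2004:09:18:35 -0400] "GET /home/portal.php HTTP/1.0" 404 296 "-" "-"
203.0.113.5 - - [25/May/2004:09:18:36 -0400] "GET /home/portal.php HTTP/1.1" 404 296 "-" "-"
192.0.2.10 - - [25/May/2004:09:19:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.44 - - [25/May/2004:09:19:10 -0400] "HEAD /index.html HTTP/1.0" 200 0 "-" "-"
192.0.2.80 - - [25/May/2004:09:19:30 -0400] "GET /feed.xml HTTP/1.0" 200 2048 "-" "-"
""".splitlines()


def blank(value):
    # An absent header is logged as "-"; a header sent as a literal "-"
    # looks identical here, so the log cannot tell the two rules apart.
    return value in ("", "-")


def dry_run(lines, min_hosts=2):
    """Apply 'blank referrer AND blank UA, except HEAD' to past traffic."""
    hosts = defaultdict(set)      # /24 prefix -> distinct blocked addresses
    review, blocked, allowed = [], 0, 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        e = m.groupdict()
        if e["method"] == "HEAD" or not (blank(e["ref"]) and blank(e["ua"])):
            allowed += 1
            continue
        blocked += 1
        hosts[e["ip"].rsplit(".", 1)[0] + ".0/24"].add(e["ip"])
        if e["status"] != "404":
            # The server answered this request normally, so a 403 here
            # could hit a legitimate client: check it by hand first.
            review.append((e["ip"], e["path"]))
    ranges = sorted(n for n, h in hosts.items() if len(h) >= min_hosts)
    return {"blocked": blocked, "allowed": allowed,
            "ranges": ranges, "review": review}
```

Entries under review are the requests to look at before turning the rule on; ranges lists the /24 prefixes with at least min_hosts distinct blocked addresses.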