Welcome to WebmasterWorld Guest from 184.108.40.206
I was wondering if anyone else is currently experiencing this and what is it that you are doing to prevent it? I've found information for both Windows and Apache which I am forwarding to my hosting administrator for review. Any comments?
URL Rewriting with the Apache Webserver [engelschall.com]
I can speak for mod_rewrite, but not the others. mod_rewrite is a good way to block unwelcome visitors by IP address, user-agent, remote_host, etc., and can be used to support bad-bot traps to automate this process. But the problem is that it can only stop actual intrusions, not intrusion attempts. These rogue 'bots will still send requests to your server and clutter up your logs, in many cases totally oblivious to the fact that each of their requests elicits only a 403-Forbidden server response due to mod_rewrite blocking delivery of the requested resources.
If you are on a virtual-hosting setup, it may be possible for these requests to be deflected at the main server level, so that they don't appear in your logs, but the fact remains that the requests are still putting a load on the server.
In the specific case of NIMDA, most of its requests are ill-formed and are rejected with a 400-Bad Request before user-level .htaccess mod_rewrite is even invoked.
If you find that some particularly-aggressive 'bot is pounding your site into the ground from a fixed IP address, asking your hosting service to "black-hole" that IP address at the firewall is another possibility. That will make them go away completely, but you end up playing "whack-a-mole" trying to keep up with all the IP addresses they can use.
So, the message is mixed; There is no perfect answer. But one thing I've noticed is that if a bad-bot finds a hole in my defenses, then more seem to show up trying that same exploit. And if I plug that hole, then the attempts fall off over time as a result. So, despite the fact that the methods we have available to us at the "rent-a-host" level on shared servers are not perfect, they do have some effect, and are therefore still worth implementing.
The requests are minimal, but, enough to register on the screen when viewing statistics. I'll have my host check to see if they are coming from a fixed IP.