Gb of Bandwidth for 403s

Forum Moderators: open

Message Too Old, No Replies

Gb of Bandwidth for 403s

Bandwidth over the limit once a day

not2easy

9:12 pm on Nov 21, 2014 (gmt 0)

One of my old domains is pretty much dormant, I haven't done anything but clean out bots there and keep files up to date for nearly 3 years. If I get 20 humans a month I am surprised. I got a note from my account that it was over the bandwidth limit of 3Gb for the month so I bumped it up by a Gb and it has used that up. So I went to take a look. One IP for a Romanian Telecom is hitting repeatedly though it only gets 403s.
43,720 hits for "POST /wp-login.php HTTP/1.1" 403 from 89.38.251.13 in 12 hours. No UA or referer.

89.38.248.0 - 89.38.255.255
SC-CLAX-TELECOM-SRL

I have given them an even teenier version of the 403 because I have no way to make them stop. This is a domain in my reseller account so I can bump up the bandwidth, no problem, but is this insane or what?

wilderness

2:37 pm on Nov 22, 2014 (gmt 0)

On Sept 8th, and on a site I'm administering.
There were 30,000 PHP requests (POST in succession).

They all ate 403's because the UA was blank, however 30k in requests is still extreme.

188.132.229.zz.

This is a very small website on shared hosting with no bandwidth restrictions.
I contacted the host and they were not concerned at all.

Much of crap (PHP requests) that we are seeing is as webmasters (and never used to see) is a result of the many vulnerabilities in 3d party scripts used by Blogs and WP pages. Most webmasters for Blogs simply don't have a clue!

lucy24

7:59 pm on Nov 22, 2014 (gmt 0)

No matter what you do, every request will consume bandwidth. This remains true even if you return an empty "" 403 page. The only alternative is to set up a firewall so requests don't even reach the server. I don't think most shared hosts do this.

Then again, I didn't realize some hosts still charge for bandwidth :( I thought they'd all gone over to charging for RAM. (Charging for both seems like overkill.) A static 403 page consumes as close to 0 RAM as you can get-- especially compared to the massive server load of any CMS-generated content.

aristotle

8:15 pm on Nov 22, 2014 (gmt 0)

On my sites a 403 response apparently only uses 13 bytes. See this thread:
[webmasterworld.com ]

not2easy

8:38 pm on Nov 22, 2014 (gmt 0)

In my case I'm not being charged for bandwidth exactly, it is that I have only allocated x amount of bandwidth for each domain based on history, logs and expectations, so an extra GB triggers a note and I have to go in and bump it up. I have plenty to dole out. Swapping out the 403 stopped it cold. The hits were shown in the logs as frequently as 4 per second.

What had half alerted me just before I got the "bump" notice email was something I saw in GWT, complaining about slow crawling for some URLs. Yes, I bet it was. If this happened on an active domain I would have looked into it better at the first sign.

Kendo

9:54 pm on Nov 22, 2014 (gmt 0)

Check your logs. Recently in ours I saw a lot of hits to /administrator/index.php... 5 times the usual overall hits and all from the same IP.

aristotle

10:38 pm on Nov 22, 2014 (gmt 0)

Check your logs

That's really funny. Telling the regulars in this forum to check their logs. LOL

lucy24

11:37 pm on Nov 22, 2014 (gmt 0)

On my sites a 403 response apparently only uses 13 bytes.

I looked this up recently in Apache docs [httpd.apache.org] (link to 2.2, but 2.4 is basically the same). The number shown in logs is supposed to be the size of the returned content exclusive of the header itself:

Size of response in bytes, excluding HTTP headers.

Logs also don't have any way of showing the incoming bandwidth from the initial request arriving at the server.

LogFormat --like LogLevel for error logs-- cannot be changed in htaccess.

aristotle

12:05 am on Nov 23, 2014 (gmt 0)

Well Lucy, I've always thought that it must really be more than 13 bytes if you count everything that happens. That's why I started the other thread. But for whatever reason, the logs show 13 bytes.

phranque

3:32 pm on Nov 24, 2014 (gmt 0)

perhaps 13 bytes equals "403 forbidden"