Zaphod Beeblebrox, keep in mind that the user agent can be spoofed in order to make it look like a legitimate browser instead of a pesky bot.

As I'm not too familiar with IIS, but somewhat familiar with Apache, look around to find a way to block by the subnet address, maybe blocking all of <ip removed>.* with a 403 status code (forbidden). Good luck, also, check out [webmasterworld.com...]
for IIS hints on blocking by address range.

[edited by: physics at 8:08 pm (utc) on Jan. 14, 2008]

Hi Jake,

the <ip removed> IP-number is my server, the other ones (<ips removed>) are from the Russians. And there are literally thousands of them, so blocking them is not an option.

Apart from that I would have to block them at an earlier stage, since blocking them in IIS would still drive their traffic to my site.

I just hope that by tomorrow they will have gotten weary and just stop...

[edited by: physics at 8:08 pm (utc) on Jan. 14, 2008]

Wow, the president of the galaxy in our forum!

You may want to contact your host about this... they may be able to filter the traffic at a higher level.

Yes, the worst dressed sentient being in the known universe... ;-)

I triend contacting my ISP, but since the requests come from thousands of different IP's they cannot block it.

If you make a living out of your site, you might consider seeking help from one of the few specialized companies in DDoS protection. They may be costly, though, so it's a ratio of cost vs benefice of course. But in an emergency they can re-route your traffic in an hour or so without moving your servers, or if those attacks are regular they can host you.

I don't know the policy about naming vendors on this boards, being new around here, but if you PM me I'll give you a good name. Or if I'm allowed too, I'll post it here.

Thanks, Jerome, but paying a lot of money simply isn't an option. I do host some 15 small sites on that server, but most of these are my own little projects and the rest are not nearly enough to make anything remotely resembling even a whiff of a living.

Thing is that it's also my test/demo server for ongoing development projects, and that's where my main pain lies, at the moment - apart from the fact that I'm paying for the darned thing without being able to use it at the moment.

I can understand why they'd want to attack sites of banks or other high-profile websites, but it's completely beyond me why they'd go for a server with marginal websites that serves maybe 100 pages a day...

Is your server dedicated or shared? They might be attacking someone else on the server if it's shared? Or it may be a test... someone looking to rent a botnet picked up a random domain to test it out before actually paying for it...

See post one - dedicated... ;-)

And it's only targeting one specific domain hosted on it, with some fallback to my main site which can also be reached by just using the IP-number as URL.

Just tested briefly turning on IIS again - 6000 pagerequests in 4 seconds...

The only reliable way to stop this is firewalling them. Letting your IIS server send a 403 response may already give a too high load on the server.

Don't know about your host, but my host has an option to rent a personal hardware firewall between my dedicated server and the internet. That might be an option, although it could mean some downtime and new IP addresses for your server.

If the requests are mainly for one site, and they are hostname based, you could change the DNS settings for that one site to a non existent number (or to one of the attacking IPs causing the attack to backfire on them ;)) (this takes some time because their DNS cache has to timeout). Also shutting down that one domainname on your server might be an option. The traffic will still come in, but IIS will hopefully not need much resources to process them.

Hi Lammert, a firewall wouldn't work because there's no waty of determining which requests are legitimate and whic aren't.

I could change the DNS settings, but that would be a temporary solution with the same level of effectiveness as shutting IIS down completely.

The other site being hit is my own main site, and without those two there's not much worth mentioning going on on that server.

Shutting down the site being hit worst was one of the first things I tried, with no discernable effect whatsoever, unfortunately...

Changing IP-addresses also wouldn't work since they're directly requesting '/index.php', which indicates they're not approaching the server based solely on IP-number, but rather through a URL...

Bugger!

Even though there are many IPs you should try to track down if all of the ips belong to a specific company. Then contact them and complain and include some relevant log files.

Regarding why is this happening ... maybe someone typed the wrong .com into their ddos script!? Or maybe you're beating them in the serps?

In any case you may be able to block all traffic from that country for a while until this situation dies down. You may want to start shopping for a host who will help you with this.

A firewall can help if you know that the attackers are mainly from one geographical region. You can block a handful of A-blocks in the firewall (AAA.0.0.0 to AAA.255.255.255) which is crude and will block access for a group of legitimate users, but the server will be available for others.

Linux installations have the iptables kernel firewall on board, which can be easily programmed via the command line to ignore single or a group of IPs. Works flawlessly on my dedicated server because incomming requests are dropped in the earliest possible stage. There is practically no load on the server, only bandwidth saturation may occur.

Windows servers have about the same facility to block ranges of IPs. It is called "IP security policy management". If you're interested, I can send you a sticky with an URL where you can find how to configure it. I think it is not allowed to post the URL here.

Why does this site have the 'Preview' button on the left? Now I have to retype the whole thing!

@physics - we're talking about tens of thousands of IP's...that's a lot of companies!

@lammert: dankjewel. I won't be able to block them on the first digit alone, since 91.138.* is Ukraine, where traffic comes from, but 91.1.* is Germany, which I don't want to block.

Guess I'll have to check the IP2Country database...

Well, it stopped as suddenly as it started...phew, am I relieved!