Results 1 to 7 of 7

Thread: How to stop attach on site?

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    329

    Question How to stop attack on site?

    I noticed strange behaviour on site that I think is some type of attach.

    In last few days, traffic on this site jumped 100 times and naturally it spends all assigned bandwidth and gets suspended.

    I analyzed http log to try to identify problem and I noticed lots of requests targeting index page on site but using POST method.

    That is surely not regular access as site never expects POST on index page. More that that, such request are very frequent and identical except they come very frequently from very spread IP addresses.

    Blocking by country would probably do better but Dathorn servers do not offer such option.

    Any hints how can I block such attacks. I can use IP block but that would use really large IP list so I would like to avoid that approach. Also I would like to stop it on web server level, before index page is hit, of possible.

    Any ideas are welcome.
    Last edited by Pedja; 12-22-2013 at 03:11 AM.

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    140

    Default

    Totally untested, and off the top of my mind: adding this to your .htaccess should block any HTTP method except GET (and, probably, HEAD)

    Code:
    <LimitExcept GET>
        Order allow,deny
        Deny from all
        Satisfy all
    </LimitExcept>

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    329

    Default

    Thanks for a hint. It might lead to the solution. I cannot deny all POST request as they areused elsewhere on site.

    For now, good candidates for filtering are POST to root of the site and POST without referal.

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Posts
    329

    Default

    I tried this in .htaccess:

    Code:
    SetEnvIf Remote_Addr ^99.99.99.99$ banned
    
    <Files index.php>
    Order Deny,Allow
    Deny from banned
    <Files>
    My intention was to create list of banned IP-s by external script and add them to .hraccess, but this primer above does not work.

    However this works, but it denies all access to index.php.


    Code:
    SetEnvIf Remote_Addr ^99.99.99.99$ banned
    
    <Files index.php>
    Order Deny,Allow
    Deny from all
    <Files>
    It seems that syntax using SetEnvIf Remote_Addr ^99.99.99.99$ banned is not supported on Dathorn servers.

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    329

    Question

    djn, your suggestion did not work. I tried also

    Code:
    <Limit GET HEAD>
      Order Allow,Deny
      Allow from all
    </Limit>
    
    <LimitExcept GET HEAD>
      Order Allow,Deny
      Deny from all
    </LimitExcept>
    Did not work too... It denies GET method but it should not.

  6. #6
    Senior Member
    Join Date
    Mar 2004
    Posts
    140

    Default

    You're right, Litespeed doesn't seem up to date with this Limit thing:
    http://www.litespeedtech.com/support...ead.php?t=3567

    Next thing I can think of is good old mod_rewrite:
    Code:
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)
    RewriteRule .* - [F]

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Posts
    329

    Default

    Andrew jumped in with

    Code:
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteRule ^$ - [F]

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •