How to stop attack on site?

  • Pedja
    Senior Member
    • Mar 2004
    • 329

    How to stop attack on site?

    I noticed strange behaviour on the site that I think is some type of attack.

    In the last few days, traffic on this site jumped 100 times and naturally it spends all assigned bandwidth and gets suspended.

    I analyzed the http log to try to identify the problem and I noticed lots of requests targeting the index page on the site but using the POST method.

    That is surely not regular access as the site never expects POST on the index page. More than that, such requests are very frequent and identical, except that they come very frequently from widely spread IP addresses.

    Blocking by country would probably do better but Dathorn servers do not offer such an option.

    Any hints on how I can block such attacks? I can use an IP block but that would need a really large IP list, so I would like to avoid that approach. Also I would like to stop it at the web server level, before the index page is hit, if possible.

    Any ideas are welcome.
    Last edited by Pedja; 12-22-2013, 03:11 AM.
  • djn
    Senior Member
    • Mar 2004
    • 140

    #2
    Totally untested, and off the top of my mind: adding this to your .htaccess should block any HTTP method except GET (and, probably, HEAD)

    Code:
    <LimitExcept GET>
        Order allow,deny
        Deny from all
        Satisfy all
    </LimitExcept>


    • Pedja
      Senior Member
      • Mar 2004
      • 329

      #3
      Thanks for the hint. It might lead to the solution. I cannot deny all POST requests as they are used elsewhere on the site.

      For now, good candidates for filtering are POST to the root of the site and POST without a referrer.


      • Pedja
        Senior Member
        • Mar 2004
        • 329

        #4
        I tried this in .htaccess:

        Code:
        # dots escaped so the pattern matches this one address literally;
        # a match sets the environment variable "banned" for the request
        SetEnvIf Remote_Addr ^99\.99\.99\.99$ banned
        
        <Files index.php>
        Order Deny,Allow
        # Deny must reference the variable as env=banned; a bare "banned"
        # is parsed as a host name, so the original line never matched
        Deny from env=banned
        </Files>
        My intention was to create a list of banned IPs with an external script and add them to .htaccess, but the example above does not work.

        However, this works, but it denies all access to index.php.


        Code:
        # dots escaped so the pattern matches this one address literally
        SetEnvIf Remote_Addr ^99\.99\.99\.99$ banned
        
        <Files index.php>
        Order Deny,Allow
        # "all" ignores the env variable, so every client is denied
        Deny from all
        </Files>
        It seems that syntax using SetEnvIf Remote_Addr ^99.99.99.99$ banned is not supported on Dathorn servers.
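An added example, not code from this thread or from Dathorn, of the external script Pedja describes in #4: it reads the access log, applies the two filter candidates from #3 (POST to the index page, no Referer) to spot the flood from #1, and emits a SetEnvIf ban list for .htaccess. The log lines, the documentation-range IPs and the threshold of three hits are constructed assumptions; the generated block uses `Deny from env=banned` (the env-variable form of Deny) and a closing `</Files>` tag, which is what Apache's access-control module expects.

```python
import re
from collections import Counter

# Regex for the Apache/LiteSpeed "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation IP ranges, not real traffic):
# two clients hammer the index page with Referer-less POSTs, one does so
# only twice, and the rest is ordinary traffic that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.10 - - [22/Dec/2013:03:01:11 +0000] "POST / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [22/Dec/2013:03:01:12 +0000] "POST / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [22/Dec/2013:03:01:13 +0000] "POST / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [22/Dec/2013:03:01:14 +0000] "POST /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [22/Dec/2013:03:01:15 +0000] "POST /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [22/Dec/2013:03:01:16 +0000] "POST / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Dec/2013:03:02:01 +0000] "POST / HTTP/1.1" 200 5120 "-" "curl/7.30"',
    '198.51.100.7 - - [22/Dec/2013:03:02:02 +0000] "POST / HTTP/1.1" 200 5120 "-" "curl/7.30"',
    '192.0.2.5 - - [22/Dec/2013:03:03:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.6 - - [22/Dec/2013:03:03:02 +0000] "POST /contact.php HTTP/1.1" 302 0 "http://example.com/contact.php" "Mozilla/5.0"',
    '192.0.2.7 - - [22/Dec/2013:03:03:03 +0000] "POST / HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"',
    'garbage line that does not parse',
]

# Paths that count as "the index page" (assumption: site is served by index.php).
INDEX_PATHS = ("/", "/index.php")


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_posts(lines, index_paths=INDEX_PATHS):
    """Count, per client IP, POST requests to the index page that carry no Referer.

    The site never expects a POST on its index page, and a browser-submitted
    form normally sends a Referer, so both conditions together single out the
    flood without touching the legitimate POSTs used elsewhere on the site.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path in index_paths and rec["referer"] in ("", "-"):
            counts[rec["ip"]] += 1
    return counts


def banned_ips(counts, threshold=3):
    """IPs that matched the filter at least `threshold` times (threshold is an assumption)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def render_htaccess(ips):
    """Emit a SetEnvIf ban list plus the matching Deny block for index.php.

    re.escape() turns the dots into literal matches, and the Deny line uses
    the env= form so that only clients that set the variable are refused.
    """
    out = [f"SetEnvIf Remote_Addr ^{re.escape(ip)}$ banned" for ip in ips]
    out += [
        "",
        "<Files index.php>",
        "    Order Deny,Allow",
        "    Deny from env=banned",
        "</Files>",
    ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    counts = suspicious_posts(SAMPLE_LOG)
    print(f"{len(counts)} distinct IPs sent Referer-less POSTs to the index page")
    print(render_htaccess(banned_ips(counts)))
```

Run it against a real log by replacing SAMPLE_LOG with the lines of the access log and appending the printed block to .htaccess; the threshold keeps a single stray POST from banning a legitimate visitor.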


        • Pedja
          Senior Member
          • Mar 2004
          • 329

          #5
          djn, your suggestion did not work. I tried also

          Code:
          <Limit GET HEAD>
            Order Allow,Deny
            Allow from all
          </Limit>
          
          <LimitExcept GET HEAD>
            Order Allow,Deny
            Deny from all
          </LimitExcept>
          Did not work either... It denies the GET method but it should not.


          • djn
            Senior Member
            • Mar 2004
            • 140

            #6
            You're right, Litespeed doesn't seem up to date with this Limit thing:
            I have been working with a customer on an issue that I realized is a problem related to litespeed, since when I tried with apache it works perfectly fine (even on the same server). My customer is trying to allow GET and password protect all the other calls. So, what he did was password protect...


            Next thing I can think of is good old mod_rewrite:
            Code:
            RewriteEngine On
            RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)
            RewriteRule .* - [F]


            • Pedja
              Senior Member
              • Mar 2004
              • 329

              #7
              Andrew jumped in with

              Code:
              RewriteEngine On
              RewriteCond %{REQUEST_METHOD} POST
              RewriteRule ^$ - [F]
