How to stop attach on site?

**Pedja** · 12-21-2013, 02:04 PM

I noticed strange behaviour on site that I think is some type of attach.

In last few days, traffic on this site jumped 100 times and naturally it spends all assigned bandwidth and gets suspended.

I analyzed http log to try to identify problem and I noticed lots of requests targeting index page on site but using POST method.

That is surely not regular access as site never expects POST on index page. More that that, such request are very frequent and identical except they come very frequently from very spread IP addresses.

Blocking by country would probably do better but Dathorn servers do not offer such option.

Any hints how can I block such attacks. I can use IP block but that would use really large IP list so I would like to avoid that approach. Also I would like to stop it on web server level, before index page is hit, of possible.

Any ideas are welcome.

**djn** · 12-21-2013, 07:24 PM

Totally untested, and off the top of my mind: adding this to your .htaccess should block any HTTP method except GET (and, probably, HEAD)

Code:

<LimitExcept GET>
    Order allow,deny
    Deny from all
    Satisfy all
</LimitExcept>

**Pedja** · 12-21-2013, 11:45 PM

Thanks for a hint. It might lead to the solution. I cannot deny all POST request as they areused elsewhere on site.

For now, good candidates for filtering are POST to root of the site and POST without referal.

**Pedja** · 12-22-2013, 02:04 AM

I tried this in .htaccess:

Code:

SetEnvIf Remote_Addr ^99.99.99.99$ banned

<Files index.php>
Order Deny,Allow
Deny from banned
<Files>

My intention was to create list of banned IP-s by external script and add them to .hraccess, but this primer above does not work.

However this works, but it denies all access to index.php.

Code:

SetEnvIf Remote_Addr ^99.99.99.99$ banned

<Files index.php>
Order Deny,Allow
Deny from all
<Files>

It seems that syntax using SetEnvIf Remote_Addr ^99.99.99.99$ banned is not supported on Dathorn servers.

**Pedja** · 12-22-2013, 04:14 AM

djn, your suggestion did not work. I tried also

Code:

<Limit GET HEAD>
  Order Allow,Deny
  Allow from all
</Limit>

<LimitExcept GET HEAD>
  Order Allow,Deny
  Deny from all
</LimitExcept>

Did not work too... It denies GET method but it should not.

**djn** · 12-22-2013, 04:39 PM

You're right, Litespeed doesn't seem up to date with this Limit thing:
http://www.litespeedtech.com/support...ead.php?t=3567

Next thing I can think of is good old mod_rewrite:

Code:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)
RewriteRule .* - [F]

**Pedja** · 12-22-2013, 11:19 PM

Andrew jumped in with

Code:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteRule ^$ - [F]

Thread: How to stop attach on site?

Thread Tools

Display

How to stop attack on site?

Thread Information

Users Browsing this Thread

Posting Permissions