I have a website running drupal which is currently under a continuous
botnet attack, which is causing major performance issues. I'm trying to
use apache's access control mechanism to block these requests.
Two characteristics of the attack requests are that they all use
HTTP/1.0, and a large percentage of them are within one domain.
When I look at my access log, most requests are coming in from:
134.230.153.27.broad.pt.fj.dynamic.163data.com.cn
129.199.159.27.broad.pt.fj.dynamic.163data.com.cn
...etc.
i tried blocking access using Apache's Deny From as follows:
<Directory /opt/drupal-7/>
Options +FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from all
Deny from .broad.pt.fj.dynamic.163data.com.cn
</Directory>
However this did not work - all requests are still being allowed in.
Note that the /opt/drupal-7 directory is a symlink to the actual
directory which has the full version number.
Also, since all the botnet requests are marked as HTTP/1.0, I tried to
restrict access to the user-registration pages using the protocol, as
follows:
SetEnvIf Request_Protocol "^HTTP/1\.0$" Bad_Req
<Location /utenti>
Order Allow,Deny
Deny from env=BadReq
</Location>
However this is blocking everything - HTTP/1.0 or 1.1. "/utenti" is the
prefix to the user registration page, password-reset page etc. I tried
changing around the Order, adding an "Allow from all" but in each case I
either end up blocking everyone or letting all requests through.
I'd appreciate any advice on how to implement the above or resolve this
issue in some other way.
--
Ramon Casha
Note: I have no control over the disclaimer message that will invariably
appear below.
DISCLAIMER
----------------------
The information transmitted in this message and any attachments is strictly
confidential and intended only for the individual or entity to whom it is
addressed.
Any form of unauthorised review, transmission, disclosure, publication,
reproduction, modification or other use of, or the taking of any action in
reliance upon any of the information contained in this e-mail by individuals or
entities other than the intended recipient is strictly prohibited.
If you are not the named addressee or the person responsible for delivering the
message to the named addressee and have received this communication in error,
you must not disclose the contents of this e-mail to any other person; or make
any copies thereof. If you are not the named recipient please delete/destroy
any and all copies that may exist, whether in electronic or hard copy for and
notify us immediately on the phone number indicated above and provide us with
details about the said e-mail received in error.
Since the Internet is not a secure medium Megabyte cannot guarantee the privacy
or confidentiality of any e-mail communications transmitted. All messages sent
to and from Megabyte Ltd may be monitored and/or recorded to ensure compliance
with internal policies and procedures. We disclaim all responsibility and
liability whatsoever in relation to any errors or omissions that may reveal
themselves in this message and in relation to any damage that may result from
any such errors or omissions. We disclaim all responsibility and liability for
any damage that may arise from the unauthorised acts of third parties and/or
the corruption of any data contained in this message.
Thank you.
