Hi Ramon.
Why use apache for the block and not a firewall? its not apache related
but i think its a better way of doing that.
You can add those addresses to blocking rules and reduce the load on the
apache before they even reach it.
I am not sure which os you use but there are simple ways of doing that
even if you dont have dedicated hardware.
Oren
On 04/09/2014 10:32 AM, Jan Vávra wrote:
Hello,
try to use an IP address or subnet instead of
.broad.pt.fj.dynamic.163data.com.cn
Jan.
Access control advice needed
I have a website running drupal which is currently under a continuous
botnet attack, which is causing major performance issues. I'm trying to
use apache's access control mechanism to block these requests.
Two characteristics of the attack requests are that they all use
HTTP/1.0, and a large percentage of them are within one domain.
When I look at my access log, most requests are coming in from:
134.230.153.27.broad.pt.fj.dynamic.163data.com.cn
129.199.159.27.broad.pt.fj.dynamic.163data.com.cn
...etc.
i tried blocking access using Apache's Deny From as follows:
<Directory /opt/drupal-7/>
Options +FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from all
Deny from .broad.pt.fj.dynamic.163data.com.cn
</Directory>
However this did not work - all requests are still being allowed in.
Note that the /opt/drupal-7 directory is a symlink to the actual
directory which has the full version number.
Also, since all the botnet requests are marked as HTTP/1.0, I tried to
restrict access to the user-registration pages using the protocol, as
follows:
SetEnvIf Request_Protocol "^HTTP/1\.0$" Bad_Req
<Location /utenti>
Order Allow,Deny
Deny from env=BadReq
</Location>
However this is blocking everything - HTTP/1.0 or 1.1. "/utenti" is the
prefix to the user registration page, password-reset page etc. I tried
changing around the Order, adding an "Allow from all" but in each case I
either end up blocking everyone or letting all requests through.
I'd appreciate any advice on how to implement the above or resolve this
issue in some other way.
--
Ramon Casha
Note: I have no control over the disclaimer message that will invariably
appear below.
*DISCLAIMER*
/The information transmitted in this message and any attachments is
strictly confidential and intended only for the individual or entity
to whom it is addressed.
Any form of unauthorised review, transmission, disclosure,
publication, reproduction, modification or other use of, or the
taking of any action in reliance upon any of the information
contained in this e-mail by individuals or entities other than the
intended recipient is strictly prohibited.
If you are not the named addressee or the person responsible for
delivering the message to the named addressee and have received this
communication in error, you must not disclose the contents of this
e-mail to any other person; or make any copies thereof. If you are
not the named recipient please delete/destroy any and all copies that
may exist, whether in electronic or hard copy for and notify us
immediately on the phone number indicated above and provide us with
details about the said e-mail received in error.
Since the Internet is not a secure medium Megabyte cannot guarantee
the privacy or confidentiality of any e-mail communications
transmitted. All messages sent to and from Megabyte Ltd may be
monitored and/or recorded to ensure compliance with internal policies
and procedures. We disclaim all responsibility and liability
whatsoever in relation to any errors or omissions that may reveal
themselves in this message and in relation to any damage that may
result from any such errors or omissions. We disclaim all
responsibility and liability for any damage that may arise from the
unauthorised acts of third parties and/or the corruption of any data
contained in this message.
Thank you./
