I have a website running Drupal which is currently under a continuous botnet attack, which is causing major performance issues. I'm trying to use Apache's access control mechanism to block these requests.

Two characteristics of the attack requests are that they all use HTTP/1.0, and a large percentage of them are within one domain. When I look at my access log, most requests are coming in from:

    134.230.153.27.broad.pt.fj.dynamic.163data.com.cn
    129.199.159.27.broad.pt.fj.dynamic.163data.com.cn
    ...etc.
I tried blocking access using Apache's Deny From as follows:

    <Directory /opt/drupal-7/>
        Options +FollowSymLinks
        AllowOverride All
        Order Allow,Deny
        Allow from all
        Deny from .broad.pt.fj.dynamic.163data.com.cn
    </Directory>
However this did not work - all requests are still being allowed in. Note that the /opt/drupal-7 directory is a symlink to the actual directory which has the full version number.
Also, since all the botnet requests are marked as HTTP/1.0, I tried to restrict access to the user-registration pages using the protocol, as follows:

    SetEnvIf Request_Protocol "^HTTP/1\.0$" Bad_Req
    <Location /utenti>
        Order Allow,Deny
        Deny from env=BadReq
    </Location>
However this is blocking everything - HTTP/1.0 or 1.1. "/utenti" is the prefix to the user registration page, password-reset page etc. I tried changing around the Order, adding an "Allow from all" but in each case I either end up blocking everyone or letting all requests through.

I'd appreciate any advice on how to implement the above or resolve this issue in some other way.
--
Ramon Casha
Note: I have no control over the disclaimer message that will invariably appear below.
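One way to get the protocol-based block from the post working, added here as an example and not taken from the original message (the variable name bad_req and the LogFormat nickname are my own choices; the Drupal paths are the ones given in the post):

```apache
# Two things in the posted config stop it from behaving as intended:
#  1. the variable set by SetEnvIf ("Bad_Req") and the one tested by
#     "Deny from env=" ("BadReq") must be spelled identically;
#  2. with "Order Allow,Deny" a request that matches no Allow line is
#     denied, so an explicit "Allow from all" is required, otherwise
#     every request to /utenti is refused regardless of protocol.
SetEnvIf Request_Protocol "^HTTP/1\.0$" bad_req

<Location /utenti>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_req
</Location>

# Apache 2.4 equivalent (mod_authz_core syntax instead of Order/Allow/Deny):
#
# <Location /utenti>
#     <RequireAll>
#         Require all granted
#         Require not env bad_req
#     </RequireAll>
# </Location>

# Check before relying on it: log the variable so you can confirm from
# the access log which requests were actually tagged. %{VAR}e prints the
# environment variable's value, "-" when it is unset. Be aware that some
# legitimate proxies and monitoring tools still send HTTP/1.0, so watch
# this column for a while before blocking on it site-wide.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" bad_req=%{bad_req}e" tagged
CustomLog logs/access_log tagged

# Why the hostname-based Deny in the <Directory> block may never match:
# "Deny from .broad.pt.fj.dynamic.163data.com.cn" makes httpd do a
# double-reverse lookup (PTR of the client IP, then an A lookup of that
# name, which must return the same IP). Dynamic-pool hostnames like
# these often have a PTR record but no matching forward record, in
# which case the name is discarded and the rule is silently skipped.
# Denying by address range (replace with the ranges seen in your own
# access log; the value below is a placeholder, not a real attacker
# range) does not depend on DNS at all:
<Directory /opt/drupal-7/>
    Options +FollowSymLinks
    AllowOverride All
    Order Allow,Deny
    Allow from all
    Deny from 192.0.2.0/24
</Directory>
```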