Spamming my site

Posted: Sat Sep 25, 2010 1:13 pm

Hello,

I am getting hammered by someone from several IP address' in China with:

Quote:

120.32.120.55 - - [25/Sep/2010:06:08:31 -0500] "GET [ Only registered users can see links on this board! Get registered or login! ] HTTP/1.0" 403 - "-" ""
59.56.124.158 - - [01/Sep/2010:08:30:15 -0500] "GET [ Only registered users can see links on this board! Get registered or login! ] HTTP/1.0" 404 - "-" ""

This IP address is hitting my site 4-10 times every half hour, each hit is about 1 second apart. This site is on a shared server with other sites that require worldwide access so I cannot block it at the firewall. Is there any way to block them other than with htaccess (which I have done as you can see)?

Thanks

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

You basically have: Firewall : Server : Site.

If your host is not able to block them at the server level (Web Server) then .htaccess (Site) is your only option.

Posted: Sat Sep 25, 2010 3:14 pm

That is what I figured. Thanks.

Posted: Tue Sep 28, 2010 5:05 pm

It might be worth trying to find the user-agent, if it's the same for each IP it might be an easier method to use for bocking the attacks, or even as a secondary line of defense should they start using more IP's..

Posted: Tue Sep 28, 2010 7:43 pm

The above information is the only thing that shows in the access-log.

Worker Joined: Aug 26, 2007 Posts: 236

bbantispam has effectively stopped all spam on my site for a couple of years. The secret is to put installation code for bbantispam in config.php. [ Only registered users can see links on this board! Get registered or login! ]

Posted: Wed Sep 29, 2010 12:49 pm

I am not talking about spam as in spamming a forum. I am referring to just hitting my site 500 times a day and filling my access logs with the same thing. All instances if this occurring have been from. I am adding them to htaccess but they keep switching IP's. But, don't they still show up in my logs - just with a 403 error, instead of 404?

Posted: Wed Sep 29, 2010 1:04 pm

Email your host explaining the situation and ask them to add the list of IP's to their firewall. They'll be the first ones to suspend your account for being over bandwidth usage or resource abuse, so get in there first!
If you have times/dates in your logs they might even be able to match them with the real server logs and fine some common denominator they can use to block them.
They will probably find most of the domains on that server are being targetted.

Posted: Wed Sep 29, 2010 1:15 pm

What about the protection against DOS attacks offered by NukeSentinel? I have this option enabled.

Posted: Thu Sep 30, 2010 12:48 pm

Doulos
What sort of htaccess response are you using?

slackervaara
That works for a very specific type of DoS attack. Empty user-agent I believe. May cause issue with some proxies (bad ones basically) and some scripts that import content from other sites for example. If you enable it and there are no issues it should be great. If there are issues it might worked around with an exclusion or by adding a UA to the source is possible.

Posted: Thu Sep 30, 2010 5:31 pm

Actually, that site does not use RN, but it is written in PHP.

What do you mean by "htaccess response"?

Posted: Sat Oct 02, 2010 8:02 am

I meant did you use mod rewrite or? Just thinking of what would be the most resource friendly approach ect... Always fun to see what others are doing in response to issues like this.