__/ [John Bokma] on Thursday 13 October 2005 07:13 \__
> Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> wrote:
>
>> My site has come under heavy attacks by infected machines world-wide
>> (no idea why they chose me). It has been getting worse for the past
>> week or so and is now reaching levels that put my hosting provider in
>> jeopardy.
>>
>> The referrer seems to be a good criterion for filtering. I see about
>> 50 referring URLs, all of them from Tonga (ending with the .to
>> suffix), apart from a single German referral and one from Cocos
>> Islands (I'm serious).
>>
>> New referring URLs continue to be added as we speak, but not too
>> quickly.
>>
>> How do I write something to have Apache {die} all requests based on
>> referring URL?
>>
>> Help please... soon if possible...
>
> RewriteEngine On
> RewriteCond %{HTTP_REFERER} \.to/
> RewriteRule .* - [F]
>
> gives everything with .to/ in the URL a Forbidden (untested)

Thanks, I'll try that. I don't know how to test this trivially, so I'll be
cautious.

> Other option, as mentioned before: block out REMOTE_ADDR based on country
> assigned blocks.
>
> Also: check the USER_AGENT, maybe you can combine things.

It's always Windows machines as mentioned here:
http://the.taoofmac.com/space/blog/2005-10-07.19%3A18
Given the prevalence of Windows machines and/or IE, I don't think you can
use that as a discriminant without a tonnage of false positives.

Very grateful

Roy
--
Roy S. Schestowitz | "Avoid missing ball for higher score"
http://Schestowitz.com | SuSE Linux | PGP-Key: 74572E8E
10:55am up 48 days 23:09, 3 users, load average: 0.37, 0.53, 0.47
http://iuron.com - next generation of search paradigms
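
One way to check the referrer rule from this thread against existing traffic before enabling it, as an added example that is not part of the original posts: the script replays the `\.to/` pattern over access-log lines in Apache combined format and compares it with a host-anchored check. The log lines, IP addresses and host names are constructed, and `host_in_tld` is an assumed stricter alternative, not something proposed in the thread.

```python
import re
from urllib.parse import urlsplit

# Pattern from the RewriteCond in the thread: ".to/" anywhere in the Referer.
LOOSE = re.compile(r"\.to/")

# Apache combined log format; only the client IP and the Referer are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def host_in_tld(referer, tld="to"):
    """Stricter check (assumption, not from the thread): host ends in .<tld>."""
    host = (urlsplit(referer).hostname or "").lower().rstrip(".")
    return host.endswith("." + tld)

def classify(lines):
    """Return (ip, referer, loose_hit, strict_hit) for every parseable line."""
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ref = m.group("referer")
            rows.append((m.group("ip"), ref,
                         bool(LOOSE.search(ref)), host_in_tld(ref)))
    return rows

def false_positives(rows):
    """Forbidden by the loose pattern although the referring host is not .to."""
    return [r for r in rows if r[2] and not r[3]]

def missed(rows):
    """Referring host is in .to but the loose pattern does not fire."""
    return [r for r in rows if r[3] and not r[2]]

# Constructed log lines: documentation IP ranges and made-up referring hosts.
_FMT = ('{ip} - - [13/Oct/2005:07:00:01 +0000] "GET / HTTP/1.1" 200 5120 '
        '"{ref}" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"')
SAMPLE = [_FMT.format(ip=ip, ref=ref) for ip, ref in [
    ("192.0.2.10", "http://site-a.example.to/"),
    ("192.0.2.11", "http://site-b.example.to/page.html"),
    ("198.51.100.7", "http://forum.example.org/how.to/install.html"),
    ("203.0.113.5", "-"),
    ("192.0.2.12", "http://site-c.example.to"),
]]

if __name__ == "__main__":
    for ip, ref, loose, strict in classify(SAMPLE):
        print(f"{ip:<13} loose={loose!s:<5} strict={strict!s:<5} {ref}")
```

Feeding `classify` a copy of the real access log shows what the rule would have done to past requests: every row in `false_positives` is a visitor it would have turned away, and every row in `missed` is a .to referrer it would have let through.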