
Thursday, October 13th, 2005, 3:19 am

Under Zombie Attack


UNDER the quiet exterior of schestowitz.com, which continues to serve pages reasonably fast, there are actually many problems. For the past two weeks, zombie attacks have been launched against the site. As more Windows machines get infected around the world, the number of attacks surges, approaching tens of thousands per day at the moment. This is much beyond the scale that I am used to or can afford. This gives us yet another reason to hate that unsecure, ‘hijackable’ O/S that is permitted to attack reliable and resilient Linux servers.

I have tried a variety of methods to combat the scary scale of these attacks, which get worse by the hour. If anybody knows some good solutions, please send me your advice as soon as possible, before the server collapses. Here are a few valid tools apart from the ad-hoc methods I have been using thus far:

The only glaring issue with the above is that they require ownership or power over the Web server. I contacted my hosts last night as we might have to collaborate on this. It is not only my sites that get penalised, but also other eCommerce sites that depend on QoS for their income.

UPDATE (5:30AM): Can Apache be configured to block requests based on referring URL (with regex)? I could exclude .to fairly cleanly. Please reply by E-mail if you can assist.

UPDATE (10:50AM): I have been told about modsecurity.org, but I still need root access to my host’s machines.

UPDATE (11:30AM): I have also been told about Patch-o-Matic netfilter/iptables.

UPDATE (11:40AM): The following Apache rule might work, but it is yet untested:

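RewriteEngine On
# Match only referrers whose host ends in .to (dot escaped, anchored to the host so paths like /photo/ do not match)
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.to(:[0-9]+)?(/|$) [NC]
# Answer matching requests with 403 Forbidden
RewriteRule .* - [F]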

More details in a separate post to be published shortly.
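A referrer pattern can be dry-run against access-log lines before it goes live. The following is an added example, not part of the original post: it compares a loose `.to/` pattern with one anchored to the referring host, using constructed Combined Log Format lines (documentation IP addresses and made-up host names are assumptions).

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# RewriteCond patterns are unanchored searches, so re.search mirrors them.
LOOSE = re.compile(r'.to/')  # unescaped dot: any character followed by "to/"
ANCHORED = re.compile(r'^https?://[^/]+\.to(:[0-9]+)?(/|$)', re.I)  # host ends in .to

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Oct/2005:03:01:11 +0100] "GET / HTTP/1.1" 200 5120 "http://spam-example.to/" "Mozilla/4.0"
192.0.2.11 - - [13/Oct/2005:03:01:12 +0100] "GET / HTTP/1.1" 200 5120 "http://spam-example.to/page.html" "Mozilla/4.0"
198.51.100.7 - - [13/Oct/2005:03:02:40 +0100] "GET /blog/ HTTP/1.1" 200 9000 "http://www.example.com/photo/album.html" "Mozilla/5.0"
198.51.100.8 - - [13/Oct/2005:03:02:41 +0100] "GET /blog/ HTTP/1.1" 200 9000 "http://www.example.org/how-to/install" "Mozilla/5.0"
192.0.2.12 - - [13/Oct/2005:03:03:05 +0100] "GET / HTTP/1.1" 200 5120 "http://SPAM-EXAMPLE.TO" "Mozilla/4.0"
203.0.113.5 - - [13/Oct/2005:03:04:00 +0100] "GET /feed HTTP/1.1" 200 700 "-" "FeedReader"
203.0.113.6 - - [13/Oct/2005:03:04:09 +0100] "GET / HTTP/1.1" 200 5120 "http://example.net/redirect?u=x.to/" "Mozilla/5.0"
"""

def audit(log_text):
    """Return (referer, loose_hit, anchored_hit, host_is_dot_to) per parsed line."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        referer = m.group(2)
        host = urlsplit(referer).hostname or ""  # hostname is lower-cased
        rows.append((referer, bool(LOOSE.search(referer)),
                     bool(ANCHORED.search(referer)), host.endswith(".to")))
    return rows

def false_positives(rows, col):
    """Referrers a pattern would block although the host is not under .to."""
    return [r[0] for r in rows if r[col] and not r[3]]

def misses(rows, col):
    """Referrers from a .to host that a pattern would let through."""
    return [r[0] for r in rows if r[3] and not r[col]]

if __name__ == "__main__":
    rows = audit(SAMPLE_LOG)
    for name, col in (("loose", 1), ("anchored", 2)):
        print(name, "false positives:", false_positives(rows, col))
        print(name, "misses:", misses(rows, col))
```
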

2 Responses to “Under Zombie Attack”

  1. IO ERROR Says:

    Bad Behaviour was designed specifically to address automated attacks such as those you seem to be receiving here.

    Its run time is negligible, even with logging to a database.

    And it runs on much larger sites than this, with much larger traffic levels, repelling much larger zombie attacks. :)

    (By the way, you’ve got nofollow tags all over the place.)

  2. Roy Schestowitz Says:

    IO ERROR: Thanks for the advice. Regarding nofollowed links, these were added in three fixed places in the blog as duplicate content (e.g. feeds, PDF, and HTML versions) was getting indexed.

    If you dislike the backlink mumbo jumbo, you may wish to have a look at Iuron.com, which is a new project of mine (see sidebar link)
