From: Oren
Date: Wed, 09 Apr 2014 10:44:14 +0300
To: users@httpd.apache.org
Subject: Re: [users@httpd] Access control advice needed
Message-ID: <5344FA4E.4040902@taykey.com>
In-Reply-To: <5344F776.4090609@602.cz>

Hi Ramon.
Why use Apache for the block and not a firewall? It's not Apache related, but I think it's a better way of doing that.
You can add those addresses to blocking rules and reduce the load on Apache before they even reach it.
I am not sure which OS you use, but there are simple ways of doing that even if you don't have dedicated hardware.

Oren

On 04/09/2014 10:32 AM, Jan Vávra wrote:
> Hello,
> try to use an IP address or subnet instead of .broad.pt.fj.dynamic.163data.com.cn
>
> Jan.
>> Access control advice needed
>>
>> I have a website running Drupal which is currently under a continuous
>> botnet attack, which is causing major performance issues. I'm trying to
>> use Apache's access control mechanism to block these requests.
>>
>> Two characteristics of the attack requests are that they all use
>> HTTP/1.0, and a large percentage of them are within one domain.
>>
>> When I look at my access log, most requests are coming in from:
>> 134.230.153.27.broad.pt.fj.dynamic.163data.com.cn
>> 129.199.159.27.broad.pt.fj.dynamic.163data.com.cn
>> ...etc.
>>
>> I tried blocking access using Apache's Deny From as follows:
>>
>> <Directory /opt/drupal-7/>
>>     Options +FollowSymLinks
>>     AllowOverride All
>>     Order Allow,Deny
>>     Allow from all
>>     Deny from .broad.pt.fj.dynamic.163data.com.cn
>> </Directory>
>>
>> However this did not work - all requests are still being allowed in.
>> Note that the /opt/drupal-7 directory is a symlink to the actual
>> directory which has the full version number.
>>
>> Also, since all the botnet requests are marked as HTTP/1.0, I tried to
>> restrict access to the user-registration pages using the protocol, as
>> follows:
>>
>> SetEnvIf Request_Protocol "^HTTP/1\.0$" Bad_Req
>> <Location /utenti>
>>     Order Allow,Deny
>>     Deny from env=BadReq
>> </Location>
>>
>> However this is blocking everything - HTTP/1.0 or 1.1. "/utenti" is the
>> prefix to the user registration page, password-reset page etc. I tried
>> changing around the Order, adding an "Allow from all" but in each case I
>> either end up blocking everyone or letting all requests through.
>>
>> I'd appreciate any advice on how to implement the above or resolve this
>> issue in some other way.
>>
>> --
>> Ramon Casha
>>
>> Note: I have no control over the disclaimer message that will invariably
>> appear below.
>>
>>
>> DISCLAIMER
>>
>> The information transmitted in this message and any attachments is strictly confidential and intended only for the individual or entity to whom it is addressed.
>> Any form of unauthorised review, transmission, disclosure, publication, reproduction, modification or other use of, or the taking of any action in reliance upon any of the information contained in this e-mail by individuals or entities other than the intended recipient is strictly prohibited.
>> If you are not the named addressee or the person responsible for delivering the message to the named addressee and have received this communication in error, you must not disclose the contents of this e-mail to any other person; or make any copies thereof. If you are not the named recipient please delete/destroy any and all copies that may exist, whether in electronic or hard copy form, and notify us immediately on the phone number indicated above and provide us with details about the said e-mail received in error.
>> Since the Internet is not a secure medium Megabyte cannot guarantee the privacy or confidentiality of any e-mail communications transmitted. All messages sent to and from Megabyte Ltd may be monitored and/or recorded to ensure compliance with internal policies and procedures. We disclaim all responsibility and liability whatsoever in relation to any errors or omissions that may reveal themselves in this message and in relation to any damage that may result from any such errors or omissions. We disclaim all responsibility and liability for any damage that may arise from the unauthorised acts of third parties and/or the corruption of any data contained in this message.
>> Thank you.

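The two configuration blocks from Ramon's post, rewritten as an added example (not code from any message in this thread) so that they do what he intended, following Jan's advice to match on addresses rather than hostnames. It keeps the Apache 2.2 Order/Allow/Deny syntax of the original and shows the 2.4 Require form alongside. The IP addresses are assumptions: they are the octets of the logged PTR names read in reverse (134.230.153.27.broad... corresponds to 27.153.230.134), which is how that provider's reverse records are built, but they must be confirmed against the raw client addresses in the access log before use. Two points explain the behaviour Ramon saw. First, `Deny from <hostname>` only matches after a successful double-reverse DNS lookup (Apache performs it for host-based access control regardless of HostnameLookups), and the forward lookup often fails for dynamic-pool PTR names, so that rule silently never fires. Second, the SetEnvIf line sets `Bad_Req` while the Deny line tests `BadReq`; with `Order Allow,Deny` and no matching Allow, every request is denied. One more check worth making: a `<Directory>` section is matched against the path Apache builds from DocumentRoot, not against the resolved symlink target, so DocumentRoot must also be spelled `/opt/drupal-7` for this section to apply.

```apache
# Added example, not from the thread. Apache 2.2 syntax (Order/Allow/Deny);
# on 2.4 these directives need mod_access_compat, or use the Require form below.

# 1. Block by address, not hostname. The addresses are hypothetical, derived by
#    reversing the octets of the PTR names in the post; verify against the log.
<Directory /opt/drupal-7/>
    Options +FollowSymLinks
    AllowOverride All
    Order Allow,Deny
    Allow from all
    Deny from 27.153.230.134
    Deny from 27.159.199.129
    # Once the offending range is confirmed (whois, log counts), one CIDR entry
    # replaces the individual hosts, e.g.:
    # Deny from 27.153.0.0/16
</Directory>

# 2. Protocol-based rule for the registration pages. The variable name set by
#    SetEnvIf must be the one tested by Deny, and with Order Allow,Deny an
#    explicit "Allow from all" is required or nothing is ever allowed.
#    Put SetEnvIf in the server or virtual-host context (mod_setenvif).
SetEnvIf Request_Protocol "^HTTP/1\.0$" bad_req
<Location /utenti>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_req
</Location>

# Apache 2.4 equivalent of block 2 (mod_authz_core). "Require not" is only
# valid inside <RequireAll>/<RequireAny>.
# <Location /utenti>
#     <RequireAll>
#         Require all granted
#         Require not env bad_req
#     </RequireAll>
# </Location>
```

With Order Allow,Deny the Deny directives take precedence over the Allow, so HTTP/1.0 requests to /utenti get 403 and everything else passes. Genuine HTTP/1.0 clients (old proxies, some monitoring tools) are also refused on those paths, which is acceptable for a registration form but would not be for the whole site.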
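Oren's suggestion worked through as an added example that is not part of the thread: a POSIX shell script that mines the Apache access log for clients sending HTTP/1.0 requests and emits the ipset and iptables commands that drop their packets before httpd ever accepts the connection. It assumes a Linux host with ipset and iptables, the "combined" log format, and root to apply the rules. The sample log lines are constructed for the demonstration; the 27.x addresses in them are the reversed octets of the PTR names quoted in the post (an assumption, not data from the thread) and the others are documentation ranges.

```sh
#!/bin/sh
# Added example (not from the thread): block botnet clients at the packet
# filter, as Oren suggests, instead of in Apache. Assumes Linux with ipset and
# iptables, the "combined" access-log format, and root privileges to apply.

# bad_ips LOGFILE MIN_HITS
# Print, one per line, every client address that sent at least MIN_HITS
# requests whose request line ends in HTTP/1.0.
bad_ips() {
    awk -v min="$2" '
        # Field 1 is the client address; the request line is the first quoted
        # string and ends with the protocol version.
        /"[A-Z]+ [^"]* HTTP\/1\.0"/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' "$1" | sort
}

# block_rules LOGFILE MIN_HITS
# Emit the ipset/iptables commands that drop traffic from the offenders.
# Nothing is executed here: review the output, then pipe it to sh as root.
block_rules() {
    # Set entries expire after a day, so a dynamic address that is reassigned
    # to a legitimate user is released without manual cleanup.
    echo "ipset create botnet hash:ip timeout 86400 -exist"
    bad_ips "$1" "$2" | while read -r ip; do
        echo "ipset add botnet $ip timeout 86400 -exist"
    done
    # Insert the DROP rule only once: -C checks whether it is already present.
    rule="INPUT -p tcp --dport 80 -m set --match-set botnet src -j DROP"
    echo "iptables -C $rule 2>/dev/null || iptables -I $rule"
}

# Constructed sample log in combined format. The 27.x addresses are the
# reversed octets of the PTR names quoted in the thread (an assumption);
# 203.0.113.10 and 198.51.100.7 are documentation addresses.
sample_log() {
    cat <<'EOF'
27.153.230.134 - - [09/Apr/2014:10:01:02 +0300] "GET /utenti/register HTTP/1.0" 200 5123 "-" "Mozilla/4.0"
27.153.230.134 - - [09/Apr/2014:10:01:03 +0300] "POST /utenti/register HTTP/1.0" 200 5123 "-" "Mozilla/4.0"
27.159.199.129 - - [09/Apr/2014:10:01:04 +0300] "GET /utenti/password HTTP/1.0" 200 4011 "-" "Mozilla/4.0"
203.0.113.10 - - [09/Apr/2014:10:01:05 +0300] "GET /utenti/register HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Apr/2014:10:01:06 +0300] "GET /node/1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2014:10:01:07 +0300] "GET / HTTP/1.0" 200 9000 "-" "curl/7.30.0"
EOF
}

# Usage:  sh botnet-block.sh /var/log/apache2/access.log 50 | sh
# With no arguments the script runs against the constructed sample instead.
if [ $# -gt 0 ]; then
    block_rules "$1" "${2:-50}"
else
    tmp=$(mktemp) && sample_log > "$tmp" && block_rules "$tmp" 2; rm -f "$tmp"
fi
```

Run it from cron so newly active bots are picked up, and keep the threshold high enough that a single HTTP/1.0 request from an old proxy or a monitoring probe does not get a legitimate network dropped; if the collateral is still too high, narrow the awk pattern to the /utenti paths the attack is hitting. Because the filter acts on the SYN, httpd never spawns a worker for these clients, which is the load reduction Oren is pointing at.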