Date: Wed, 9 Apr 2014 20:28:17 +0200
From: Vávra Jan
To: users@httpd.apache.org
Subject: Re: [users@httpd] Access control advice needed
References: <5344F776.4090609@602.cz> <1397031500.21208.22.camel@garfield.megabyte.net>

There could be a problem with reverse DNS records. E.g. the hostname www.example.com is translated to the IP address x.x.x.x, but if the Apache server asks what the name of the address x.x.x.x is, it could get nothing, or a response such as www.somethingelse.com. So this could be your problem.

Jan.


2014-04-09 10:26 GMT+02:00 Ramon Casha <ramon.casha@megabyte.net>:

> To be honest I don't want to end up having to maintain the IP blocks
> that correspond to the computers that are sending the requests, which is
> why I tried using the partial domain name. The Apache documentation seems
> to suggest this would work:
>
>     A (partial) domain-name
>     Example:
>         Allow from apache.org
>         Allow from .net example.edu
>
> The server is running Linux so I've got iptables but, again, I want to
> avoid having to maintain the list of blocked IP addresses.
>
> The thing is, the methods I described would take care of the problems if I
> could get them to work - blocking all HTTP/1.0 requests to a specific
> location, and/or blocking everyone from that server.
>
> I am currently working around it by adding a bit of PHP code to the Drupal
> settings.php file but I'd like it to be tackled earlier than that - in
> Apache's access control or iptables for instance.
>
>
> On Erb, 2014-04-09 at 10:44 +0300, Oren wrote:
>> Hi Ramon.
>> Why use Apache for the block and not a firewall? It's not Apache related
>> but I think it's a better way of doing that.
>> You can add those addresses to blocking rules and reduce the load on
>> Apache before they even reach it.
>> I am not sure which OS you use but there are simple ways of doing that
>> even if you don't have dedicated hardware.
>>
>> Oren
>>
>> On 04/09/2014 10:32 AM, Jan Vávra wrote:
>>> Hello,
>>> try to use an IP address or subnet instead of
>>> .broad.pt.fj.dynamic.163data.com.cn
>>>
>>> Jan.
>>>
>>>> I have a website running Drupal which is currently under a continuous
>>>> botnet attack, which is causing major performance issues. I'm trying to
>>>> use Apache's access control mechanism to block these requests.
>>>>
>>>> Two characteristics of the attack requests are that they all use
>>>> HTTP/1.0, and a large percentage of them are within one domain.
>>>>
>>>> When I look at my access log, most requests are coming in from:
>>>> 134.230.153.27.broad.pt.fj.dynamic.163data.com.cn
>>>> 129.199.159.27.broad.pt.fj.dynamic.163data.com.cn
>>>> ...etc.
>>>>
>>>> I tried blocking access using Apache's Deny From as follows:
>>>>
>>>>     <Directory /opt/drupal-7/>
>>>>         Options +FollowSymLinks
>>>>         AllowOverride All
>>>>         Order Allow,Deny
>>>>         Allow from all
>>>>         Deny from .broad.pt.fj.dynamic.163data.com.cn
>>>>     </Directory>
>>>>
>>>> However this did not work - all requests are still being allowed in.
>>>> Note that the /opt/drupal-7 directory is a symlink to the actual
>>>> directory which has the full version number.
>>>>
>>>> Also, since all the botnet requests are marked as HTTP/1.0, I tried to
>>>> restrict access to the user-registration pages using the protocol, as
>>>> follows:
>>>>
>>>>     SetEnvIf Request_Protocol "^HTTP/1\.0$" Bad_Req
>>>>     <Location /utenti>
>>>>         Order Allow,Deny
>>>>         Deny from env=BadReq
>>>>     </Location>
>>>>
>>>> However this is blocking everything - HTTP/1.0 or 1.1. "/utenti" is the
>>>> prefix to the user registration page, password-reset page etc. I tried
>>>> changing around the Order, adding an "Allow from all" but in each case I
>>>> either end up blocking everyone or letting all requests through.
>>>>
>>>> I'd appreciate any advice on how to implement the above or resolve this
>>>> issue in some other way.
>>>>
>>>> --
>>>> Ramon Casha
>>>>
>>>> Note: I have no control over the disclaimer message that will invariably
>>>> appear below.
>>>>
>>>> DISCLAIMER
>>>>
>>>> The information transmitted in this message and any attachments is
>>>> strictly confidential and intended only for the individual or entity to
>>>> whom it is addressed.
>>>> Any form of unauthorised review, transmission, disclosure, publication,
>>>> reproduction, modification or other use of, or the taking of any action in
>>>> reliance upon any of the information contained in this e-mail by
>>>> individuals or entities other than the intended recipient is strictly
>>>> prohibited.
>>>> If you are not the named addressee or the person responsible for
>>>> delivering the message to the named addressee and have received this
>>>> communication in error, you must not disclose the contents of this e-mail
>>>> to any other person; or make any copies thereof. If you are not the named
>>>> recipient please delete/destroy any and all copies that may exist, whether
>>>> in electronic or hard copy form and notify us immediately on the phone
>>>> number indicated above and provide us with details about the said e-mail
>>>> received in error.
>>>> Since the Internet is not a secure medium Megabyte cannot guarantee the
>>>> privacy or confidentiality of any e-mail communications transmitted. All
>>>> messages sent to and from Megabyte Ltd may be monitored and/or recorded to
>>>> ensure compliance with internal policies and procedures. We disclaim all
>>>> responsibility and liability whatsoever in relation to any errors or
>>>> omissions that may reveal themselves in this message and in relation to any
>>>> damage that may result from any such errors or omissions. We disclaim all
>>>> responsibility and liability for any damage that may arise from the
>>>> unauthorised acts of third parties and/or the corruption of any data
>>>> contained in this message.
>>>> Thank you.
>
> --
> Ramon Casha | Technical Specialist | Software Services
> megabyte ltd | e ramon.casha@megabyte.net
> t + 356 21421600 | f + 356 21421590 | w www.megabyte.net
>
> Please consider your environmental responsibility before printing this
> e-mail
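A corrected form of the /utenti rule, added here as an example; it is not taken from the thread or from the Apache documentation. It assumes Apache 2.2, whose Order/Allow/Deny syntax the thread uses, and keeps Ramon's Bad_Req variable name. Two things differ from the posted config: with "Order Allow,Deny" at least one Allow must match or the request is rejected, so without "Allow from all" every client is denied (the "blocking everything" symptom), and the variable set by SetEnvIf has to be spelt identically in the Deny (the posted config sets Bad_Req but tests BadReq, so the Deny could never match). The Apache 2.4 equivalent is shown commented out.

```apache
# Added example, not the thread's own config. Assumes Apache 2.2 with
# mod_setenvif and mod_authz_host loaded; "Bad_Req" is an arbitrary name
# that only has to be the same in both directives.
SetEnvIf Request_Protocol "^HTTP/1\.0$" Bad_Req

<Location /utenti>
    # Allow,Deny: every request must match an Allow first, then any matching
    # Deny overrides it. Without "Allow from all" nothing is allowed at all.
    Order Allow,Deny
    Allow from all
    Deny from env=Bad_Req
</Location>

# Apache 2.4 (mod_authz_core) form of the same rule; Order/Allow/Deny are
# gone and the default-allow plus exception is written explicitly:
#
# SetEnvIf Request_Protocol "^HTTP/1\.0$" Bad_Req
# <Location /utenti>
#     <RequireAll>
#         Require all granted
#         Require not env Bad_Req
#     </RequireAll>
# </Location>
```

HTTP/1.0 is still spoken by some older proxies and monitoring probes, so it is worth grepping the access log for legitimate HTTP/1.0 traffic to /utenti before enabling the rule; confining the Deny to the registration and password-reset paths, as the thread does, keeps a false positive from locking out the rest of the site.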
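Jan's reverse-DNS point is easier to see mechanically. Apache evaluates a hostname in Allow/Deny only after a forward-confirmed ("double") reverse lookup: the client IP is resolved to a name via its PTR record, that name is resolved back via its A records, and the name counts only if the original IP is among them; an unconfirmed name is treated as no name, so a hostname Deny silently fails to match. The example below is added here and is not code from the thread or from httpd. It replaces the resolver with constructed lookup tables (documentation-range IPs, and the dynamic-pool name from Ramon's log paired with a made-up address), and it also evaluates IP and CIDR patterns to show why Jan's suggestion of a subnet involves no DNS at all.

```python
"""Forward-confirmed ("double") reverse DNS as Apache applies it to
hostname patterns in Allow/Deny, beside IP/CIDR patterns that need no DNS.

Added example, not code from the thread or from Apache httpd. The lookup
tables are constructed stand-ins for a resolver; the addresses are
documentation ranges and belong to none of the hosts named in the thread.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed PTR (reverse) records: client IP -> name the resolver returns.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "www.example.com",
    # A dynamic-pool name like the ones in the thread's access log; the IP
    # it is paired with here is made up.
    "203.0.113.27": "134.230.153.27.broad.pt.fj.dynamic.163data.com.cn",
    # PTR answers with a name whose forward record points somewhere else.
    "198.51.100.5": "www.somethingelse.com",
}

# Constructed A (forward) records: name -> addresses it resolves to.
A_RECORDS: Dict[str, List[str]] = {
    "www.example.com": ["192.0.2.10"],
    "www.somethingelse.com": ["203.0.113.77"],
    # No entry for the dynamic-pool name: its forward lookup returns nothing.
}


def double_reverse_lookup(ip: str) -> Optional[str]:
    """Return the client's name only if PTR(ip) -> name and ip is in A(name).

    This is the only name Apache will compare against a hostname pattern;
    a PTR result that does not forward-confirm is discarded.
    """
    name = PTR_RECORDS.get(ip)
    if name is None:
        return None
    if ip not in A_RECORDS.get(name, []):
        return None
    return name


def host_pattern_matches(name: str, pattern: str) -> bool:
    """Apache partial-domain-name rule: whole components only, so
    'apache.org' matches 'foo.apache.org' and 'apache.org' but not
    'fooapache.org'. A leading dot ('.net') spells the same rule out."""
    name = name.lower().rstrip(".")
    suffix = pattern.lower().lstrip(".").rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def is_denied(ip: str, deny_patterns: List[str]) -> Tuple[bool, str]:
    """Evaluate a list of 'Deny from' arguments against one client IP."""
    client = ipaddress.ip_address(ip)
    for pattern in deny_patterns:
        # IP address or CIDR subnet: decided locally, no DNS involved.
        try:
            network = ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            network = None
        if network is not None:
            if client in network:
                return True, f"{ip} is inside {pattern}"
            continue
        # Hostname pattern: only a forward-confirmed name can match.
        name = double_reverse_lookup(ip)
        if name is None:
            continue
        if host_pattern_matches(name, pattern):
            return True, f"{name} matches {pattern}"
    return False, "no pattern matched (hostname rules need a confirmed reverse lookup)"


if __name__ == "__main__":
    pool_ip = "203.0.113.27"
    print(is_denied(pool_ip, [".broad.pt.fj.dynamic.163data.com.cn"]))
    print(is_denied(pool_ip, ["203.0.113.0/24"]))
```

Every hostname rule costs Apache a PTR lookup and a forward lookup per request, which at the request rates described in the thread turns an HTTP flood into a DNS load as well; a subnet or address-range rule is both faster and immune to the unconfirmed-PTR case that the first call above demonstrates.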