Website is being attacked... need advice

Hi,

I think my site is being attacked (possibly DDoSed?) - I’ve received around 150,000+ individual page requests all from a small handful of IP addresses in the last 24 hours. All the requests have the same user agent and originate from ip-pool.com, plusserver.de and server4you.de

I was wondering what would be my best option here in terms of how to block the attack - should I block via individual IP (which will take ages) or is it possible to block the following User agent string (via .htaccess) seeing as they all have the exact user agent see below:

Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x4.90)

If so, how do I block that exact user agent via .htaccess?

Thanks.

Hi orange777, welcome to the forums,

Posting in the Apache forum might get some other options and more detailed replies, but you could try adding something like this to your htaccess file

RewriteCond %{HTTP_USER_AGENT} Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x4.90)
RewriteRule ^(.*) http://%{REMOTE_ADDR}/ [R,L]

This would send all requests back to themselves if their USER AGENT matched - even if they were legitimate.

Hi Mittineague,

I’ll give it a go and let you know how I get on :slight_smile:

Thanks.

You be beter off blocking visitors on ip’s This way risks you to block more visitors then you were planneing to do so.

Hi,

If the site is being ddosed then it is not possible to block hundreds of IPs in firewall. It would be better if you check apache access logs to ensure which URL or file is being targeted. Usually images are being targeted by attackers so make ensure that you have enabled hotlink protection for them.

Secondly harden your server firewall to block the high connections from individual IPs. If attack is still there get the help of your host.

Not so sure about that, you can pretty easily drop connections from massive amounts of IP addresses with any decent firewall. Putting that job on the web server isn’t necessary.