sven2012
Disallow access to certain page from blank referrer with .htaccess
I am having some trouble with DDOS attacks lately again.
Basically I want to disallow access to a certain path.
example from log file:
109.242.25.254 - - [23/Mar/2013:16:09:35 +0100] "GET /?op=my_account HTTP/1.1" 200 4218 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
So I want to disallow access from blank referrers or "-" referrers to the path "?op=my_account" and just send them to a 403 page.
I started like this with .htaccess:
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .*op=my_account$ - [F]
But somehow this won't work.
I think I am missing something in the second line?
RewriteCond %{HTTP_REFERER} ^\s*$
RewriteRule .* - [F]
# but I don't see how this prevents (D)DoS attacks, you'll encounter the same load
# you need to filter this kind of attack at your firewall
ASKER
This would prevent accessing all sites from no or - referrer, not only to the script "my_account".
I did it like this now, but it still seems not to work?!
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?mysite .com [NC]
RewriteCond %{QUERY_STRING} ^op=my_account$
RewriteRule ^$ - [F]
Just a couple notes on this strategy...
1) As ahoffmann mentioned earlier, you cannot stop DDoS by filtering at the server. A DDoS attack depends on presenting a huge number of requests to the server in order to consume all available resources it has for dealing with more requests. By offloading the request handling to mod_rewrite instead of your application, you are just shifting the load from the left hand to the right, so to speak. If you are facing DDoS attacks, you will need to work with your upstream providers to isolate and block the traffic before it finds you.
2) Filtering on client-provided information, such as the referrer or user agent, will do nothing for you. These values are commonly manipulated by attackers to avoid those exact defenses, and it is a trivial exercise to cloak a malicious request to appear as though it were valid. In the case of DDoS, because the return is incidental to the purpose of the request, even the remote address can be spoofed.
If you have a particular page being attacked, it probably is not a DDoS, but rather an attempt to break your application, or to re-purpose your application for their own use (e.g., sending mail, posting suspect links on an account, etc.).
ASKER
This solution worked now for me:
RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{QUERY_STRING} ^op=my_account$
RewriteRule ^$ - [F]
As for the attack: in this case this little modification helped, as I had thousands of requests from bots or proxy nets to this certain page.
If you are not logged in, this page still redirects you to the registration page, which consumes load like images, CGI script time etc.
By disallowing access from non-referrals from my site, a huge load has been taken off the server.
This solution seemed to be less work for me and with an immediate effect.
A real DDoS attack wouldn't be so easy to handle, so let's call this one a spambot attack :)
Thanks to everyone for the help!
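Added example, not part of the original thread: a simplified Python model of how mod_rewrite evaluates the three rule sets posted above in .htaccess context, run against constructed requests. It assumes Python's `re` behaves like Apache's regex engine for these patterns; all function and variable names are illustrative.

```python
import re

# Simplified model of mod_rewrite in .htaccess (per-directory) context.
# Assumptions: Python's re stands in for Apache's regex engine, RewriteCond
# lines are ANDed, and only the variables used in the thread are modelled.

def cond_matches(value, pattern):
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, value) is not None
    return hit != negate

def forbidden(rule_pattern, conds, path, query, headers):
    """True if 'RewriteRule rule_pattern - [F]' guarded by conds returns 403."""
    # RewriteRule sees only the URL-path, without the leading "/" and without
    # the query string, so a request for "/?op=my_account" is matched as "".
    rel_path = path[1:] if path.startswith("/") else path
    if re.search(rule_pattern, rel_path) is None:
        return False
    env = {
        # A header the client did not send expands to ""; the "-" in the
        # access log is only the logger's placeholder for "absent".
        "HTTP_REFERER": headers.get("Referer", ""),
        "HTTP_USER_AGENT": headers.get("User-Agent", ""),
        "QUERY_STRING": query,
    }
    return all(cond_matches(env[var], pat) for var, pat in conds)

# The three rule sets from the thread: (RewriteRule pattern, [RewriteCond ...]).
FIRST_TRY = (r".*op=my_account$", [("HTTP_USER_AGENT", r"^-?$")])
BLOCK_ALL = (r".*", [("HTTP_REFERER", r"^\s*$")])
WORKING = (r"^$", [("HTTP_REFERER", r"^-?$"),
                   ("QUERY_STRING", r"^op=my_account$")])

# Constructed requests: (path, query string, request headers).
UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10)"
BOT = ("/", "op=my_account", {"User-Agent": UA})            # no Referer
USER = ("/", "op=my_account", {"User-Agent": UA,
                               "Referer": "http://www.mysite.example/"})
DIRECT = ("/", "", {"User-Agent": UA})                      # typed-in home page

def results(rule):
    return [forbidden(*rule, *req) for req in (BOT, USER, DIRECT)]

if __name__ == "__main__":
    for name, rule in (("first try", FIRST_TRY), ("block all", BLOCK_ALL),
                       ("working", WORKING)):
        print(f"{name:10} bot/user/direct -> {results(rule)}")
```

In this model the first attempt never fires, because its pattern looks for the query string in the path and its condition tests the User-Agent rather than the Referer. The blanket rule also rejects a direct visit to the home page, while the final rule set rejects only the blank-referrer request for `?op=my_account`.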
ASKER
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?mysite
RewriteRule ^\?op=my_account$ - [F]