Stopping an attack
NancyDru - May 10, 2008 - 16:51
One of my sites is under bombardment by a malicious, albeit ineffective, attacker. His attempts end in 403 or 404 errors. Is there a way I can deliberately build in a 5-10 second delay before the error page is displayed? I think that would further frustrate him.

http://drupal.org/project/php
http://drupal.org/project/phpids might be worth looking at
===
"Give a man a fish and you feed him for a day.
Teach a man to fish and you feed him for a lifetime." -- Lao Tzu
"God helps those who help themselves." -- Benjamin Franklin
"Search is your best friend." -- Worldfallz
Thanks
I'll check it out. My search didn't find that one because it doesn't have "hacker" in it. I found Troll, but it doesn't look promising.
Delay
If the error page is PHP, you could use
<?php
sleep(5); // sleep(int $seconds): pause this many seconds before the error page is sent
?>
___________________
It’s in the detaιls…
demonstration portfolio
Thought about that until I saw this
http://drupal.org/node/131050
DOS attacks
DOS attacks usually come from scripts and delays won't do anything but suck resources out of your server.
If there is anything predictable about the requests, such as referrers, requested URLs, IP addresses, etc., you may be able to block them at the server level with a simple Apache directive.
With mod_access: http://httpd.apache.org/docs/1.3/mod/mod_access.html
With mod_rewrite: http://www.bhatt.id.au/article/41/
With mod_security: http://atomicplayboy.net/blog/2005/01/30/an-introduction-to-mod-security...
Yes, and no
There are some similarities. Generally, they seem to try some string (a command of some kind) in several different forms. Such as
http://nanwich.info/sitedoc/components/com_artlinks/artlinks.dispnew.php...?
http://nanwich.info/components/com_artlinks/artlinks.dispnew.php?mosConf...?
http://nanwich.info/sitedoc/table/components/com_artlinks/artlinks.dispn...?
I have been reading articles on those facilities. The problem is that he keeps trying different strings and different IP addresses.
He won this time because I took the site offline for a while.
Nancy Dru (formerly Nancy W. until I got married to Drupal)
Find the internet service
Find the internet service providers of every IP address that you are getting this from and report the matter.
.htaccess deny the IP addresses you do have (although if it is coming from people's PCs then you could be blocking potential visitors)
I have reported several
But most reports bounce. The few that didn't I never hear from again. Certainly I can block IPs, but I see lots of articles on the web that speak to the futility of doing so. Maybe it will help in the short run.
One thing I see in the requests is that at least half of them contain double slashes, which no real Drupal request would. I'm reading the Apache docs to see how to write a rule to block those to start with.
Nancy Dru (formerly Nancy W. until I got married to Drupal)
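A check worth running before writing a double-slash rule, as an added example that is not part of the original thread: the Python below replays access-log lines and reports how many requests a block on `//` in the path would have caught, how many source IPs they came from, whether any of them had succeeded (possible false positives), and how many failing requests the rule would miss. The log lines are constructed, the function names are hypothetical, and Apache's combined log format is assumed.

```python
import re

# Constructed sample lines in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2008:16:01:02 +0000] "GET /sitedoc//components/com_artlinks/artlinks.dispnew.php?x=http://example.invalid/a.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/May/2008:16:01:09 +0000] "GET //components/com_artlinks/artlinks.dispnew.php?x=http://example.invalid/a.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
203.0.113.5 - - [10/May/2008:16:02:11 +0000] "GET /components/com_artlinks/artlinks.dispnew.php?x=http://example.invalid/a.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
192.0.2.44 - - [10/May/2008:16:03:40 +0000] "GET /node/12?destination=http://example.org/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.45 - - [10/May/2008:16:04:00 +0000] "GET /sitedoc/table HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# client IP, identd, user, [timestamp], "METHOD target PROTOCOL", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def triage(log_text):
    """Split parsed requests into (would_block, would_pass) for a '//' path rule."""
    would_block, would_pass = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at its fields
        # Test the path only: a URL inside the query string also contains '//'.
        path = m["target"].partition("?")[0]
        entry = (m["ip"], path, int(m["status"]))
        (would_block if "//" in path else would_pass).append(entry)
    return would_block, would_pass


def summarize(log_text):
    """Count what the rule catches, what it would break, and what it misses."""
    would_block, would_pass = triage(log_text)
    return {
        "blocked": len(would_block),
        "blocked_ips": len({ip for ip, _, _ in would_block}),
        # Requests that succeeded but would now be refused: review before deploying.
        "false_positives": sum(1 for _, _, s in would_block if s < 400),
        # Failing requests the rule does not cover: another pattern is needed.
        "missed_errors": sum(1 for _, _, s in would_pass if s >= 400),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero `false_positives` count means a real page on the site is reached through a doubled slash and the rule needs narrowing first.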
Here are some more
Here are some more tips:
http://www.webmasterworld.com/webmaster/3222779.htm
http://forums.invisionpower.com/index.php?showtopic=270753
http://forums.invisionpower.com/index.php?showtopic=270133
Thanks
These look more like hacking (injection) attacks rather than DOS, although their frequency could result in that.
And my host just said they don't have ModSecurity...
Nancy Dru (formerly Nancy W. until I got married to Drupal)