Spammers: a lot of queries to non existing pages
tomceek - June 10, 2008 - 08:45
I have a big problem: a lot of queries per second to non-existent pages like www.site.com/' uri '/' uri '/' uri '/' uri '/' uri '/' uri '/' uri '/' uri '/' uri '/' uri '/' uri '/' uri '/' uri '/' uri ' and so on.
My site bandwidth is up 15-20 times, up to 20GB per day :(
My server is often down...
Which module could fight these types of attacks?
Please help!
Thanks for any answer

This sort of denial of
This sort of denial of service attack really needs to be dealt with at the webserver level before Drupal ever gets involved - suggest you talk to your webhost.
Also I can't quite decipher the URL you have given of the example non-existent page?
gpk
----
www.alexoria.co.uk
A possibility...
If the spam requests are coming from a single or well-defined set of IP addresses then you can go to admin/user/rules to add a rule to block all page requests from the relevant IP(s). This might be a workable fix until you manage to get it handled directly in Apache.
gpk
----
www.alexoria.co.uk
Deny from
If your hosting provider allows AllowOverride Limit (many do) and the perps are coming from specific IP addresses, just use
Deny from
to block particular IPs.
If they aren't, you'll have to use mod_rewrite to match on the URL.
IP's are dynamic so in few
IPs are dynamic, so in a few days I have created a long deny-by-IP list manually - no effect, the attacks still continue.
I need another solution/module to restrict, or to do something to ban, an IP which generates a lot of queries in a short time...
My hosting provider is also banning IPs manually, so they cannot help or don't want to fight with dynamic IPs...
OK then you need to identify
OK then you need to identify DOS page requests by the URL. I think mod_security is what tends to be used at the Apache level http://www.google.co.uk/search?hl=en&q=apache+mod_security&btnG=Google+S..., but you'd probably have to get your host to set up/configure this.
Is the example URL you posted originally correct? Seems to have a lot of spaces in it?
A final approach would be to put some code in your settings.php to deny dubious requests, assuming that the URLs have a pattern that can be captured e.g. in a regex. (settings.php is run in the first bootstrap phase, even before the standard Drupal access checking - see http://api.drupal.org/api/function/_drupal_bootstrap/5.)
gpk
----
www.alexoria.co.uk
yes url is correct it
Yes, the URL is correct; it sometimes varies to be shorter or longer, and the queries always go to non-existent pages (404).
Thanks for the help. I will try to discuss these issues with my hosting provider.
Is there a minimum number of
Is there a minimum number of times the pattern /' uri ' appears after the initial www.site.com? And do you actually see "uri" or something else? Is it random characters?
If your host can't help then might be best if you can post back some actual different examples of non-existent URLs the DOS used.
gpk
----
www.alexoria.co.uk
AVG LinkScanner
This could be because of AVG's LinkScanner utility. We had an issue with this at work a short while ago, where we had a lot of similar patterns in our logs like those described here. I've written a few blog posts to explain things: http://thyrhaug.net/2008/06/avg-and-their-not-that-impressive-linkscanne... and http://thyrhaug.net/2008/06/avgs-linkscanner-now-using-a-valid-ie-user-a...
Very interesting. Sounds
Very interesting. Sounds like the original problem should be fixable quite easily then. (Pro tem it would even be straightforward to block the requests with all the "uri" parts, using .htaccess - though I suspect the op has long since found a solution by now.) AVG DDOS's a Drupal site ... well well ...
gpk
----
www.alexoria.co.uk
I've had a similar problem
I've had a similar problem which I can't reproduce right now. It was with something like /rss/rss/rss/... in the URL. I'm tracking this to see if there are more ideas.
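
The thread keeps returning to two questions: how many times the path segment repeats, and which clients send it. As an added example (not code from any poster), this Python script scans Apache combined-format log lines for 404 responses whose path repeats one segment and tallies them by IP and User-Agent. The log lines, addresses and agent names are constructed, and the threshold of 3 repeats is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log format; the path may contain raw or percent-encoded spaces.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>.*?)(?: HTTP/[0-9.]+)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

def longest_repeat(path):
    """Longest run of identical consecutive path segments, after URL-decoding."""
    segments = [unquote(s) for s in path.split("?", 1)[0].split("/") if s]
    best = run = 0
    prev = None
    for seg in segments:
        run = run + 1 if seg == prev else 1
        best = max(best, run)
        prev = seg
    return best

def suspicious_hits(lines, min_repeat=3):
    """Yield (ip, agent, path) for 404s whose path repeats one segment."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["status"] == "404" and longest_repeat(m["path"]) >= min_repeat:
            yield m["ip"], m["agent"], m["path"]

def summarize(lines, min_repeat=3):
    """Count suspicious hits per client IP and per User-Agent."""
    by_ip, by_agent = Counter(), Counter()
    for ip, agent, _path in suspicious_hits(lines, min_repeat):
        by_ip[ip] += 1
        by_agent[agent] += 1
    return by_ip, by_agent

# Constructed sample lines (documentation addresses, made-up agents), not real traffic.
T = "[10/Jun/2008:08:40:01 +0000]"
SAMPLE = [
    f'192.0.2.10 - - {T} "GET /%27%20uri%20%27/%27%20uri%20%27/%27%20uri%20%27/%27%20uri%20%27 HTTP/1.1" 404 512 "-" "ExampleScanner/1.0"',
    f'192.0.2.10 - - {T} "GET /\' uri \'/\' uri \'/\' uri \' HTTP/1.1" 404 512 "-" "ExampleScanner/1.0"',
    f'192.0.2.11 - - {T} "GET /rss/rss/rss/rss HTTP/1.1" 404 512 "-" "ExampleScanner/1.0"',
    f'198.51.100.7 - - {T} "GET /node/12 HTTP/1.1" 200 8042 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - {T} "GET /missing/page HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    ips, agents = summarize(SAMPLE)
    print(ips.most_common(), agents.most_common())
```

If the hits spread across many IPs but share one User-Agent or one repeat count, that shared property is a better blocking key than the address list.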