__/ [nospam@xxxxxxxxxxxxx] on Thursday 13 October 2005 19:24 \__
> In: <dik843$2j2l$1@xxxxxxxxxxxxxxxxx>, Roy Schestowitz
> <newsgroups@xxxxxxxxxxxxxxx> wrote:
>>For the past week or two there has been a gradual increase in the amount
>>of referrer spam, hitting heavy pages specifically. I have re-directed all
>>such requests to 403.shtml, but I currently get nearly 10,000 page
>>requests that are spam every day. I checked the logs for IP addresses, but
>>I can't filter by IP blocks. It's too diverse. Have you got any tricks up
>>your sleeves? I know some tools that combat this, but they need console
>>access if not root access too.
> I'm positive this trick needs root access and there are probably much
> better ways, but, years ago..
> We had a problem like that, viruses infecting all those IIS servers which
> in turn caused them to attempt to infect apache servers.
> What I did, was to firewall them out completely via an automated script.
> This only works if you can determine what is and isn't an attack. The good
> news is you only need to do it once.
> It just drops their connection on the floor, doesn't even bother to tell
> them it failed. (that ties them up, while they sit & wait for it to time
> out they
> can't harass the next one. :-) )
> A "non root" solution might be to feed them a URL that sends oh, 1 byte
> every 30 seconds? (it'd have to flush each time) this probably isn't such
> a great idea if you have a lot of concurrent attacks as it could tie up
> all your server processes, but it could be effective if it's just a few
> two hitting you.
> I can't think of a way to do it w/out having root access. Mucking about
> with firewall rules is obviously the domain of the super user.
Thanks, Jamie. I contacted my host and received a reply last night. It seems
as if it was fruitful. They already had some extra firewall module built
onto the kernel. They did so after the last DoS attack, which brought the
server/s down a few months ago.
I am happy to be seeing a decrease in the number of attacks. The attacks
have been increasing for nearly a week and a half (2?) until yesterday.
This seemed like a scary plague that almost doubled on a daily basis. As to
some worse news, othellomaster.com, which is another domain of mine, begins
to be attacked instead. At least I have some experience and practice this
Roy S. Schestowitz | UNIX: Because a PC is a terrible thing to waste
http://Schestowitz.com | SuSE Linux | PGP-Key: 74572E8E
5:20am up 49 days 17:34, 3 users, load average: 1.12, 0.83, 0.59
http://iuron.com - next generation of search paradigms