[NBLUG/talk] webserver abuse
jake at nblug.org
Mon Jan 24 16:11:02 PST 2005
On Mon, 2005-01-24 at 15:22, Bob Blick wrote:
> I use awstats to generate stats on my vanity website. Normally there is
> about 200 to 250 megs a day of traffic, but last Wednesday I had triple
> that, and it was all from one ip address, 126.96.36.199 which was going
> through my site one link at a time, and then repeating over and over.
> Whois on it leads me to some place in Iran. I grep my logs for similar
> numbers, and I see some traffic from similar numbers, all whois the same
> name as the technical contact. So I just decided to block all of Iran in
> my .htaccess file:
That will technically solve the problem of them accessing parts of your network (in this case the web server).
Why not just block them at the edge router? Or using the firewall on the webserver?
I think blocking in Apache can be just fine, but dropping the packets entirely might be more useful.
Also, you might want to try tar pitting it with a cgi that delivers data very slowly, so they crawl one page and continue to do so until it's done loading, only to crawl the links of that page that are also part of the tar pit.
If it's a script that grabs it, you might want to just make it the first link, a non-human-readable one.
Or even set up a cgi that only gives that link to them if they come from that ip range.
Just some ideas.
What you've done is perfectly fine, I just like to experiment with other people's computing time. :-)
Jacob Appelbaum <jake at nblug.org>
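
The tarpit idea from the reply above, as an added example that is not part of the original post: a small handler that serves slow, self-linking pages only to clients in a listed range. It is written as a WSGI app rather than a CGI script, and the network (a documentation range), the function names and the chunk and delay values are all assumptions chosen for illustration.

```python
import html
import ipaddress
import time
from typing import Callable, Iterator

# Constructed example range (TEST-NET-3); substitute the range being tarpitted.
TARPIT_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def in_tarpit_range(remote_addr: str) -> bool:
    """True when the client address falls in a tarpitted network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparsable address: treat as a normal visitor
    return any(addr in net for net in TARPIT_NETS)

def tarpit_body(path: str, links: int = 5) -> str:
    """Build a page whose links all lead deeper into the tarpit."""
    base = html.escape(path.rstrip("/"), quote=True)  # path is client-supplied
    items = "".join(
        f'<li><a href="{base}/{i}">more</a></li>\n' for i in range(links)
    )
    return f"<html><body><ul>\n{items}</ul></body></html>\n"

def drip(body: str, chunk: int = 16, delay: float = 2.0,
         sleep: Callable[[float], None] = time.sleep) -> Iterator[bytes]:
    """Yield the body a few bytes at a time, pausing after each chunk."""
    data = body.encode("ascii", "replace")
    for i in range(0, len(data), chunk):
        yield data[i:i + chunk]
        sleep(delay)

def app(environ, start_response):
    """WSGI entry point: tarpit listed ranges, 404 for everyone else."""
    path = environ.get("PATH_INFO", "/")
    if in_tarpit_range(environ.get("REMOTE_ADDR", "")):
        start_response("200 OK", [("Content-Type", "text/html")])
        return drip(tarpit_body(path))
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]
```

Each dripping response holds a server worker for its whole duration, so run this where the number of concurrent tarpit connections is capped and cannot starve normal visitors.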