Tuesday, September 23, 2008

RewriteRules - A Quick Denial-of-Service Attack Solution

One of my client's boxes was absolutely dragging earlier today. The load was way higher than usual, even though nothing substantial had changed on the server. Looking at the web logs I realized that the vast majority of the traffic was coming from two unique IP addresses. I do believe we were getting DoS attacked.

Because this was a live site, I needed a quick fix. And I needed one that wouldn't require updating firewall rules or other low level box settings. The last thing I wanted to do was to make the problem worse.

I ended up writing the following RewriteRule:

 # Match on the client address itself (REMOTE_HOST may hold a reverse-DNS name).
 # The pattern is a regex, so escape the dots and anchor it, otherwise 172.95.41.173
 # or 72x95x41x173 would match too.
 RewriteCond %{REMOTE_ADDR} ^72\.95\.41\.173$ [OR]
 RewriteCond %{REMOTE_ADDR} ^72\.78\.35\.231$
 RewriteRule ^.* /disabled.php [L]

This rule says that if the client's IP address is either of the two listed, then send them to the disabled.php page. This page then gives them a message that tells them they've been denied access to our server.

As soon as I put this rule in place, the load on the server went back to a normal level. Of course, the web server is still getting beaten up by these IPs, but this simple rewrite rule is efficient enough that it doesn't care.

This rewrite solution is also easy for me to test - just drop my own IP in there and I can see what they're seeing.

This won't be our long term solution, but for getting the box back to a usable state in a hurry, it worked like a champ.

Understanding rewrite rules has to be among the top 10 best computer skills I've ever learned. Sure, they're a pain, but boy are they worth it.

1 comment:

  1. now all you need is a small script to periodically look through the logs and update the IP 'disable' list

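The rewrite rule in the post and the commenter's suggestion of a script that reads the logs and refreshes the blocklist fit together naturally. The script below is an added example, not code from the post or the commenter: it tallies requests per client address from Apache combined-format log lines, keeps the addresses at or above a threshold (skipping an allowlist so you do not lock out your own office or a load balancer), and renders them as anchored, escaped RewriteCond lines on REMOTE_ADDR with a guard so that /disabled.php itself is never rewritten again. The log lines, the threshold of 20 requests, the allowlist entry and the helper names are all constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed Apache combined-log sample (not taken from the post's server).
# The two busy addresses are the ones the post blocks; 10.0.0.5 is a normal client.
def _line(ip, path):
    return f'{ip} - - [23/Sep/2008:14:02:11 -0400] "GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/4.0"'

SAMPLE_LOG = (
    [_line("72.95.41.173", "/index.php")] * 40
    + [_line("72.78.35.231", "/search.php?q=a")] * 25
    + [_line("10.0.0.5", "/about.php")] * 3
    + ["garbage line with no address"]      # malformed line the parser must skip
)

# Assumed allowlist: addresses that must never be blocked (your own IP, proxies).
ALLOWLIST = frozenset({"203.0.113.10"})

CLIENT_IP_RE = re.compile(r"^(\S+)\s")


def client_ip(line):
    """Return the first field of a combined-log line if it is a valid IP, else None."""
    m = CLIENT_IP_RE.match(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def top_talkers(lines, min_requests, allowlist=ALLOWLIST):
    """Count requests per client and return (ip, count) pairs at or above the threshold, busiest first."""
    counts = Counter()
    for line in lines:
        ip = client_ip(line)
        if ip is not None and ip not in allowlist:
            counts[ip] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= min_requests]


def render_rewrite_rules(ips, target="/disabled.php"):
    """Render mod_rewrite lines that send the given client addresses to `target`.

    Conditions are ANDed by default, so the REQUEST_URI guard applies to the
    whole [OR] chain of address checks; without it, requests for the target page
    would be rewritten to themselves on every internal redirect.
    """
    if not ips:
        return ""
    out = [
        f"# {len(ips)} address(es) rewritten to {target}",
        f"RewriteCond %{{REQUEST_URI}} !^{re.escape(target)}$",
    ]
    for i, ip in enumerate(ips):
        flag = " [OR]" if i < len(ips) - 1 else ""     # no [OR] on the last condition
        out.append(f"RewriteCond %{{REMOTE_ADDR}} ^{re.escape(ip)}${flag}")
    out.append(f"RewriteRule ^ {target} [L]")
    return "\n".join(out)


def blocklist_from_log(lines, min_requests=20):
    """Pipeline: log lines -> addresses over threshold -> rewrite snippet."""
    ips = [ip for ip, _ in top_talkers(lines, min_requests)]
    return render_rewrite_rules(ips)


if __name__ == "__main__":
    print(blocklist_from_log(SAMPLE_LOG))
```

Two caveats when using something like this for real: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so the condition has to be written against the forwarded client address instead (for example via mod_remoteip), and a rewrite only cheapens each request rather than refusing the connection, so it buys time while a firewall-level block is arranged.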