Flutterby™! : DOS attack


DOS attack

2006-01-14 00:44:38.523151+00 by Dan Lyke 4 comments

Yow! Went to make an entry on Flutterby and noticed the server was running slow. Looked at the process table and the log and... well... the server was dealing with hundreds of referrer spammer requests. I've put together a quick hack which gives a simple text/plain response to the common keywords, apologies if you've been trying to get to the site from a domain that mentions "viagra" or any of a number of other keywords and phrases.

And, wow, we're going to have to Balkanize the net soon.

[ related topics: Flutterby Meta Net Culture ]

Comments in ascending chronological order:

#Comment Re: made: 2006-01-14 02:04:10.66659+00 by: mvandewettering

When I was getting hammered on my blog by referer and commenter spam, I started using the Bad Behavior plugin on WordPress, which tries to detect naughtiness and will eventually start denying responses to bad IPs. The problem is, of course, that it's written in PHP, so by the time it figures out that a given request is from someone who is misbehaving, you've already incurred a huge fraction of the total cost of processing his request. What I did next was to write a Python script that was run every five minutes, and would read the IP addresses of everyone in the database who'd been bad in the last twenty-four hours, and then add them to a .htaccess "Deny" line. That worked much better, and I haven't had much trouble since (knock on wood).
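The periodic blocklist-to-.htaccess approach described in the comment above, as an added example that is not the commenter's script or code from this site. The row format, marker lines and function names are assumptions made for illustration, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Hypothetical marker lines delimiting the block this script owns.
BEGIN, END = "# BEGIN auto-deny", "# END auto-deny"

def recent_bad_ips(rows, now, window=timedelta(hours=24)):
    """Validated, de-duplicated IPs from (ip_string, flagged_at) rows inside the window."""
    keep = set()
    for raw, seen in rows:
        if now - seen > window:
            continue
        try:
            # Re-serialising a parsed address means a stored value such as
            # "1.2.3.4\nAllow from all" can never reach .htaccess as a directive.
            keep.add(ipaddress.ip_address(raw.strip()))
        except ValueError:
            continue
    return [str(ip) for ip in sorted(keep, key=lambda ip: (ip.version, int(ip)))]

def render_htaccess(existing, ips):
    """Swap out only the managed block; hand-written rules are kept as they are."""
    out, skipping = [], False
    for line in existing.splitlines():
        if line.strip() == BEGIN:
            skipping = True
        elif line.strip() == END:
            skipping = False
        elif not skipping:
            out.append(line)
    block = [BEGIN] + [f"Deny from {ip}" for ip in ips] + [END]
    return "\n".join(out + block) + "\n"

def write_atomically(path, text):
    """Temp file plus rename, so Apache never reads a half-written .htaccess."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the web server must read it
    os.replace(tmp, path)

if __name__ == "__main__":
    now = datetime(2006, 1, 14, 2, 0, tzinfo=timezone.utc)
    rows = [("203.0.113.9", now - timedelta(hours=1)),   # constructed sample rows
            ("192.0.2.7", now - timedelta(hours=30)),
            ("198.51.100.4\nAllow from all", now)]
    print(render_htaccess("RewriteEngine On\n", recent_bad_ips(rows, now)), end="")
```

`Deny from` is the Apache 2.2-era access-control syntax the comment refers to; Apache 2.4 expresses the same rule with `Require not ip`.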

#Comment Re: made: 2006-01-14 04:55:24.835526+00 by: meuon

Can you define in simpler terms what a referrer spammer request is?

#Comment Re: made: 2006-01-14 05:31:44.414636+00 by: Dan Lyke

They do dummy requests to pages so that referrer trackers will show updates from them. I used to have a referrer tracker (and it showed some interesting stuff) until the first wave, but this wave they hit every page, including the ones that do a lot of database access.

I dropped the server, added a simple check to my framework for the keywords they included in their domain names that returns a text/plain message, and the attack subsided quickly.

#Comment Re: made: 2006-01-14 13:15:18.934529+00 by: meuon

Ah.. so that it shows a link on your site back to the referrer. OK, I remember that problem now. Thwack gracefully accepted.