[nycphp-talk] Urgent: Help in Defending Attack
Michael Sims
jellicle at gmail.com
Thu Feb 28 11:10:14 EST 2008
On February 28, 2008, Randal Rust wrote:
> On Thu, Feb 28, 2008 at 10:33 AM, Cliff Hirsch <cliff at pinestream.com> wrote:
> > What kind of hit? Does the url have "attack" strings? Check out phpids
> > -- might help.
>
> here is what i know:
>
> 1. got up this AM and was getting error messages that there are too
> many connections to the database
> 2. the hosting company looked at the server logs and sent me this:
>
> 7-0 28568 0/1/1 W 0.08 5 0 0.0 0.01 0.01 64.185.201.77
> ohiohistorycentral.org GET /entry.php?rec=891 HTTP/1.0

You know, all modern browsers - for the last ten years - use HTTP/1.1 rather
than 1.0. So you can probably just discard all HTTP/1.0 requests as being
clearly the work of machines rather than humans.

> 16-0 28585 0/2/2 W 0.08 2 0 0.0 0.03 0.03 127.0.0.1
> localhost.localdomain GET /dsm-server-status HTTP/1.0

Your monitoring software will stop working if you do.

Also, if you're running a niche site which it appears you are, feel free to
ban areas of the world that annoy you. I see you have requests coming in
from Mumbai, Japan, Spain, etc. It seems unlikely that these are people
actually interested in the history of Ohio. So feel free, at the server or
Apache level, to just deny requests from large swathes of the IP address
space. You won't lose many (or any) legitimate viewers.

You should solve this problem at the server or Apache level (or higher), not
at the PHP level. I don't know how much control you have over the server,
but if it's your machine, you can use, e.g., hosts.deny to block IP address
ranges that annoy you.

Michael Sims
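
A dry run of the two rules suggested in this message (reject HTTP/1.0 except from loopback, and reject chosen address ranges), added here as an example and not part of the original post. The column positions are inferred from the status rows quoted above; the extra rows, the deny range, and the names `parse_row`, `decide` and `dry_run` are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Rows 1-2 are the ones quoted in the message (unwrapped); rows 3-4 are constructed.
SAMPLE = """\
7-0 28568 0/1/1 W 0.08 5 0 0.0 0.01 0.01 64.185.201.77 ohiohistorycentral.org GET /entry.php?rec=891 HTTP/1.0
16-0 28585 0/2/2 W 0.08 2 0 0.0 0.03 0.03 127.0.0.1 localhost.localdomain GET /dsm-server-status HTTP/1.0
3-0 28570 0/4/4 W 0.10 1 0 0.0 0.02 0.02 192.0.2.10 ohiohistorycentral.org GET /entry.php?rec=12 HTTP/1.1
4-0 28571 0/1/1 W 0.05 3 0 0.0 0.01 0.01 198.51.100.7 ohiohistorycentral.org GET /entry.php?rec=13 HTTP/1.1
"""

# Constructed deny list (a documentation range), standing in for ranges you pick.
DENY_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_row(line):
    """Return (client, vhost, protocol) from one status row, or None if malformed.

    Assumed layout, inferred from the quoted rows: ten scoreboard columns,
    then client, vhost and the request line.
    """
    fields = line.split()
    if len(fields) < 15:
        return None
    try:
        client = ipaddress.ip_address(fields[10])
    except ValueError:
        return None
    return client, fields[11], fields[-1]


def decide(client, protocol):
    """Apply the rules in order: loopback exemption, range deny, HTTP/1.0 deny."""
    if client.is_loopback:
        return "allow"  # local monitoring keeps working
    if any(client in net for net in DENY_NETS):
        return "deny-range"
    if protocol == "HTTP/1.0":
        return "deny-http10"
    return "allow"


def dry_run(text):
    """Tally what each rule would do, without blocking anything."""
    tally = Counter()
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            tally["unparsed"] += 1
            continue
        client, _vhost, protocol = row
        tally[decide(client, protocol)] += 1
    return tally
```

Run it over rows saved from the server-status page during normal traffic to see how many requests each rule would turn away before enabling the rule in Apache or hosts.deny.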