Black hole with LiteSpeed?

wanah

Well-Known Member
#1
Hello,

One of our customers websites is victim of the Pushdo virus.

This virus generates a few hundred domains and makes random calls to these domains to hide its real traffic.

In 20 days our customer's website index page was viewed 25 million times by this botnet.

So far the user agent hasn't changed, so we are blocking the user agent. The requests are also sent by POST, so we will block POST and only allow GET calls if the user agent changes.

It's not possible to set up a firewall for these calls as there are too many IPs to block.

To limit the problem I'm currently defending the site with the following in its .htaccess file:

Code:
ErrorDocument 403 "403"
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^Mozilla\/4(.*)$
RewriteRule .* - [F]
The first line means the server responds only "403" (3 bytes) and not a full html page.

Is there a way to go a step further and not respond at all?

In other words, black hole / ignore the requests in order to save the 3 bytes of bandwidth used by each request.
 

mistwang

LiteSpeed Staff
#2
Change the last line of your rewrite rule to
RewriteRule .* - [E=blockbot:1]
LSWS Enterprise will reset connections from that IP and refuse to serve any request. More efficient than the [F] flag. It is a LiteSpeed-specific feature.
 

wanah

Well-Known Member
#3
I've just tested and with this setting requests are getting through.

It seems the first time they get through, then the next times they are blocked; however it's never the same IPs, so it doesn't seem to be helping.

With:
Code:
RewriteCond %{HTTP_USER_AGENT} ^Mozilla\/4(.*)$
RewriteRule .* - [E=blockbot:1]
I get:

Code:
IP - - [29/Oct/2013:15:35:25 +0100] "POST / HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

With:

Code:
RewriteCond %{HTTP_USER_AGENT} ^Mozilla\/4(.*)$
RewriteRule .* - [F]
I get:

Code:
IP - - [29/Oct/2013:15:36:43 +0100] "POST / HTTP/1.1" 403 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 

mistwang

LiteSpeed Staff
#4
Do not judge it based on the access log. The "200 0" entry means that LSWS closes the connection immediately without sending back anything; it just does not change the status code.

And you can combine it with [F] flag if you want.
No matter how big the botnet, they will reuse IP.
 

wanah

Well-Known Member
#5
How would I combine it? Like this?

Code:
RewriteRule .* - [E=blockbot:1,F]
Or maybe like this?

Code:
RewriteCond %{HTTP_USER_AGENT} ^Mozilla\/4(.*)$
RewriteRule .* - [E=blockbot:1]

RewriteCond %{HTTP_USER_AGENT} ^Mozilla\/4(.*)$
RewriteRule .* - [F,L]
 

wanah

Well-Known Member
#7
With:
Code:
RewriteRule .* - [E=blockbot:1,F]
I'm still getting success codes (200).

I also tried inverting it:

Code:
RewriteRule .* - [F,E=blockbot:1]
When I get a success code the server opens the user's file, as it gives the file size, whereas with a 403 error it gives the size of the error message.
 

mistwang

LiteSpeed Staff
#8
Wait for 4.2.5; blockbot will change the status code to 403 in the access log, but it is just cosmetic. It will be available today or tomorrow.
 

wanah

Well-Known Member
#10
Hello,

Will 4.2.5 also prevent LiteSpeed from actually opening the file to get its size and printing it to the access logs?

I believe this file size is counted towards the user's bandwidth in cPanel, and while the 403 error manages to get the bandwidth down to 3 bytes per call, the RewriteRule .* - [E=blockbot:1] rule shouldn't add any bandwidth to the user's account and shouldn't use up the resources required to get the file size.
 

wanah

Well-Known Member
#12
Hello,

I've just tested this with LiteSpeed 4.2.5.

403 is working but is not at 0…

Code:
IP - - [18/Nov/2013:08:56:03 +0100] "POST / HTTP/1.1" 403 64159 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Any chance of fixing this to make the size 0 and not the actual file size?
 

wanah

Well-Known Member
#14
Sorry this doesn't work.

Code:
ErrorDocument 403 "403"
RewriteRule .* - [F]
=> 3 bytes (403), the ErrorDocument size is respected.

Code:
ErrorDocument 403 "403"
RewriteRule .* - [E=blockbot:1]
Number of bytes: the actual file size, so variable... here for example it's 64159, so that's about 64 KB.

The problem is that we need a solution so that these errors don't count in the user's bandwidth while not responding at all.

It seems the 403 is fixed, but the server still opens the requested file to get the file size and adds it to the logs, so it's counted in the user's bandwidth.
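A small log parser, added here and not part of the thread or of LiteSpeed, that tallies requests, logged bytes and distinct IPs per user-agent class and status from access-log lines in the format quoted above. The sample lines are constructed (placeholder IPs) to mirror the three outcomes reported in the thread: "200 0" from blockbot, "403 3" from the ErrorDocument, and "403 64159" where the real file size is logged.

```python
import re
from collections import defaultdict

# Combined-log-format line as quoted in the thread; status and size are the
# fields that matter for the bandwidth question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Same user-agent prefix the RewriteCond in the thread keys on.
BOT_UA = re.compile(r'^Mozilla/4')

# Constructed sample lines (placeholder IPs) modelled on the three outcomes
# reported in the thread: blockbot reset (200 0), ErrorDocument (403 3) and
# the 4.2.5 behaviour where the real file size is logged (403 64159).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Oct/2013:15:35:25 +0100] "POST / HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.11 - - [29/Oct/2013:15:36:43 +0100] "POST / HTTP/1.1" 403 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.12 - - [18/Nov/2013:08:56:03 +0100] "POST / HTTP/1.1" 403 64159 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.5 - - [18/Nov/2013:08:57:10 +0100] "GET / HTTP/1.1" 200 64159 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/25.0"
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def summarize(log_text):
    """Count requests, logged bytes and distinct IPs per (client kind, status)."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "ips": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        kind = "bot" if BOT_UA.match(rec["ua"]) else "other"
        bucket = stats[(kind, rec["status"])]
        bucket["requests"] += 1
        bucket["bytes"] += rec["size"]
        bucket["ips"].add(rec["ip"])
    return {k: {"requests": v["requests"], "bytes": v["bytes"], "ips": len(v["ips"])}
            for k, v in stats.items()}

if __name__ == "__main__":
    for (kind, status), v in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:5} {status} requests={v['requests']} bytes={v['bytes']} ips={v['ips']}")
```

Run against a real access log, the "bytes" column for the bot buckets is exactly what gets attributed to the account's bandwidth, which makes the difference between the three rule variants measurable rather than anecdotal.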
 

wanah

Well-Known Member
#15
Hello,

We still have this issue and are having another issue: because of the number of tries to show the webpage, it's writing thousands of lines to the user's access log files.

Is there a way to not log these entries for this domain?
 