Black hole with litespeed ?

Discussion in 'General' started by wanah, Oct 29, 2013.

  1. wanah

    wanah Member

    Hello,

One of our customer's websites is a victim of the Pushdo virus.

    This virus generates a few hundred domains and does random calls to these domains to hide its real traffic.

    In 20 days our customer's website index page was viewed 25 million times by this botnet.

    So far the useragent hasn't changed so we are blocking the useragent. The requests are also sent by post so we will block post and only allow get calls if the useragent changes.

    It's not possible to set up a firewall for these calls as there are too many ip's to block.

To limit the problem I'm currently defending the site with the following in its htaccess file:

    Code:
    ErrorDocument 403 "403"
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} ^Mozilla\/4(.*)$
    RewriteRule .* - [F]
    The first line means the server responds only "403" (3 bytes) and not a full html page.

    Is there a way to go a step further and not respond at all ?

In other words, black hole / ignore the requests in order to save the 3 bytes of bandwidth used by each request.
  2. mistwang

    mistwang LiteSpeed Staff

    change the last line of your rewrite rule to
    LSWS enterprise will reset connections from that IP, refuse to serve any request. more efficient than [F] flag. it is a LiteSpeed specific feature.
  3. wanah

    wanah Member

    I've just tested and with this setting requests are getting through.

It seems the first time they get through, then the next times they are blocked; however it's never the same IPs so it doesn't seem to be helping.

    With :
    Code:
    RewriteCond %{HTTP_USER_AGENT} ^Mozilla\/4(.*)$
    RewriteRule .* - [E=blockbot:1]
    I get :

    Code:
    IP - - [29/Oct/2013:15:35:25 +0100] "POST / HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    

    With :

    Code:
    RewriteCond %{HTTP_USER_AGENT} ^Mozilla\/4(.*)$
    RewriteRule .* - [F]
    I get :

    Code:
    IP - - [29/Oct/2013:15:36:43 +0100] "POST / HTTP/1.1" 403 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    
  4. mistwang

    mistwang LiteSpeed Staff

Do not judge it based on the access log. The "200 0" entry means that LSWS closes the connection immediately without sending back anything, it just does not change the status code.

    And you can combine it with [F] flag if you want.
    No matter how big the botnet, they will reuse IP.
  5. wanah

    wanah Member

    How would I combine it ? Like this ?

    Code:
    RewriteRule .* - [E=blockbot:1,F]
    Or maybe like this ?

    Code:
    RewriteCond %{HTTP_USER_AGENT} ^Mozilla\/4(.*)$
    RewriteRule .* - [E=blockbot:1]
    
    RewriteCond %{HTTP_USER_AGENT} ^Mozilla\/4(.*)$
    RewriteRule .* - [F,L]
    Last edited: Oct 29, 2013
  6. mistwang

    mistwang LiteSpeed Staff

    first one is fine.
  7. wanah

    wanah Member

    With :
    Code:
    RewriteRule .* - [E=blockbot:1,F]
    I'm still getting success codes (200)

    I also tried inversing it :

    Code:
    RewriteRule .* - [F,E=blockbot:1]
When I get a success code the server opens the user's file, as it gives the file size, whereas with a 403 error it gives the size of the error message.
  8. mistwang

    mistwang LiteSpeed Staff

    wait for 4.2.5, blockbot will change status code to 403 in the access log. but it is just cosmetic. It will be available today or tomorrow.
  9. wanah

    wanah Member

    Great, thanks :)
  10. wanah

    wanah Member

    Hello,

Will 4.2.5 also prevent litespeed from actually opening the file to get its size and printing it to the access logs?

    I believe this file size is counted towards the user's bandwidth in cPanel, and while the 403 error manages to get the bandwidth down to 3 bytes per call, the RewriteRule .* - [E=blockbot:1] rule shouldn't add any bandwidth to the user's account and shouldn't use up the resources required to get the file size.
  11. mistwang

    mistwang LiteSpeed Staff

    It should have "403 0" in access log.
  12. wanah

    wanah Member

    Hello,

    I've just tested this with litespeed 4.2.5

    403 is working but is not at 0…

    Code:
    IP - - [18/Nov/2013:08:56:03 +0100] "POST / HTTP/1.1" 403 64159 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    
    Any chance of fixing this to make the size 0 and not the actual file size ?
  13. mistwang

    mistwang LiteSpeed Staff

    Just add

    ErrorDocument 403 ""

    in .htaccess
  14. wanah

    wanah Member

    Sorry this doesn't work.

    Code:
    ErrorDocument 403 "403"
    RewriteRule .* - [F]
=> 3 bytes (403), the ErrorDocument size is respected.

    Code:
    ErrorDocument 403 "403"
    RewriteRule .* - [E=blockbot:1]
Number of bytes: the actual file size, so variable... here for example it's 64159 so that's about 64KB.

    The problem is that we need a solution so that these errors don't count in the user's bandwidth while not responding at all.

    Seems the 403 is fixed but the server still opens the requested file to get the file size and adds it to the logs, so it's counted in the user's bandwidth.
  15. wanah

    wanah Member

    Hello,

    We have still got this issue and are having another issue: because of the number of tries to show the webpage, it's writing thousands of lines to the user's access log files.

Is there a way to not log these entries for this domain?
  16. mistwang

    mistwang LiteSpeed Staff

    Please change rewrite rule to

    RewriteRule .* - [E=blockbot:1,E=dontlog:1]
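As an added example (not code from the thread or from LiteSpeed), a small Python script that parses access-log lines in the combined format quoted above, selects the requests matching the same Mozilla/4 user-agent pattern as the RewriteCond, and reports requests and bytes per status code, flagging 403 responses that still carry the full file size instead of the 3-byte ErrorDocument. The log lines and IP addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample access-log lines modelled on the ones quoted in the thread
# (the "IP" placeholder replaced by made-up addresses; all values are invented).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Oct/2013:15:35:25 +0100] "POST / HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.11 - - [29/Oct/2013:15:36:43 +0100] "POST / HTTP/1.1" 403 3 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.12 - - [18/Nov/2013:08:56:03 +0100] "POST / HTTP/1.1" 403 64159 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [18/Nov/2013:08:57:10 +0100] "GET /index.html HTTP/1.1" 200 64159 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/25.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same pattern as the RewriteCond in the thread: the bot claims a Mozilla/4.x user agent.
BOT_UA_RE = re.compile(r"^Mozilla/4(.*)$")

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def summarize(log_text):
    """Return (requests per status, bytes per status, leaked records) for bot-UA requests.
    A record is 'leaked' when a 403 logs more than the 3-byte ErrorDocument, i.e. the
    full file size is still being accounted against the customer's bandwidth."""
    counts, bytes_by_status, leaked = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not BOT_UA_RE.match(rec["ua"]):
            continue
        counts[rec["status"]] += 1
        bytes_by_status[rec["status"]] += rec["bytes"]
        if rec["status"] == 403 and rec["bytes"] > 3:
            leaked.append(rec)
    return counts, bytes_by_status, leaked

if __name__ == "__main__":
    counts, by_status, leaked = summarize(SAMPLE_LOG)
    for status in sorted(counts):
        print(f"{status}: {counts[status]} bot requests, {by_status[status]} bytes")
    for rec in leaked:
        print("full file size logged for blocked request:", rec["ip"], rec["bytes"])
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a non-empty leaked list means the 403 responses are still being logged with the file size rather than the ErrorDocument size.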
