How come 403 errors still use bandwidth?

[felosi]

For some reason I have a site I am hosting that has been under a vampire like attack for some time. We already banned the useragent and the user banned all the ips in htaccess. So each of the bots only get a 403 when they hit the site yet the user is using over 500gb bandwidth per week all from the 403 errors. How big is the 403 response? Also it seems to still cause heavy php resource usage, is it also invoked in php?

Would having a custom error page help?

 

[mistwang]

There are still response header and body with 403 error page, it still consume bandwidth, it wont use PHP unless the custom error page is written in PHP.
You may want to block those IP at firewall level.

 

[Himanshu]

There are still response header and body with 403 error page, it still consume bandwidth, it wont use PHP unless the custom error page is written in PHP.
You may want to block those IP at firewall level.

I agree with you, Otherwise may be a simple mistake when download and uploading time from ftp. If he rename that page and from direct server and when bot come to crawl than it found 403 error on old page.

 

[chandran]

I have same problem. The 403 page consume about 300GB per day from my server bandwidth. The problem is i can't block attackter IP because he use more than 5000 bots and how i can block them ???
Also LS don't support DROP in mod_security, which apache support. I think you sould think about it.
No one of optimized ddos settings help me, my server receive 14000 Re/Sec (70Mb/s) attack and litespeed only can limit proces by the user. I think if only Drop work,everything gose ok.

 

[chandran]

Also there is another problem with it. "nolog" don't work when i use this rule:
SecRule REQUEST_HEADERS:User-Agent "AttackBot" "deny,nolog,status:403"

The LS start create error logfile with 2GB size and rotate them. 250GB of my hard drive used by error log file of one of my server website which was under attack. how i can limit error log size or disable error log or error log rotate ?

 

[mistwang]

This should have been addressed in the latest 4.0.12 build, please download and upgrade manually again.
We will add DROP support to 4.1RC3 release.

 

[chandran]

i have 4.0.12 . but Drop don't work on it.

 

[mistwang]

"nolog" issue was addressed in latest 4.0.12 build, "DROP" action will be added in 4.1RC3.

 

[chandran]

Hi
i installed this new version some days ago. but when i use this rules in Mod_secuirty:
SecRule REQUEST_HEADERS:User-Agent "AttackBot" "deny,nolog,status:403"
the LW try create log file 2000MB and rotate it with new one and continue...
do you mean you fix it now and i should re-install this version again ?

 

[mistwang]

Yes, download and do an upgrade.