Slow Site

[ray]

Sorry for the slow site this weekend. Worm infected machines have been sending an insane amount of requests to the site which is essentially resulting in a denial of service attack.

I'm working at locating a script to prevent the web server from processing these requests.

[ray]

I think I fixed it. I added the following to .htaccess:
RewriteEngine ON
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)Echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b
RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]

This should block the following traffic:
64.27.4.160 - - [18/Jun/2006:20:58:07 -0400] "GET /viewtopic.php?t=3492&highlight=%2527%252Esystem(chr(112)%252Echr
(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%
252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(
114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%
252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr
(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%2
52Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 301 759 "-" "Mozilla/4.0"

[wirednut]

That's sweet. I didn't know they were using smilies in shell scripts these days.

[dhoyne]

Anyone else see that and hear the wa-wa-wa-wa sound of adults talking in a Peanuts cartoon?

[nrvale0]

http://www.modsecurity.org/documentatio ... multipage/

[SCIN]

Very nice. Thanks.

[Mike Jones]

Beat me to it, Nathan. Additionally Ray, do you have snort on or out in front of your web server?

[SCIN]

I'd rather not do snort flexible response (inline). I'm not a big fan of session sniping unless you want to buy Sourcefire's 3D system for me.

[Mike Jones]

i know this thread is about a month old, but i came across a decent mod_security overview and thought you might enjoy -- http://www.howtoforge.com/apache_mod_security_p2