Flutterby™! : DOS attack 2006-01-14 00:44:38.523151+00

DOS attack

2006-01-14 00:44:38.523151+00 by Dan Lyke 4 comments

Yow! Went to make an entry on Flutterby and noticed the server was running slow. Looked at the process table and the log and... well... the server was dealing with hundreds of referrer spammer requests. I've put together a quick hack which gives a simple text/plain response to the common keywords, apologies if you've been trying to get to the site from a domain that mentions "viagra" or any of a number of other keywords and phrases.

And, wow, we're going to have to Balkanize the net soon.

When I was getting hammered on my blog by referer and commenter spam, I started using the Bad Behavior plugin on wordpress, which tries to detect naughtiness and will eventually start denying responses to bad ips. The problem is, of course, that it's written in php, so by the time it figures out that a given request is from someone who is misbehaving, you've already incurred a huge fraction of the total cost of processing his request. What I did next was to write a Python script that was run every five minutes, and would read the IP addresses of everyone in the database who'd been bad in the last twenty four hours, and then add them to a .htaccess "Deny" line. That worked much better, and I haven't had much trouble since (knock on wood).

They do dummy requests to pages so that referrer trackers will show updates from them. I used to have a referrer tracker (and it showed some interesting stuff) until the first wave, but this wave they hit every page, including the ones that do a lot of database access.

I dropped the server, added a simple check to my framework for the keywords they included in their domain names that returns a text/plain message, and the attack subsided quickly.

Ah.. so that it shows a link on your site back to the referrer. OK, I remmeber that oproblem now. Thwack gracefully accepted.