I'm getting DoS'd
CyberSEAL
I have a discussion forum that generally does not see a lot of traffic. For the last two days I've noticed we have 300+ visitors at all times and they are all doing constant loads of the same page. Here's a snippet from our Apache log:

CODE
202.99.29.27 - - [09/Mar/2009:15:31:08 -0500] "GET /forum/index.php?act=Members HTTP/1.1" 302 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
24.76.239.196 - - [09/Mar/2009:15:31:08 -0500] "GET /forum/index.php?act=Members HTTP/1.1" 302 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
218.22.177.234 - - [09/Mar/2009:15:31:08 -0500] "GET /forum/index.php?act=Members HTTP/1.1" 302 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
24.83.40.206 - - [09/Mar/2009:15:31:08 -0500] "GET /forum/index.php?act=Members HTTP/1.1" 302 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"

These requests are all coming from different IPs; however, they all have the same signature: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)

Has anyone seen this with their forum/site before? Also, anyone have any ideas on how the culprits are doing this? I don't have a lot of experience with being DoS'd...thankfully.
James Jhurani
It could be proxies, or drones. If you use mod_rewrite, make a rewrite rule for that specific user-agent, redirect them somewhere nice =).
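
Added example, not part of the original thread: before a rule is keyed to the user-agent as suggested above, the access log can be grouped by request URL and user-agent to confirm that one pair is being requested from many distinct addresses. The function name `find_flood_signatures`, its thresholds and the two "ordinary traffic" log lines are assumptions constructed for illustration; the four flood lines are the ones quoted in the first post.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def find_flood_signatures(lines, min_ips=3, min_share=0.5):
    """Flag (url, user-agent) pairs requested by at least min_ips distinct
    addresses and making up at least min_share of all parsed requests."""
    groups = defaultdict(lambda: {"hits": 0, "ips": set(), "no_referer": 0})
    total = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:          # skip blank or malformed lines
            continue
        total += 1
        g = groups[(m["url"], m["agent"])]
        g["hits"] += 1
        g["ips"].add(m["ip"])
        g["no_referer"] += m["referer"] in ("", "-")
    flagged = []
    for (url, agent), g in groups.items():
        if len(g["ips"]) >= min_ips and g["hits"] / total >= min_share:
            flagged.append({"url": url, "agent": agent, "hits": g["hits"],
                            "distinct_ips": len(g["ips"]),
                            "no_referer": g["no_referer"]})
    return sorted(flagged, key=lambda f: f["hits"], reverse=True)

UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
# The four requests quoted in the thread, rebuilt from a template.
SAMPLE = [
    f'{ip} - - [09/Mar/2009:15:31:08 -0500] "GET /forum/index.php?act=Members HTTP/1.1" 302 226 "-" "{UA}"'
    for ip in ("202.99.29.27", "24.76.239.196", "218.22.177.234", "24.83.40.206")
] + [
    # Constructed ordinary traffic, for contrast (not from the thread).
    '192.0.2.10 - - [09/Mar/2009:15:31:09 -0500] "GET /forum/index.php?showtopic=12 HTTP/1.1" 200 5120 "http://forum.example/forum/" "Mozilla/5.0 (X11; Linux i686) Firefox/3.0"',
    '192.0.2.44 - - [09/Mar/2009:15:31:10 -0500] "GET /forum/index.php HTTP/1.1" 200 8301 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0"',
    "not a log line",
]

if __name__ == "__main__":
    for sig in find_flood_signatures(SAMPLE):
        print(sig)
```

The report includes the URL and the count of requests with no referer alongside the user-agent, so a rule can match on all three rather than on the user-agent alone, which real browsers of that era could also send.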