Shotty uptime for the past week
For the past week, I've noticed that my site was going down every couple hours and I'd have to restart JBoss in order to get it to come back. Being in busy mode all week, I didn't have time to figure out why. Yesterday, I spent 10 minutes digging around in my logs to find out that some asshat (borrowed from Hani) was hitting my server every couple milliseconds requesting my blog as an attempt to infect me with tons of referral spam. My poor server was crashing with out of memory errors at a record pace and it was getting worse and worse by the minute. His calls were coming in from 2 distinct IP addresses (217.23.176.2, 217.23.177.249), both of which originate in Russia. To get around this, I configured iptables to DROP packets from these addresses. All is fine since.
The thing that concerns me is that this is quite the reactive approach and could start again at any moment. Thanks to the free service provided by SiteUptime, I get a text message sent to my cell phone when my site goes down. This will help a bit. What I'd like to do is write some sort of script to learn what IP addresses might be doing this, add their IP on the fly and restart iptables. If this becomes a problem, I'll look into this more.
So the moral of the story is that if you are pathetic enough to inject referral spam, I hope you die a long painful death in the dungeons of hell. In the meantime, I will ignore you with the help of iptables.
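One way the script wished for above could look, as an added example that is not the author's code: it scans access-log lines for clients exceeding a request rate and renders DROP rules for review. The log format (Apache combined), the thresholds, the function names and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Combined Log Format: ip ident user [time] "request" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')

def find_flooders(lines, max_hits=20, window=timedelta(seconds=10), allow=()):
    """Return client IPs with more than max_hits requests inside any sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip lines that are not access-log entries
        try:
            ip = str(ip_address(m.group(1)))   # only a valid address may reach a rule
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if ip in allow or ip in flagged:
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) > max_hits:
            flagged.append(ip)
    return flagged

def drop_rules(ips):
    """Render one DROP rule per address (ip6tables for IPv6) for review before applying."""
    return [f"{'ip6tables' if ip_address(ip).version == 6 else 'iptables'} "
            f"-I INPUT -s {ip} -j DROP" for ip in ips]

def sample_log():
    """Constructed data: one client floods within a second, another visits once a minute."""
    base = datetime(2005, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
    row = '{} - - [{}] "GET /blog/ HTTP/1.1" 200 5120 "http://spam.example/" "-"'
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    flood = [row.format("203.0.113.7", stamp(base + timedelta(milliseconds=20 * i)))
             for i in range(50)]
    normal = [row.format("198.51.100.20", stamp(base + timedelta(minutes=i)))
              for i in range(3)]
    return flood + normal + ["garbage line"]

if __name__ == "__main__":
    print("\n".join(drop_rules(find_flooders(sample_log()))))
```

Rules inserted with `iptables -I` take effect immediately, so no restart is needed; pass your own addresses and any monitoring service in `allow` so they are never blocked.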
Re: Shotty uptime for the past week
In my httpd.conf file, I have:
RewriteEngine On
RewriteMap domain prg:/home/httpd/amnesiac.net/url-to-domain.pl
RewriteMap referer-deny txt:/home/httpd/amnesiac.net/refererdom.deny
RewriteCond %{HTTP_REFERER} !=""
RewriteCond ${referer-deny:${domain:%{HTTP_REFERER}}|NOT-FOUND} !=NOT-FOUND
RewriteRule ^/.* - [F,L]
Include /home/httpd/amnesiac.net/blacklist.txt
I have a file called refererdom.deny that includes all the domains I want to blacklist:
optinpr.com -
travelnow.com -
web-promotion.net -
skipme.com -
payshots.com -
maturex3.com -
cryguy.com -
pornwizzard.com -
A file called blacklist.txt contains:
RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*(-|.)adult(-|.).*$ [OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*(-|.)anal(-|.).*$ [OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*(-|.)mature(-|.).*$ [OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*(-|.)nude(-|.).*$ [OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?.*(-|.)porn(-|.).*$ [OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?payshots.*$
RewriteRule .* - [F,L]
There's a Perl script that is used here to pull domain names out of URLs:
#!/usr/bin/perl -wlp
# url-to-domain.pl
# TGM 2004-04-18
#
# Returns the domain part of URLs:
#
# http://www.mydomain.com/blah -> mydomain.com
# http://www.mydomain.com -> mydomain.com
BEGIN { $| = 1 }
s{^http://}{}; # strip http:// prefix
s{/.*}{}; # strip pathname after hostname
s{^.*\.([^.]+\.[^.]+)$}{$1}; # convert hostname into domain
Hope that helps!