How can I block a user agent?
So far I've tried:
$HTTP["useragent"] =~ "CLR 1.0.3705" {
url.access-deny = ( "" )
}
to deny access to the useragent "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; .NET CLR 1.0.3705)" however it doesn't work.
Is there some kind of wildcard I can put in place and is url.access-deny
used correctly to block the user?
on 19.04.2006 01:33
on 19.04.2006 02:13
Michael Fuita wrote:
> How can I block a user agent?
>
> So far I've tried:
>
> $HTTP["useragent"] =~ "CLR 1.0.3705" {
> url.access-deny = ( "" )
> }
>
> to deny access to the useragent "Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.1; .NET CLR 1.0.3705)" however it doesn't work.
>
> Is there some kind of wildcard I can put in place and is url.access-deny
> used correctly to block the user?

Wouldn't the best way to do this be by using mod_redirect, and redirect all the requests to some page explaining why they have been denied access?

Of course, you could deny access to this specific file you are redirecting to, if you don't want your users to know why they are being blocked...
on 19.04.2006 02:23
Thomas Bergheim wrote:
> Michael Fuita wrote:
>> How can I block a user agent?
>>
>> So far I've tried:
>>
>> $HTTP["useragent"] =~ "CLR 1.0.3705" {
>> url.access-deny = ( "" )
>> }
>>
>> to deny access to the useragent "Mozilla/4.0 (compatible; MSIE 6.0;
>> Windows NT 5.1; .NET CLR 1.0.3705)" however it doesn't work.
>>
>> Is there some kind of wildcard I can put in place and is url.access-deny
>> used correctly to block the user?
>
> Wouldn't the best way to do this be by using mod_redirect, and redirect
> all the requests to some page explaining why they have been denied
> access?
>
> Of course, you could deny access to this specific file you are
> redirecting to, if you don't want your users to know why they are being
> blocked...

I'm getting ddosed by a whole botnet right now with the useragent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705). So it doesn't really matter where those requests are led to, I would prefer a blank page as it uses less bandwidth but how could I get it working?

My problem is most probably that I'm unable to use the $host['useragent'] to find the useragent properly. And I think it could be from the way I wrote it.
on 19.04.2006 12:35
Michael Fuita wrote:
> I'm getting ddosed by a whole botnet right now with the useragent
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705).
> So it doesn't really matter where those requests are led to, I would
> prefer a blank page as it uses less bandwidth but how could I get it
> working?

If someone has the "savvy" to control a ddos-botnet, surely that person can also change the UA-string at will, possibly realtime. It is very simple to do (Opera can do it in an ini-file, wget has an option to set the UA to whatever you want, etc).

There are much better ways of handling this, see for instance http://httpd.apache.org/docs/trunk/misc/security_tips.html or check up on iptables if you are on linux. You can "easily" make iptables drop connections if they occur abnormally frequently from an ip, which is a much better way than what you are doing (although it has its own flaws - use it too aggressively and you can end up blocking out a whole company if they have enough people and use NATing).

Also, although I have no experience with it, you might want to check out "mod_evasive".

> My problem is most probably that I'm unable to use the $host['useragent'] to find
> the useragent properly. And I think it could be from the way I wrote it.

Your useragent is fine, the deny-string isn't; url.access-deny = ( "" ) is the same as the default, and it matches nothing (and hence denies nothing). I am not sure what you have on your server, but surely

url.access-deny = ( "/", ".php", ".html", ".inc", ".gif", ".png", ".jpg", ".jpeg", ".css", ".js" )

matches most of it. As far as I know, you can't wildcard or anything here, so you have to match things explicitly.

You could also redirect it to a webserver doing nothing...
on 19.04.2006 13:45
Thomas Bergheim wrote:
>
> If someone has the "savvy" to control a ddos-botnet, surely that person
> can also change the UA-string at will, possibly realtime. It is very
> simple to do (Opera can do it in an ini-file, wget has an option to set
> the UA to whatever you want, etc).
>
> There are much better ways of handling this, see for instance
> http://httpd.apache.org/docs/trunk/misc/security_tips.html or check up
> on iptables if you are on linux. You can "easily" make iptables drop
> connections if they occur abnormally frequently from an ip, which is a
> much better way than what you are doing (although it has its own flaws
> - use it too aggressively and you can end up blocking out a whole company
> if they have enough people and use NATing).
>
> Also, although I have no experience with it, you might want to check out
> "mod_evasive".
>

Yes, I've that enabled as well; so far, since it's a botnet which is doing the ddos attack, it comes from different ips, so it's pretty much impossible to use iptables or mod_evasive to do that job as it only blocks out too many connections to the server.

Thanks for the info and I'll try it out tonight. :)
on 19.04.2006 15:01
Michael Fuita wrote:
> Yes, I've that enabled as well; so far, since it's a botnet which is doing
> the ddos attack, it comes from different ips, so it's pretty much
> impossible to use iptables or mod_evasive to do that job as it only
> blocks out too many connections to the server.

Yeah? How many clients are doing this? If someone has 100 zombies, and hits you once a second with each one, that wouldn't normally be nearly enough to bring down a site. However, if it is, just set the aggressiveness appropriately. If it only comes from 10 concurrent users with a dynamic ip it should be much easier to detect.

Of course, this problem is still a "problem" because there might be 10 000 zombies and then you are in trouble almost no matter what tool you are using. Blocking subnets etc. can help, but that probably means blocking legitimate users as well...

> Thanks for the info and I'll try it out tonight. :)

Sure, good luck!
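The trade-off argued over the last few messages, per-source rate limiting (iptables, mod_evasive) versus matching on the user-agent string the whole botnet shares, as an added Python example that is not part of this thread and not lighttpd's own code. It parses constructed access-log lines in lighttpd's default combined format, applies a per-IP requests-per-second threshold, and then aggregates every request whose UA matches the thread's `CLR 1.0.3705` pattern regardless of source. With twelve made-up zombies at two requests per second each, no single IP trips the per-IP limit while the UA aggregate does, which is the situation Michael describes; the thresholds, addresses, timestamps and log lines are all constructed here. Because lighttpd's `=~` is a regular-expression match, the unescaped dots in `CLR 1.0.3705` match any character, which the block shows next to the escaped literal.

```python
import re
from collections import defaultdict
from datetime import datetime

# lighttpd's default accesslog.format is the Apache "combined" style:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The user-agent string from the thread (the one the botnet was sending).
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
# The pattern from the original post, as a regex match (=~) reads it: the
# unescaped "." is a wildcard, so it also matches "CLR 1x0x3705".
# re.escape() gives the literal match that was intended.
THREAD_PATTERN = re.compile(r"CLR 1.0.3705")
LITERAL_PATTERN = re.compile(re.escape("CLR 1.0.3705"))


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["time"], TIME_FMT).timestamp()
    return entry


def parse_log(lines):
    """Parse all lines, silently skipping anything that is not a log entry."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def peak_rate(timestamps, window=1.0):
    """Largest number of events falling inside any sliding window of `window` seconds."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def ips_over_threshold(entries, per_ip_limit, window=1.0):
    """Per-source view: the iptables/mod_evasive style check discussed in the thread."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    return sorted(ip for ip, ts in by_ip.items() if peak_rate(ts, window) > per_ip_limit)


def ua_flood(entries, pattern, aggregate_limit, window=1.0):
    """Aggregate view: count all sources whose UA matches `pattern` as one stream."""
    matching = [e for e in entries if pattern.search(e["ua"])]
    peak = peak_rate([e["ts"] for e in matching], window)
    return {
        "requests": len(matching),
        "sources": len({e["ip"] for e in matching}),
        "peak_rate": peak,
        "flagged": peak > aggregate_limit,
    }


def build_sample_log():
    """Constructed sample: 12 zombies at 2 req/s each, one real browser, one junk line."""
    lines = []
    for i in range(12):
        for _ in range(2):
            lines.append(
                f'10.0.{i}.7 - - [19/Apr/2006:01:33:00 +0200] "GET / HTTP/1.0" '
                f'200 5120 "-" "{BOT_UA}"'
            )
    real_ua = "Mozilla/5.0 (X11; U; Linux i686) Gecko/20060124 Firefox/1.5"
    for path in ("/", "/style.css", "/logo.png"):
        lines.append(
            f'192.0.2.10 - - [19/Apr/2006:01:33:00 +0200] "GET {path} HTTP/1.1" '
            f'200 800 "-" "{real_ua}"'
        )
    lines.append("garbage line that is not an access log entry")
    return lines


def analyse(lines, per_ip_limit=5, aggregate_limit=20):
    """Run both checks; the limits are made-up values for the sample, not recommendations."""
    entries = parse_log(lines)
    return {
        "parsed": len(entries),
        "per_ip_flagged": ips_over_threshold(entries, per_ip_limit),
        "ua_flood": ua_flood(entries, THREAD_PATTERN, aggregate_limit),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(build_sample_log()), indent=2))
```

On the sample, `per_ip_flagged` comes back empty (every zombie sits under the per-IP limit) while `ua_flood` reports 24 requests from 12 sources in one second and is flagged. The aggregate view is only as good as Thomas's caveat allows: the UA is chosen by the client, so a flood that rotates its UA vanishes from the second check while per-IP limits still see each source; the two checks are complementary rather than alternatives.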

