Bandwidth Suckers - how to block?

Discussion in 'Apache' started by anton-io!, Jun 14, 2005.

  1. #1
    Help!

    Going through some logs and I've noticed already on a number of sites where I'm getting 5000+ hits and bandwidth being sucked up 200MB+ at a time ... sites are not graphic heavy.

    Any way to deny or stop this? .htaccess?

    culprit: back*ndhost. com


    Did a search on Google & they're all over the place in ppl's logs

    http://www.google.com/search?hl=en&q=backendhost&btnG=Google+Search

    :confused: :mad: :confused: :mad:
     
    anton-io!, Jun 14, 2005 IP
  2. digitalpoint

    #2
    Do you have root access to the server?
     
    digitalpoint, Jun 14, 2005 IP
  3. anton-io!

    #3
    no

    have a reseller account with multiple domains
    WHM cPanel
     
    anton-io!, Jun 14, 2005 IP
  4. digitalpoint

    #4
    Yeah... probably the best thing you can do is an .htaccess that forbids access to a certain block of IP addresses then. (With root access you could just block any network activity from the IPs.)
     
    digitalpoint, Jun 14, 2005 IP
  5. anton-io!

    #5
    Thanks - I figured that as well

    .htaccess is the only defence for now ...

    ... unless I wrote a re-direction script that cooked their server! :eek:
     
    anton-io!, Jun 14, 2005 IP
  6. stoner3221

    #6
    Your cpanel should have one or more utilities for blocking the IP. Very easy to use.
     
    stoner3221, Jun 15, 2005 IP
  7. J.D.

    #7
    It never will - they will simply drop your replies. What kind of activity do you see from them in the logs?

    J.D.
     
    J.D., Jun 15, 2005 IP
  8. anton-io!

    #8
    I was joking about the re-direct ... :rolleyes: not worth the effort, plus I wouldn't know how....

    Under AWSTATS, under hosts, for one of the accounts I'm seeing on one day:


    ns1.back*ndhost.com
    Pages Hits MB
    6327 6327 141.78 MB
    server.back*ndhost.com
    Pages Hits MB
    6156 6156 137.97 MB
     
    anton-io!, Jun 15, 2005 IP
  9. J.D.

    #9
    It's about 1.5 KB/s - not something you'd expect from a single client, unless they are a proxy of some kind. This doesn't show the pattern, though. Knowing the pattern makes it easier to deal with things like this. I would look through the logs - this may help you figure out whether it's some kind of an automated tool or a bunch of people behind a proxy.

    J.D.
     
    J.D., Jun 15, 2005 IP
  10. moskjaer.dk

    #10
    How would you block it on IIS6?

    Kind regards

    Kurt Moskjaer Andersen
    www.moskjaer.dk
     
    moskjaer.dk, Jun 16, 2005 IP
  11. J.D.

    #11
    Website Properties > Directory Security > IP address and domain name restrictions > Edit
     
    J.D., Jun 16, 2005 IP
  12. uca

    #12
    Sorry to bump up this thread, but I have exactly that problem. Someone is taking all my BW.

    With CPanel, what can I do precisely? How do I block IPs?

    The culprits appear to be Websense, CA and The Planet, TX

    Raw Logs appear to be a GZ file, how do I read that?

    Thanks for any help...!
     
    uca, Jul 9, 2005 IP
  13. bconnelly

    #13

    Here are some guides to get you on your way with Cpanel. I am assuming that you have root access to the server or you would not be asking these questions to a forum. If you do not have root access to the machine your hosting company should be able to help you block networks, if not you need a new host ASAP.


    Cpanel Newbie Guide


    Apache Log Files Explained .... this one is in the related articles at the bottom of the above page, but just in case you don't read it all the way through, your Gzip file question should be answered.

    The EV1 Servers forum for Cpanel ..... This is a great resource for Cpanel.

    Good luck!
     
    bconnelly, Jul 9, 2005 IP
  14. uca

    #14
    Thank you mate!

    Very kind and fast!:)
     
    uca, Jul 9, 2005 IP
  15. uca

    #15
    I stopped 3 different IPs through CPanel, but I wonder what's the point of doing that to my little site!?!?
    What is there to gain?
     
    uca, Jul 9, 2005 IP
  16. anton-io!

    #16
    Good links thanks!

    In my case it was the blog app that I had running ... B2Evo ... I was getting hits from pharma sites and they were showing up in the referrer lists, which were displayed on the site. I ended up taking the blog section down. After that, bandwidth came back to normal.
     
    anton-io!, Jul 9, 2005 IP
  17. uca

    #17
    I understand that, pure SPAM.

    But that's not my case as they aren't getting any links from my site.

    I wonder what else it could be...
     
    uca, Jul 9, 2005 IP
  18. J.D.

    #18
    If you want to get to the bottom of this, you can filter your log to include only the offending IP address and then run the log through a log analysis tool (e.g. Webalizer). This will give you their access pattern (access times, access URLs, etc). This may show you what they were after (e.g. frequent access to certain files, such as login page, may indicate an attempt to break into your control panel).

    You can use grep (Linux) or findstr (Windows) to filter the logs.

    J.D.
     
    J.D., Jul 9, 2005 IP
  19. uca

    #19
    Anyway, I kept denying IPs but the site is down.

    I really don't know what to do.

    I upgraded the account twice but I can't carry on. They get to my BW limit until the site is down. Move my site?

    Is that the only solution to the problem?
     
    uca, Jul 13, 2005 IP
  20. J.D.

    #20
    * Get your logs and extract them from the archive (e.g. gunzip logfilename.gz)

    * Run a log analyzer on the extracted logs and see which IP addresses pump more data. There are three possible scenarios: a) a small group of IPs is used to hit your website (e.g. all from the same ISP), which will indicate that most likely some individual is after you; b) many, many IPs are hitting your website, which may indicate a distributed attack (this one is hard to deal with); or c) your website is just *that* popular, or you have too many files, or your graphics are too large.

    + In the first case, blocking the offending IP addresses should remedy the problem. In those cases when the IP addresses are from a region you don't care much about, you can block the entire ISP.

    + If your content is too big for your bandwidth, configure your website to use compression and caching.

    + A distributed attack is not something that can be easily advised on.

    * Once you get the IPs, you can filter the logs by IP address and see usage patterns. This may help you to figure out what to do with them (e.g. somebody who requests the same file over and over again over a short period of time and without following any links on your website can be blocked; if somebody is just going from page to page, like reading a forum, you just need to configure your website to better deal with this).

    J.D.
     
    J.D., Jul 13, 2005 IP
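
The log triage J.D. describes in posts #18 and #20 (extract the gzipped log, rank clients by data pulled, then look at one client's access pattern), together with the referrer view relevant to post #16, as an added example that is not part of the thread. It assumes Apache "combined" log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; log lines are constructed (documentation IP ranges, placeholder hosts).

# Write a small gzipped Apache "combined" log to $1.
make_sample_log() {
  {
    i=0
    while [ "$i" -lt 40 ]; do   # one client re-fetching the same page
      printf '192.0.2.10 - - [14/Jun/2005:03:00:%02d +0000] "GET /blog/index.php HTTP/1.0" 200 23000 "http://spam.example/pills" "-"\n' "$i"
      i=$((i + 1))
    done
    echo '198.51.100.7 - - [14/Jun/2005:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"'
    echo '198.51.100.7 - - [14/Jun/2005:09:12:09 +0000] "GET /about.html HTTP/1.1" 200 4096 "http://www.example.org/" "Mozilla/4.0"'
    echo '203.0.113.5 - - [14/Jun/2005:10:00:00 +0000] "GET /logo.gif HTTP/1.1" 304 - "-" "Mozilla/4.0"'
  } | gzip -c > "$1"
}

# Bytes and hits per client IP, largest consumer first: "bytes hits ip".
top_talkers() {
  gunzip -c "$1" | awk -F'"' '
    { split($1, a, " "); split($3, s, " ")
      if (s[2] ~ /^[0-9]+$/) bytes[a[1]] += s[2]   # "-" = no body sent
      hits[a[1]]++ }
    END { for (ip in hits) printf "%.0f %d %s\n", bytes[ip], hits[ip], ip }' | sort -rn
}

# Access pattern of one client ($2): hits per requested URL, most frequent first.
url_pattern() {
  gunzip -c "$1" | awk -F'"' -v ip="$2" '
    { split($1, a, " "); split($2, r, " ") }
    a[1] == ip { n[r[2]]++ }
    END { for (u in n) print n[u], u }' | sort -rn
}

# Referrers by hit count; a flood from one unrelated site suggests referrer spam.
top_referrers() {
  gunzip -c "$1" | awk -F'"' '$4 != "-" && $4 != "" { n[$4]++ } END { for (r in n) print n[r], r }' | sort -rn
}

# Apache 2.2-style .htaccess lines for clients that pulled at least $2 bytes.
deny_lines() {
  echo "Order Allow,Deny"; echo "Allow from all"
  top_talkers "$1" | awk -v min="$2" '$1 + 0 >= min + 0 { print "Deny from " $3 }'
}

log="${TMPDIR:-/tmp}/access_sample.$$.gz"
make_sample_log "$log"
top_talkers "$log"; url_pattern "$log" 192.0.2.10; top_referrers "$log"; deny_lines "$log" 500000
rm -f "$log"
```

On Apache 2.4 the equivalent of the generated lines is `Require all granted` plus `Require not ip <address>` inside a `<RequireAll>` block. Review the ranked list before pasting any deny lines, since a shared proxy can put many legitimate visitors behind one address.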