A month ago I noticed a hike in hits on my forum, from 1500-2000 a day to 8000-10000+, without any visible change in hosts, registrations or activity on the forum. After looking through the counter stats and raw access logs, it looks like one single IP keeps knocking into the forum's root - http://forum.xxxxxxx.org. Here's a typical raw access log line:

85.xxx.xxx.xxx - - [12/Jan/2010:16:23:30 -0500] "GET /?sid=580eccd99d3830f0b109d1d797b4742d HTTP/1.1" 200 26067 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"

I pulled all lines for this IP from the raw access log to see what resources are being accessed (this is for a half-day log):

4332 /
4 /viewforum.php
4 /favicon.ico
4 /images/rss-feed-10x10.png
4 /viewtopic.php
3 /templates/NoseBleed/NoseBleed.css
3 /templates/NoseBleed/NoseBleed.js
2 /templates/NoseBleed/translit2.js
2 /templates/NoseBleed/sel2reply.js
2 /templates/NoseBleed/show_layer.js
1 /viewonline.php
1 /login.php
1 /index.php

Thus, a single "user" (a script, I assume) just keeps accessing the root, where there is just a list of forum sections, no other content. As I understand it, that's too few hits for a typical DDoS attack, even though at some point phpBB2 (updated to the latest version) was giving up with an error about too many DB connections - I saw it once myself, even though no one has complained yet. They're not accessing login.php, so it's not brute-force password tries, and viewtopic.php isn't accessed, so it's not content stealing. So what's going on? What could they possibly want, and how would I fight it? I did block the IP once, but the next day it resumed with a different IP from a different country. Though I blocked it again last night, and it seems to have stopped for now.
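One way to pull the per-IP breakdown described above straight from the raw access log, as an added Python example that is not part of this thread: it parses Apache combined-format lines, strips the ?sid= query so every root hit collapses to "/", and flags clients whose traffic is almost entirely root hits with a blank referer. The log lines, addresses and thresholds here are constructed, not taken from the poster's server.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, the same shape as the access-log line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop ?sid=... so every root hit counts as "/"
    return rec

def profile_clients(lines, min_hits=50, root_ratio=0.9):
    """Per IP: total hits and hits to '/' with a blank referer (the pattern in the post).
    Return the IPs with at least min_hits where at least root_ratio of them are such root hits."""
    totals, root_blank = Counter(), Counter()
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        totals[rec["ip"]] += 1
        agents[rec["ip"]].add(rec["ua"])
        if rec["path"] == "/" and rec["referer"] == "-":
            root_blank[rec["ip"]] += 1
    return {
        ip: {"hits": n, "root_blank_referer": root_blank[ip], "agents": sorted(agents[ip])}
        for ip, n in totals.items()
        if n >= min_hits and root_blank[ip] / n >= root_ratio
    }

# Constructed sample log (documentation-range addresses, not real clients): one client hammering
# the root with a session id and no referer, plus an ordinary visitor reading topics.
OPERA = "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/3.6"
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2010:16:%02d:30 -0500] "GET /?sid=580eccd99d3830f0b109d1d797b4742d HTTP/1.1" '
    '200 26067 "-" "%s"' % (i % 60, OPERA) for i in range(120)
] + [
    '198.51.100.9 - - [12/Jan/2010:16:%02d:05 -0500] "GET /viewtopic.php?t=%d HTTP/1.1" 200 18230 '
    '"http://forum.example.org/viewforum.php?f=1" "%s"' % (i, i, FIREFOX) for i in range(10)
]

if __name__ == "__main__":
    for ip, info in profile_clients(SAMPLE_LOG).items():
        print(ip, info)
```

Feed it `open("access_log")` instead of SAMPLE_LOG for a real half-day log; the agents set is what tells you whether to key a rewrite rule on the User-Agent or only on the address.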
Hopefully your visitor doesn't read this forum or locate this thread through some form of ESP.

# deny blank referrer only IF UA contains Opera or Presto
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_USER_AGENT} (Opera|Presto)
RewriteRule .* - [F]

(Please note: a denial of access will not prevent the requests from appearing in your raw logs; however, the 403 will show.)
Those terms were included in flamey's UA line: "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10". You may add/include as many different terms within the parentheses, separated by the "or" pipe character (|), as you desire; however, you may want to add the no-case flag [NC] at the end of the line. This is simply an example of multi-condition rewrites. There are endless possibilities configurable for individual needs. In addition, it should be clarified that the example I provided ONLY denies UAs with either of those terms included and REQUIRES the Referer to be blank.