UNWANTED Million+ hits a day on my geolocation script

Discussion in 'Apache' started by hulkster, Nov 14, 2005.

  1. hulkster
    So years ago I wrote a quick little browser info and geolocation CGI script. The number of hits a day is typically in the hundreds or low thousands ... but it has been dramatically climbing in the last month and is now averaging a MILLION hits/day.

    The source is a wide range of IP addresses with no referrer/user-agent info ... so my guess is some sort of virus has an embedded "wget" call to my CGI for some misc. info ... and it continues to spread based on the increasing number of IPs and hits I'm seeing. Since I'm fairly certain it is an embedded program calling this page, there really is no point in showing ads/whatever. Read more details on this page

    Any clever ideas on how to handle this short of tossing a 404 back?
     
    hulkster, Nov 14, 2005
  2. digitalpoint

    You try switching to an image based verifier? Wouldn't be hard for someone to parse the number you're asking for out of the text currently.

    Maybe it's just someone scraping your results.
     
    digitalpoint, Nov 14, 2005
  3. hulkster

    I'm actually DROPPING the requests currently (based on no User-Agent) so a 404 is going back to these guys for the last couple of weeks - i.e. there has been nothing for them to scrape! But if my guess is right that it is an embedded virus, it just keeps trying and since it is spreading, the number of inbounds continues.

    I'm using mod_rewrite in the httpd.conf file, so I can't redirect/drop 'em much earlier than that ... just annoying to have all these requests come in.
     
    hulkster, Nov 14, 2005
  4. digitalpoint

    Try 301ing them to a test page. I'm curious if the mechanism follows a redirect or not?
     
    digitalpoint, Nov 14, 2005
  5. hulkster

    Yep - it follows a 301 ... my guess is there aren't too many "smarts" in this "virus program," so if it is doing a curl/wget, it just ends up getting whatever the web server ends up returning.
     
    hulkster, Nov 14, 2005
  6. digitalpoint

    You should play more... if any of the requests come from the same IP address, see if it accepts cookies (and sends it back on a subsequent request).
     
    digitalpoint, Nov 14, 2005
  7. J.D.

    One way to fight automated scripts like these is to use this technique:

    1. When you receive a request for the page that has the form to enter the initial data (IP address, etc), calculate the following value:

    random-number, current-timestamp, md5(random-number, current-timestamp, some-secret)

    2. Encode this data as a string and return it with the form as a hidden field

    3. When the form is submitted, a legitimate browser will submit this string and your script will validate the value first by computing the hash and then will make sure that the timestamp is only 1-2 minutes old (whatever time you think is reasonable to fill out and submit the form)

    This should stop all current attempts, until whatever does this smartens up and starts submitting these values.

    J.D.
     
    J.D., Nov 14, 2005
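The hidden-field token scheme J.D. describes, written out as an added example (not code from the thread or from hulkster's script): the field carries a random nonce, the issue timestamp and a keyed tag, and the server recomputes the tag before checking the age. HMAC-SHA256 keyed with the secret is used here in place of md5(random, timestamp, secret); the secret value, the 120-second window and the colon-separated layout are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed secret for this example only; a real deployment loads it
# from configuration rather than hard-coding it in the script.
SERVER_SECRET = b"example-secret-not-for-production"
MAX_AGE_SECONDS = 120  # J.D.'s "1-2 minutes" window


def _tag(nonce: str, timestamp: int, secret: bytes) -> str:
    # Stand-in for md5(random-number, current-timestamp, some-secret):
    # a keyed HMAC over the nonce and timestamp.
    msg = f"{nonce}:{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(now: Optional[int] = None, secret: bytes = SERVER_SECRET) -> str:
    """Steps 1 and 2: build the value placed in the hidden form field."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    return f"{nonce}:{now}:{_tag(nonce, now, secret)}"


def validate_token(token: str, now: Optional[int] = None,
                   secret: bytes = SERVER_SECRET,
                   max_age: int = MAX_AGE_SECONDS) -> bool:
    """Step 3: verify the tag first, then require a fresh timestamp."""
    now = int(time.time()) if now is None else now
    parts = token.split(":")
    if len(parts) != 3:
        return False  # missing or malformed field (e.g. a bare wget)
    nonce, ts_str, tag = parts
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    # Constant-time comparison so a wrong tag is not detectable byte by byte.
    if not hmac.compare_digest(_tag(nonce, ts, secret), tag):
        return False
    # Reject stale tokens and tokens dated in the future (forged or skewed).
    age = now - ts
    return 0 <= age <= max_age
```

A request that omits the field, replays an old token, or edits the timestamp without knowing the secret fails validation; the script can then skip the lookup and return nothing useful.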
  8. hulkster

    I could do all that if this was a "normal human" DDoS ... but it really appears to be machine/program generated ... so what is annoying is that even with the page 404'ed (which I have done), the 1,025,898 (>10/second) incoming requests yesterday generate a lot of log entries - actually two now that it is 404'ed - one in the access_log and one in the error_log ... before, I just 301'ed to a non-existent domain. And since the number of inbound IPs number in the thousands, it would be a challenge to block by IP - heck, the people at those machines probably don't even know this is going on.

    More info and data here where I discuss doing it at the host network/firewall level ... or better yet, seeing if my ISP can filter a specific URL at their border router.
     
    hulkster, Nov 15, 2005
  9. RectangleMan

    How about killing your site? Change it to another subdomain like safe.yourdomain.com and kill the regular www. Then just redirect your front page to the new site for your regular visitors.
     
    RectangleMan, Nov 20, 2005