Excessive GET HTTP requests -- any way to block?

Post Reply
sneader
Junior Member
Posts: 84
Joined: 22 Mar 2007, 05:38

Excessive GET HTTP requests -- any way to block?

Post by sneader »

Seems that certain WordPress sites on our server are under some type of attack. Even password protecting the /wp-admin directory has no effect in their efforts. Here is a log snippet for just 3 seconds of activity:

74.50.26.15 - - [14/Mar/2013:05:37:13 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:13 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:13 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:14 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:14 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:14 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:15 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:15 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:15 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

I've tried using PORTFLOOD and CONNLIMIT, but they are not helping. Any ideas?

- Scott
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Excessive GET HTTP requests -- any way to block?

Post by ForumAdmin »

As it seems to be a search engine bot, maybe a robots.txt would suffice:
http://www.robotstxt.org/robotstxt.html
sneader
Junior Member
Posts: 84
Joined: 22 Mar 2007, 05:38

Re: Excessive GET HTTP requests -- any way to block?

Post by sneader »

Hi Jonathan. Unfortunately, it's not a real robot, they are faking it. The reverse DNS for this IP maps to a Lunar Pages hosting server, not Microsoft. I highly doubt they will respect the robots.txt. Any other ideas appreciated.

- Scott
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Excessive GET HTTP requests -- any way to block?

Post by ForumAdmin »

A ModSecurity rule of some sort that triggers csf LF_MODSEC is probably the only way to stop this type of attack
sneader
Junior Member
Posts: 84
Joined: 22 Mar 2007, 05:38

Re: Excessive GET HTTP requests -- any way to block?

Post by sneader »

Darn, I was hoping that either PORTFLOOD or CONNLIMIT would be useful here, and that I was just doing it wrong.

- Scott
Post Reply