
How can I block traffic by referrer?


acidbox
29th November 2005, 04:59 PM
Our server is getting slammed daily by this Asian search engine. I don't know where it's coming from, but it's not even finding legitimate results.

It's gotten to the point where it's affecting the performance of our server because Apache is handling so many requests from this damn place; it's almost like a DoS attack.

The clients are all different, but the one thing in common is the referrer. Take a look at this error log:

[Tue Nov 29 16:06:53 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:53 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:54 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:54 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:54 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:54 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:55 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:55 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:56 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:56 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:57 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:57 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:57 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:57 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:58 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:58 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:59 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%CB%D1%FD%3B%B8%C9%3B%C4%D0%C8%CB&url=http%3A//67%2E15%2E185%2E119/our1/redirect%2Ephp%3Ffid%3D144%26tid%3D27949%26goto%3D nextnewset&b=0&a=13&user=baidu


Is there a way I can block access to the server by checking the referrer and block them if they come from that domain?

Thanks for the help.

ShadowMan
29th November 2005, 09:01 PM
mod_security - According to gotroot.com, their ruleset:
Comment spam rules

These rules exclusively block comment and referer spam. If you want to block spam on your server, then you should use these rules.
As of right now, their list is:
20051129-01: Web Application protection
20051129-01: Bad UserAgents blocking
20051129-01: Comment spam blacklist
20051129-01: Compromised/Hacker boxes blacklist
20051111-01: Anti-Proxy protection
20051111-01: Additional Apache 2.x rules
20051120-01: Known rootkits/worms
20050905-01: Rule Exclusions
20051129-01: Blacklist of known attackers/spammers

On most of our US servers, we do mod_security and block entire ranges of China (CN) and be done with it...

acidbox
4th December 2005, 02:12 PM
I'd like to do just that. I currently have mod_security 1.9 installed. Do you have any sample code or a good tutorial that covers how to do this?

Thanks!
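
A referer-based block for the traffic shown in the error log above, as an added example that is not part of the original thread. Option A uses mod_security 1.x directives (the version the poster has installed); Option B uses only stock mod_setenvif and host access control. The `block_referer` variable name is made up for the example, and the directory path is the one that appears in the error log.

```apache
# Added example, not from the thread. Use either option; both are not needed.

# --- Option A: mod_security 1.x (SecFilter* directive family) ---
<IfModule mod_security.c>
    SecFilterEngine On

    # Inspect only the Referer request header. The dots are escaped so the
    # pattern matches the literal host seen in the log, not any character.
    # deny      : stop processing the request
    # log       : record the hit in the error/audit log for later review
    # status:403: answer with Forbidden
    SecFilterSelective HTTP_Referer "cache\.baidu\.com" "deny,log,status:403"
</IfModule>

# --- Option B: no extra module (Apache 1.3 / 2.0 / 2.2 access syntax) ---
# Tag requests whose Referer header points at the cache host.
# block_referer is an arbitrary name chosen for this example.
SetEnvIfNoCase Referer "^https?://cache\.baidu\.com/" block_referer

<Directory "/home/httpd/vhosts/default/htdocs">
    # Allow everyone, then refuse anything carrying the tag set above.
    Order Allow,Deny
    Allow from all
    Deny from env=block_referer
</Directory>
```

The Referer header is supplied by the client, so this sheds this particular traffic cheaply rather than authenticating anything, and the requests still reach Apache before being refused. On Apache 2.4 the `Order`/`Allow`/`Deny` lines in Option B become `Require all granted` plus `Require not env block_referer` inside a `<RequireAll>` block.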