Hello all. First, quickly: I'm sorry if this is the wrong place, but it seemed the most appropriate Usenet group.
My server is currently receiving a barrage of requests straight for the largest files (videos) on my web server, which was causing the server to become dreadfully slow to respond (at least a minute before it hints a response) and sometimes not even at all.
This is the 3rd day it's been going on.
I've been keeping track of stats from the bots for the last 16 hours...
- Requests were from 845 different IP addresses
- Nearly all the IP addresses are from China
- 30,377 requests for video files (not the video pages)
- 40 distinct video files were requested
- One host made 13,000 requests within those 40 files.
I'm running a dedicated server.
I've had a few similar "attacks" (or algorithm malfunction?) in the past, but it was only by 3 or 4 different IP addresses and so it was easy enough to just block them using iptables.
The only way I'm able to block the current "attack" and get these stats is that for some reason they all have the same referer:
If the requests didn't have this referer, I would not have a way to block these requests and my server would be beaten to a pulp. Right now I'm redirecting any request with that referer to my logger script.
Any ideas of a better way to solve this once and for all? I'm passively blocking them, but they are still trying to jam the same requests down my server's throat. And I'm afraid that they'll get rid of the referer if I try any sort of active block rather than my passive method, and I'll be screwed.
The IP addresses also seem to be from several different hosts (judging from the whois data), so it's not exactly easy to inform them all...
An example of one of the bots from the access_log:
211.139.255.10 - - [06/May/2008:22:45:31 -0400] "GET /videos/content/439_poppy2606.wmv HTTP/1.1" 403 317 "
Any tips at all?
Thanks in advance!!
- Richard
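
The per-host and per-file counts listed in the post can be pulled from a combined-format access log as sketched below. This is an added example, not the poster's logger script. The referer is a placeholder (the post's value is not shown), and the extension list, the threshold and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)
VIDEO_EXT = (".wmv", ".avi", ".mpg", ".flv")  # assumed set of video extensions

def summarize(lines, referer, threshold=3):
    """Count video requests carrying `referer` and report who sent them."""
    per_ip, files, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # truncated or malformed line: count it and move on
            continue
        path = m["path"].split("?", 1)[0].lower()  # ignore any query string
        if m["referer"] != referer or not path.endswith(VIDEO_EXT):
            continue
        per_ip[m["ip"]] += 1
        files[path] += 1
    return {
        "requests": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "distinct_files": len(files),
        "top_host": per_ip.most_common(1)[0] if per_ip else None,
        "heavy_hitters": sorted(ip for ip, n in per_ip.items() if n >= threshold),
        "skipped": skipped,
    }

# Constructed sample data; addresses come from documentation ranges.
REFERER = "http://referer-placeholder.example/"
def make_line(ip, path, ref):
    return f'{ip} - - [06/May/2008:22:45:31 -0400] "GET {path} HTTP/1.1" 403 317 "{ref}" "Mozilla/4.0"'
SAMPLE = [
    make_line("203.0.113.5", "/videos/content/a.wmv", REFERER),
    make_line("203.0.113.5", "/videos/content/b.wmv", REFERER),
    make_line("203.0.113.5", "/videos/content/a.wmv", REFERER),
    make_line("198.51.100.7", "/videos/content/a.wmv", REFERER),
    make_line("198.51.100.7", "/videos/page.html", REFERER),   # page, not a video file
    make_line("192.0.2.9", "/videos/content/a.wmv", "-"),      # ordinary visitor, no referer
    '203.0.113.5 - - [06/May/2008:22:45:40 -0400] "GET /videos/con',  # truncated line
]

if __name__ == "__main__":
    print(summarize(SAMPLE, REFERER))
```

The `heavy_hitters` list is the set of addresses at or above the threshold, which is the input a per-address block list would need.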