The DDoS!

It's been a couple of days that maxgrab.org has been getting a continuous DDoS! I got a mail from my hosting provider that they won't be able to support us any more because their server is being torn down by the DDoS.. duhhhh, we had to move and now we are on some hosting St0L3n provided me.

At first they promised to give us root but they didn't!! Anyways, "If it's free, take it, whatever it is". ;) They provided us with SSH access though, so as soon as I restored it the attack started once again. I was looking over the access log and found a particular pattern in the requests:

ip70-171-112-215.no.no.cox.net - - [15/Feb/2008:12:02:25 +0000] "GET /index.php HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Erm!! It makes me wonder how I can stop it with the limited power in my hands. Fired up Google and took a look at .htaccess: it allows you to ban an IP, so how about adding the DDoSers' IPs on the fly..

So what I did was add a file named filter.php above index.php.

This is how it looks:

<?php

class Filter {

    private $RequestString;
    private $RequestType;
    private $RequestUseragent;
    private $ReqStrmatch = false;
    private $ReqTypematch = false;
    private $Requsermatch = false;

    // Filter constructor. Each argument is a regular expression without delimiters.
    function __construct($ReqString, $ReqType, $ReqUseragent) {
        $this->RequestString = $ReqString;
        $this->RequestType = $ReqType;
        $this->RequestUseragent = $ReqUseragent;
    }

    // ereg() was removed in PHP 7; preg_match() with '#' delimiters replaces it.
    private function matches($pattern, $value) {
        return preg_match('#' . $pattern . '#', $value) === 1;
    }

    // Requested string matched the pattern
    function FilterRequestString() {
        $rcvReqstring = $_SERVER['REQUEST_URI'];
        if ($this->matches($this->RequestString, $rcvReqstring))
            $this->ReqStrmatch = true;
    }

    // Request type matched the pattern
    function FilterRequestType() {
        $rcvReqstring = $_SERVER['REQUEST_METHOD'];
        if ($this->matches($this->RequestType, $rcvReqstring))
            $this->ReqTypematch = true;
    }

    // Requested user agent matched the pattern (the header may be absent)
    function FilterRequestUseragent() {
        $rcvReqstring = $_SERVER['HTTP_USER_AGENT'] ?? '';
        if ($this->matches($this->RequestUseragent, $rcvReqstring))
            $this->Requsermatch = true;
    }

    // Run all three checks and block the client only if every one matched.
    function FilterIT() {
        $this->FilterRequestString();
        $this->FilterRequestType();
        $this->FilterRequestUseragent();
        if (($this->ReqStrmatch) && ($this->ReqTypematch) && ($this->Requsermatch)) {
            // If we are here we got a bad bad request!
            $this->block($_SERVER['REMOTE_ADDR']);
        }
        return;
    }

    function block($ip) {
        $array = file(".htaccess");
        // Take off the last line (the closing </Limit>), add the deny rule, put it back.
        $a = array_pop($array);
        array_push($array, "deny from " . $ip);
        array_push($array, $a);
        // Trim whitespace from each line (i.e., array element).
        $array = array_map('trim', $array);
        // Remove duplicate lines.
        $array = array_unique($array);
        // Join the lines, separated by "\n", into a single string.
        $data = implode("\n", $array) . "\n";
        // Write the string back to .htaccess; LOCK_EX stops two requests writing at the same moment.
        file_put_contents(".htaccess", $data, LOCK_EX);
    }
}

$abc = new Filter('^/index\.php$', 'GET', '^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)$');
$abc->FilterIT();

?>

Now as soon as a request arrives it gets filtered, and if it comes from one of the DDoSers' IPs, that IP gets added to the .htaccess file.

Keep in mind the structure of the .htaccess should be like:

<Limit GET POST>
order allow,deny
allow from all
deny from abc.com
</Limit>
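The same signature can also be checked offline against the access log before anything is written to .htaccess. The sketch below is an added example, not code from the original post: it parses combined-format log lines, matches the request pattern quoted above (including the empty referer), and emits `deny from` lines only for clients that repeat it at least `threshold` times within one minute, because that user agent is also sent by ordinary browsers. The threshold, the function names and every sample line except the host quoted in the post are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache combined log: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Signature taken from the log line quoted in the post.
SIGNATURE = {
    "method": "GET",
    "uri": "/index.php",
    "referer": "-",
    "agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
}

def matches_signature(line):
    """Return (host, minute) if the line matches the signature, else None."""
    m = LOG_RE.match(line.strip())
    if m and all(m.group(k) == v for k, v in SIGNATURE.items()):
        return m.group("host"), m.group("time")[:17]  # "15/Feb/2008:12:02"
    return None

def deny_lines(log_lines, threshold=3):
    """Build 'deny from' rules for hosts hitting the signature >= threshold times in a minute."""
    per_minute = Counter()
    for line in log_lines:
        key = matches_signature(line)
        if key:
            per_minute[key] += 1
    hosts = {host for (host, _minute), n in per_minute.items() if n >= threshold}
    return ["deny from " + h for h in sorted(hosts)]

def _line(host, ts, agent=SIGNATURE["agent"]):
    # Helper that builds one constructed log line in the format shown in the post.
    return (f'{host} - - [15/Feb/2008:{ts} +0000] '
            f'"GET /index.php HTTP/1.1" 200 - "-" "{agent}"')

# Constructed sample log: one flooding host, one single visitor with the same
# user agent, one slow repeat visitor, and one client with a different agent.
SAMPLE_LOG = (
    [_line("ip70-171-112-215.no.no.cox.net", f"12:02:{s}") for s in ("25", "26", "27", "31")]
    + [_line("192.0.2.10", "12:02:40")]
    + [_line("198.51.100.7", t) for t in ("12:02:50", "12:02:55", "12:03:10")]
    + [_line("203.0.113.5", f"12:02:{s}", agent="Mozilla/5.0 (X11; Linux)") for s in ("01", "02", "03")]
)

if __name__ == "__main__":
    print("\n".join(deny_lines(SAMPLE_LOG)))
```

The printed lines go before the closing `</Limit>` in the .htaccess structure shown above.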

This is what I can do best!! But again.. no hardcore solution available yet!

~ by azimyasin on February 16, 2008.

2 Responses to “The DDoS!”

  1. Sorry M8, got called away (for 2 days) ..
    To resume:
    I have often nested functions, within functions, in C++, without any problem whatsoever ..

    Whatever, or whoever, made you believe that it couldn’t be done, was wrong I’m afraid ..

    The usual problem is 'scope', or to describe it more accurately, going out of 'scope' ..

    When you come out of a function, variables that were available inside that function, are no longer available outside the function..

    To prevent this, all you need to do is – use global variables, declared initially in the main body of the program, then, no problem going in, and out, of embedded functions ..

    There is a more tasteful method of course, and that requires a set of globals, and feed any values to them before leaving the function (or sub function), concerned ..

    Hope that helps someone, somewhere, sometime my friend .. :)

    Pro ..


  2. Compiler: Default compiler
    Executing g++.exe…
    g++.exe "C:\Documents and Settings\Azeem\My Documents\check.cpp" -o "C:\Documents and Settings\Azeem\My Documents\check.exe" -I"E:\Dev-Cpp\lib\gcc\mingw32\3.4.2\include" -I"E:\Dev-Cpp\include\c++\3.4.2\backward" -I"E:\Dev-Cpp\include\c++\3.4.2\mingw32" -I"E:\Dev-Cpp\include\c++\3.4.2" -I"E:\Dev-Cpp\include" -L"E:\Dev-Cpp\lib"
    C:\Documents and Settings\Azeem\My Documents\check.cpp: In function `int i(int)':
    C:\Documents and Settings\Azeem\My Documents\check.cpp:6: error: a function-definition is not allowed here before '{' token

    C:\Documents and Settings\Azeem\My Documents\check.cpp:6: error: expected `,' or `;' before '{' token
    C:\Documents and Settings\Azeem\My Documents\check.cpp:9: error: `j' undeclared (first use this function)
    C:\Documents and Settings\Azeem\My Documents\check.cpp:9: error: (Each undeclared identifier is reported only once for each function it appears in.)

    Execution terminated

    Code I used was
    #include
    #include

    int i(int a) {
    int j(int jk)
    {
    return jk;
    }
    return j(5);
    }

    int main() {

    int a = i(50);

    }

    Can you paste in some demonstration?
