DDOS attack

[fastproxy]

Hi,

I am being attacked by botnet and Litespeed cant stand.
log:

xxx.187.164.74 - - [19/Mar/2008:23:12:04 -0500] "GET /?do=login&801120790 HTTP/1.1" 403 381 "http://www.geocities.jp/iphonevn2007/bonus.ini" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MEGAUPLOAD 2.0)"


I tried to block referer from geocities.jp, but it does not help.

Any idea?

 

[mistwang]

Use mod_security rule + CSF to block them automatically.

 

[fastproxy]

Hi,

can yoi please please be more specific on what rule to use?

Thanks

 

[fastproxy]

Now they use POST

xxxxxxxxxxxx - - [20/Mar/2008:10:06:47 -0500] "POST /forum/?199904685 HTTP/1.1" 403 381 "http://www.geocities.jp/iphonevn2007/bonus.ini" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; MEGAUPLOAD 1.0; Zango 10.3.36.0)"

 

[mistwang]

You need to find out the pattern of the attack and create custom mod_security rule.

 

[fastproxy]

The pattern is that they all have the same referer from http://www.geocities.jp/iphonevn2007/bonus.ini

How can i block this using security rule? I used .htaccess to block all referer from www.geocities.jp but it does not stop.

 

[vivek]

Some kind of same problem is with me also,
Rootkit install attempts, Apache + Modsec+ CSF is blocking all such attempts ,but when I change to litespeed, it is not blocking ( I am not getting the mails from CSF when such attempts are blocked)