0

Yesterday I noticed in our Apache logs that there is someone constantly accessing our website, sometimes 5 times a second or so, and sometimes once in 5 seconds. However, it's happening 24 hours a day. This has been going on for 5 days now and I think it's enough. The problem is that his IP seems to change almost every day. It's always in the following Chinese subnet:

112.94.*.*

As I do not want to block that huge range of IP addresses, what would be the best way to prevent this person from doing what he is doing?

Chris

1 Answer

4

Block his subnet.

Unless you can nail down something more specific. It could be a search engine and it may be possible to see it on the browser identification string.

But if you do not find something more specific - it is block the subnet time.

TomTom
  • Thanks for your reply. The user agent is pretty unique I think: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22" I don't think it's a solid solution to block the connection based on user agent though, so I will go for your solution for now, thank you. – Chris Jan 19 '14 at 12:12
  • 2
    Actually it is. Block all requests from the network block that come ONLY with this agent and you are less blocking than a pure IP block ;) – TomTom Jan 19 '14 at 14:27
  • Couple of things to note: 1) this UA was *very* common around 8 months ago (around 10% of my traffic) but it's unusual now as Chrome auto-upgrades itself. 2) Blocking by user agent needs to be implemented high in the stack (e.g. on the webserver) rather than iptables (the latter is possible - but messy) 3) you should already be running fail2ban if you can profile unwelcome traffic in realtime. – symcbean Jan 19 '14 at 15:50
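
The combined rule from the comments above (the 112.94.*.* subnet and that exact user agent together), run over access-log lines to compare what it would block against a subnet-only block. This is an added example, not code from the thread; it assumes Apache's "combined" log format, and the sample log lines, function names and the 198.51.100.4 address are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Values taken from the question and the first comment above.
SUBNET = ipaddress.ip_network("112.94.0.0/16")  # 112.94.*.*
BAD_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 "
          "(KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22")

# Assumed format: host ident user [time] "request" status bytes "referer" "agent"
# Quoted fields may contain backslash-escaped quotes, as Apache writes them.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'$')

def classify(line):
    """Return 'block', 'subnet-only' or 'pass'; None if the line cannot be parsed."""
    m = COMBINED.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # a hostname was logged instead of an address
    if ip not in SUBNET:
        return "pass"  # same UA from elsewhere is left alone
    # Inside the subnet: only the exact user agent is blocked.
    return "block" if m.group(4) == BAD_UA else "subnet-only"

def summarize(lines):
    """Count how many parsed requests fall into each class."""
    return Counter(c for c in map(classify, lines) if c is not None)

# Constructed sample log lines (not taken from the asker's server).
TAIL = ' - - [19/Jan/2014:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" '
SAMPLE = [
    "112.94.10.7" + TAIL + '"' + BAD_UA + '"',
    "112.94.200.31" + TAIL + '"' + BAD_UA + '"',
    "112.94.3.9" + TAIL + '"Mozilla/5.0 (X11; Linux x86_64) Firefox/26.0"',
    "198.51.100.4" + TAIL + '"' + BAD_UA + '"',
    "truncated or malformed line",
]

if __name__ == "__main__":
    for kind, count in summarize(SAMPLE).items():
        print(kind, count)
```

Requests counted as `subnet-only` are the ones a pure subnet block would also have dropped; running this over a real log before enabling either rule shows how many other visitors from that range would be affected.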