How can I block all HEAD requests to urls that contain a substring on Apache?

Question

A server I administer is being pounded with a poorly coded AWS-built bot that switches IPs constantly and appears to be stuck in a recursive encoding loop. The only consistent fingerprint I can see is that each request is only a HEAD request and each request appears to re-encode the previous one. So http://someurl.com/?foo=%25bar becomes ..%2525.. becomes ..%252525.. ... %2525252525252525...x1000.

Here's an example of the types of requests I see:

HEAD http://example.com/?foo=%25bar
HEAD http://example.com/?foo=%2525bar
HEAD http://example.com/?foo=%252525bar
HEAD http://example.com/?foo=%25252525bar
HEAD http://example.com/?foo=%2525252525bar
HEAD http://example.com/?foo=%2525252525...25bar (x1000)

So far I've been using Cloudflare firewalls to block each IP, but they keep switching IPs.

How can I simply block all HEAD requests containing a substring (say %25252525)?

I'm running Apache/2.4.6 (CentOS).

https://aws.amazon.com/forms/report-abuse – Michael Hampton Feb 11 '17 at 19:16 — Michael Hampton, Feb 11 '17 at 19:16
Submitted the abuse report. Thanks @MichaelHampton – Ryan Feb 11 '17 at 20:18 — Ryan, Feb 11 '17 at 20:18

score 1 · Accepted Answer · answered Feb 11 '17 at 19:00

1

How about using mod_rewrite in your .htaccess?

<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} HEAD
    RewriteCond %{QUERY_STRING} 25252525
    RewriteRule .* - [F,L]
</IfModule>

That will block all HEAD requests with a query string containing "25252525". Obviously you can tune this more as you see fit!

answered Feb 11 '17 at 19:00

cerberus

322
3
8

Assuming I did that, would these requests still show up in my apache access_log? Because the request still happened. It was just handled with the rewrite. In other words, how will I know this is successful? Just hit the append a url with `25252525` to see what happens? – Ryan Feb 11 '17 at 20:01
So far, that's exactly what is happening. I still see requests for `2525` and `252525` in my logs. But now all `25252525` (and more`25`s) are no longer being recorded in my logs. Looks to be successful. Thank you! – Ryan Feb 11 '17 at 20:30
Of course!! If you want more control over logging though, you can redirect to rsyslog. With that, you have a great deal of control over log entries to discard. But it sounds like it's all under control now. – cerberus Feb 12 '17 at 00:18

How can I block all HEAD requests to urls that contain a substring on Apache?

1 Answers1