
A server I run is currently getting spammed... hard...

The IPs are changing every few requests. The server is now returning 403s for anything POSTed at /contact/, but the spammy script/bot is still hitting the server hard, taking up resources and bandwidth...

My NGINX log is showing this like 50 times a minute:

123.456.789.012 - - [Month/Day/2020:13:37:05 -0500] "GET /contact/ HTTP/1.1" 200 5057 "-" "-"
123.456.789.012 - - [Month/Day/2020:13:37:04 -0500] "POST /contact/ HTTP/1.1" 403 580 "https://example.com/contact/" "User Agent String"

1.) How can I block GETs w/ no user agents? (anything that has no referrer or user agent, i.e. "-" "-"). I'm assuming that's pretty unique to whatever script/bot the spammer is using.
2.) Am I correct in thinking that by blocking the GET, it'll get rid of the POST?
3.) Are there any other ways to handle this flood of requests, or do I have to just wait until the attacker gets bored and turns off the script/bot(s)?

jon.s
  • This may be on the right track: https://stackoverflow.com/questions/15599544/how-to-block-specific-human-looking-user-agent-in-nginx but can I use "-" as the user agent? – jon.s Mar 31 '20 at 21:06

1 Answer


Nginx has some decent rate limiting built in; you can configure it based on any variable available within Nginx, so you could apply it to individual IP addresses, a range of IPs, any of the request headers or whatever.

You can apply limits only in certain locations, choose how to handle requests over the limit, etc.

Check out the guide here for some examples.

miknik
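A combined nginx configuration that covers both threads here, the question's request to refuse requests that send no User-Agent and the answer's built-in rate limiting; this is an added example, not configuration from either poster. It assumes the host name example.com seen in the log's Referer and that the /contact/ location already contains the directives that actually serve the page.

```nginx
# Shared-memory zone keyed on the client address: 10 MB of state, 5 requests/minute.
# Keying on $binary_remote_addr means the limit follows each IP even as the bot rotates them.
limit_req_zone $binary_remote_addr zone=contact_form:10m rate=5r/m;

# Nginx logs an absent User-Agent as "-"; map that case to a flag.
# Referer is deliberately not used: legitimate direct visits also have no Referer.
map $http_user_agent $no_user_agent {
    default 0;
    ""      1;
}

server {
    listen 80;
    server_name example.com;   # assumed from the Referer in the log

    location /contact/ {
        # 1) Refuse any request (GET or POST) that carries no User-Agent at all.
        if ($no_user_agent) {
            return 403;
        }

        # 2) Throttle whatever remains, per client address.
        #    burst=5 allows a short spike; nodelay rejects the excess immediately
        #    instead of queueing it, so it stops consuming worker time.
        limit_req zone=contact_form burst=5 nodelay;
        limit_req_status 429;
        limit_req_log_level warn;

        # ... existing root / proxy_pass / fastcgi_pass directives for the contact page ...
    }
}
```

limit_req applies to every method, so POSTs that do carry a User-Agent (as in the second log line) are still throttled per address. Rejected requests are written to the error log at the level set by limit_req_log_level, which is the cheapest place to watch whether the flood is subsiding.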