Well, I'm sure all of you have heard about this by now: idiots using sites like gigaloader and other vampire scripts in order to take down a website. These attacks usually originate from chan boards and similar online groups.
It is fairly easy to stop these types of attacks. It's very, very easy to stop them using litespeed, but you can still hold out with apache. If you have apache you need mod_security. This method will also work with certain .htaccess rules and more complex mod_security rules, but I find this the easiest way.
Most of them will use gigaloader right off. Now, you can request that domains be blacklisted from it, but that won't do you much good while you are under heavy attack. But first, go to where the access.log for the attacked domain is. For example, in directadmin it would be /etc/httpd/logs/domains/domain.log, and in cpanel it would be /usr/local/apache/domlogs/domain.log.
Here is the first mod_security rule to add before even checking the logs. You simply place this in your mod_security rules file or in the module area in httpd.conf:
SecFilterSelective "HTTP_REFERER" "(giga|gigaloader.com|gigaloader)"
Then run tail -f domain.log on the attacked domain's log. You should see gigaloader getting 403s. Then you may see some other bandwidth-attacking scripts from free sites or other domains.
When you see the attacks originating from other domains, add another rule like the first one:
SecFilterSelective "HTTP_REFERER" "(newdomains.com|new.com|newdomains)"
Of course, where you see "new" you put the domain of the attacking script.
You can also block user agents with mod_security and .htaccess rules. But I find these rules work well when you are in a hurry. It can be a bitch to handle these types of attacks on apache. With litespeed you can eat these types of attacks all day and it wouldn't hurt anything.
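To pick out the referring domains from the log in one pass instead of watching tail -f, here is an added example (not part of the original post). It assumes the log is in Apache combined format; example.com stands in for the attacked domain, and the log lines in sample_log are constructed.

```shell
#!/bin/sh
# Summarise external Referer hosts from an Apache combined-format log on stdin.
# Output per host: hits, hits answered 403, bytes actually served, host.
# Usage: referer_hosts OWN_DOMAIN < domain.log
referer_hosts() {
    awk -F'"' -v own="$1" '
    {
        ref = $4                                   # 4th quote-delimited field = Referer
        if (ref == "" || ref == "-") next          # no referer sent
        host = tolower(ref)
        sub(/^[a-z]+:\/\//, "", host)              # strip scheme
        sub(/[\/:?#].*$/, "", host)                # strip port, path, query
        sub(/^www\./, "", host)
        suffix = "." own                           # skip our own pages and subdomains
        if (host == own) next
        if (length(host) > length(suffix) &&
            substr(host, length(host) - length(suffix) + 1) == suffix) next
        split($3, st, " ")                         # st[1] = status, st[2] = bytes
        hits[host]++
        if (st[1] == "403") denied[host]++         # already caught by a block rule
        else if (st[2] ~ /^[0-9]+$/) bytes[host] += st[2]
    }
    END {
        for (h in hits)
            printf "%d %d %d %s\n", hits[h], denied[h], bytes[h], h
    }' | sort -k1,1nr -k4,4
}

# Constructed sample log lines (documentation IP ranges, made-up leech.example host).
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [10/Jan/2008:12:00:01 +0000] "GET /img/banner.jpg HTTP/1.1" 403 210 "http://www.gigaloader.com/" "Mozilla/4.0"
198.51.100.8 - - [10/Jan/2008:12:00:01 +0000] "GET /img/banner.jpg HTTP/1.1" 403 210 "http://gigaloader.com/user/x" "Mozilla/4.0"
203.0.113.5 - - [10/Jan/2008:12:00:02 +0000] "GET /img/banner.jpg HTTP/1.1" 200 500000 "http://leech.example/load.php?u=1" "Mozilla/4.0"
203.0.113.6 - - [10/Jan/2008:12:00:02 +0000] "GET /img/banner.jpg HTTP/1.1" 200 500000 "http://leech.example/load.php?u=1" "Mozilla/4.0"
203.0.113.6 - - [10/Jan/2008:12:00:03 +0000] "GET /img/banner.jpg HTTP/1.1" 200 500000 "http://leech.example/load.php?u=2" "Mozilla/4.0"
192.0.2.10 - - [10/Jan/2008:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 4000 "http://www.example.com/" "Mozilla/4.0"
192.0.2.11 - - [10/Jan/2008:12:00:04 +0000] "GET / HTTP/1.1" 200 4000 "-" "Mozilla/4.0"
EOF
}

sample_log | referer_hosts example.com
```

A host with many hits, zero 403s and a large byte count is one that no rule covers yet; a host whose hits are all 403s is already blocked.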
2 users responded in this post
I wasn’t sure if you knew this or not, but this is no longer accurate, and hasn’t been since the release of the 2.x version of mod_security. The SecFilterSelective command has been deprecated, and current versions of the software don’t seem to work with it.
I believe you need a form of the SecRule directive now.
Hey chasock. Yes, I have the rules for the older version.
I made this mostly for litespeed server because it does not read the new rules. In the future I am going to get the new rules for apache and update this. I figured as well most people are still with 1.9x*.
noted
Thanks for your comment