Need help Fast with .htaccess


KozenGuide
10-09-2009, 05:55 AM
Hello,
Earlier today someone or a random script picked up a background image of my site and started sending a get_request every second to view this image, which was causing my server to use all my bandwidth and GPUs. I have since taken this image off my server, so now when you go to the image URL you get the 404 error, but since this is being requested a couple of times a second, every second, it is still using up a lot of bandwidth and GPUs. I've tried to block the IPs as you showed in your guide, but every time I do, the script requesting the URL changes and requests it from a new URL.

Below is a line from my system log of what it looks like. I get this over and over again every second, as it shows every time it tries to request this background image URL.

99.156.210.146 - - [08/Oct/2009:19:00:04 -0700] "GET /kozenguide.com/wp-content/themes/kozenguide/images/secondarybg.png HTTP/1.1" 404 19218 "-" "-"

Is there a way to block everyone from accessing this URL on my site, kozenguide.com/wp-content/themes/kozenguide/images/secondarybg.png? This way the script, even though they may change IPs, still won't be able to access this URL, which would then stop the problem. Or would this even stop the problem?

If anyone knows what I could do to stop whatever this is from requesting this URL on my site so many times, please let me know. Thanks

oesxyl
10-09-2009, 01:18 PM
try this:


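# Enable the rewrite engine, then refuse (403) every request from this one address.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^99\.156\.210\.146$
RewriteRule .* - [F,L]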


http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewritecond

best regards

KozenGuide
10-09-2009, 06:06 PM
Blocking the IP won't do anything, as this attack is switching their IP address every 10 mins. I guess this has been happening to a lot of sites with content similar to mine, and some are calling it a DDoS attack and believe it's coming from China.

Have any of you guys heard of this or know how to stop it? I'm using a WordPress site also.

oesxyl
10-09-2009, 06:11 PM
That's something else than you asked :)

best regards

clunk.werclick
10-10-2009, 01:42 PM
If you were to put in a rewrite rule, it still means Apache has to process the request, which is still an overhead. Apache is reasonably resilient at handling massive amounts of requests, but DDoS/Slow Loris type attacks can be a pain in the butt that you can do little about. Returning a 404 or 403 is probably the best you can do as far as Apache goes. Really you want to replace the content being sought by something very quick to serve. I would also suggest you make sure the directive KeepAlive is set to Off if it applies to you:

http://perl.apache.org/docs/1.0/guide/performance.html#KeepAlive

Other than that, it's IP rate control with something like IPTables or the front end firewall (but you may not have access to it).
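
Added example, not part of any post above: one way to refuse the hammered image path for every client, whatever IP it comes from, and to answer with a body of a few bytes instead of the 19218-byte 404 page visible in the log line. It assumes the site's document-root .htaccess, that AllowOverride permits mod_rewrite and ErrorDocument there, and that the standard WordPress rewrite block is present in the same file.

```apache
# Added example (assumptions: document-root .htaccess, AllowOverride FileInfo,
# standard "# BEGIN WordPress" block further down in the same file).

RewriteEngine On

# Refuse this one path for all clients. No RewriteCond on REMOTE_ADDR is
# needed, so a sender that rotates addresses gets the same answer.
# The (^|/) prefix covers both spellings seen in the thread: the log line
# shows the path under /kozenguide.com/, the post gives it without that prefix.
RewriteRule (^|/)wp-content/themes/kozenguide/images/secondarybg\.png$ - [F,L]

# Send a short literal body with the 403 instead of a full HTML error page.
ErrorDocument 403 "Forbidden"

# Keep the lines above ABOVE the WordPress block. That block hands every
# request for a file that does not exist to index.php, so a deleted image
# is answered by PHP rendering the theme's 404 page on each hit. A rule
# placed before it ends processing first and PHP never runs.
#
# # BEGIN WordPress
# ...
# # END WordPress
```

Apache still accepts and parses every request, so this only reduces the cost per hit; cutting the request rate itself is the firewall-level rate control mentioned in the last post.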