How can I stop a bot attack on my site?

Posted by tnorthcutt on Pro Webmasters See other posts from Pro Webmasters or by tnorthcutt
Published on 2010-07-28T15:58:45Z Indexed on 2012/12/13 11:21 UTC
Read the original article Hit count: 271

Filed under:

htaccess

|

botattack

I have a site (built with wordpress) that is currently under a bot attack (as best I can tell). A file is being requested over and over, and the referrer is (almost every time) turkyoutube.org/player/player.swf. The file being requested is deep within my theme files, and is always followed by "?v=" and a long string (i.e. r.php?v=Wby02FlVyms&title=izlesen.tk_Wby02FlVyms&toke).

I've tried setting an .htaccess rule for that referrer, which seems to work, except that now my 404 page is being loaded over and over, which is still using lots of bandwidth. Is there a way to create an .htaccess rule that requires no bandwidth usage on my part?

I also tried creating a robots.txt file, but the attack seems to be ignoring that.

#This is the relevant part of the .htaccess file:
RewriteCond %{HTTP_REFERER} turkyoutube\.org [NC]
RewriteRule .* - [F]

© Pro Webmasters or respective owner

Related posts about htaccess

Seeking htaccess help: Converting multiple subdomains (both http and https) to www.domain.com using .htaccess

as seen on Pro Webmasters - Search for 'Pro Webmasters'
I've been trying to get an answer to this question on other forums (the folks at SuperUser thought this was the place I needed to post) and via my connections, but I haven't gotten very far. Hopefully you guys can help me find an answer: I've got a dozen old subdomains that have been indexed by Google… >>> More
Disable .htaccess or disable some rules from .htaccess on specific URL

as seen on Server Fault - Search for 'Server Fault'
I have Kerberos-based authentication and I want to disable it on only root url: mysite.com/. And I want it to works fine on any other page like mysite.com/page1. I have such things in my .htaccess: AuthType Kerberos AuthName "Domain login" KrbAuthRealms DOMAIN.COM KrbMethodK5Passwd on Krb5KeyTab… >>> More
.htaccess Permission denied. Unable to check htaccess file

as seen on Server Fault - Search for 'Server Fault'
Hi, I have a strange problem when adding a sub-domain to our virtual server. I have done similar sub-domains before and they have worked fine. When I try to access the sub-domain I get an 403 Forbidden error. I checked the error logs and have the following error: pcfg_openfile: unable to check… >>> More
.htaccess Permission denied. Unable to check htaccess file

as seen on Server Fault - Search for 'Server Fault'
I have a strange problem when adding a sub-domain to our virtual server. I have done similar sub-domains before and they have worked fine. When I try to access the sub-domain I get an 403 Forbidden error. I checked the error logs and have the following error: pcfg_openfile: unable to check htaccess… >>> More
Permission denied: /home/.htaccess pcfg_openfile: unable to check htaccess file

as seen on Server Fault - Search for 'Server Fault'
This domain was working this morning, now I get a 403 error and the message above in my error log. I'm not using .htaccess files but I have been doing some copy on the server so may have messed things up but no changes to this domain (unless by accident!). What is this pcfg_openfile thing anyway? Done… >>> More

Related posts about botattack

What is the most time-effective way to monitor & manage threats from bots and/or humans?

as seen on Pro Webmasters - Search for 'Pro Webmasters'
I'm usually overwhelmed by the amount of tools that hosting companies provide to track & quantify traffic data and statistics. I'm equally overwhelmed by the countless flavors of malicious 'attacks' that target any and every web site known to man. The security methods used to protect both… >>> More
Adsense click bot is click bombing my site

as seen on Pro Webmasters - Search for 'Pro Webmasters'
I have a site that get's roughly 7,000 - 10,000 page views per day right now. Starting around 1 AM on 7/1/12 I noticed the CTR was rising dramatically. These clicks would be credited then de-credited soon after. So, they were obviously fraudulent clicks. The next day I had about 200 clicks in… >>> More
Receiving requests where absolute URL on page are morphed to relative URLs

as seen on Pro Webmasters - Search for 'Pro Webmasters'
In our web pages, we have a hyperlink with an href to an absolute URL: https://some.other.host.com/blah.aspx?var1=val1&var2=val2 For some reason, in our logs, we see a lot of requests to URLs of this format: http://our.site.com/https:/some.other.host.com/blah.aspx?var1=val1&var2=val2 We… >>> More
Spam bot constantly hitting our site 800-1,000 times a day. Causing loss in sales

as seen on Pro Webmasters - Search for 'Pro Webmasters'
For the past 5 months our site has been receiving hits from these 4 sites below; sheratonbd.com newsheraton.com newsheration.com newsheratonltd.com Typically the exact url they come from looks something like this; http://www.newsheraton.com/ClickEarnArea.aspx?loginsession_expiredlogin=85 The… >>> More
Why are we being twitter spammed?

as seen on Pro Webmasters - Search for 'Pro Webmasters'
This is a search relating to us: https://twitter.com/#!/search/realtime/scirra We're getting a of of new accounts tweeting: The Layers Bar - Scirra.com Firstly this is not us doing it as we're quite proud of doing everything completely whitehat. Also this tweet doesn't make any sense, "The Layers… >>> More