Block most DDoS using htaccess file!

Status
Not open for further replies.

l0calh0st

Hey, I found this on the net and wanted to share this with you all:

Lately, it seems DDOS attacks have become a more popular way for a tech savvy customer or competitor to attempt a bit of revenge. I’ve consulted on several emergency projects within the past month in which a client’s server – web sites creating sales of over $100,000 per day – were brought down for hours or days due to DDOS attacks that are easily mitigated with the proper techniques.
Distributed denial of service or “DDOS” attacks are quite common. Larger companies with hefty CPUs and server bandwidth often notice it only as a spike in hits. Small businesses notice it when their site goes offline, email stops coming in, and revenue comes to a screeching halt!
Here are some of the basic Linux security tools & techniques I use to help clients bring their servers back online.
An effective .htaccess file is the fastest and most direct approach to mitigating DDOS attacks. It is important to browse to your server after editing your .htaccess file as any mistake in syntax can cause a 500 error for everyone attempting to access your site.
Here is the template .htaccess file I use:

Code:
# BEGIN .HTACCESS FILE
# The following lines use the Apache mod rewrite module to redirect certain web queries to where you want them to go. This is an effective security tool as well as great for the user experience in many cases. If you are using lighttpd or are not using mod_rewrite with Apache the below "rewrite" lines do nothing.
 
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
 
# Example Redirects
# Redirect /this-is-the-shortcut http://yourdomainhere.com/whatever/long-URL/you-want-to-redirect-to/with-that-shortcut-goes-here
# Redirect /myaccount http://yourdomainhere.com/memberaccounts/accountlogin.php
# It is important for server performance to order your .htaccess "deny from" and "allow from" statements with deny first, then allow after all of the deny directives.
 
order deny,allow
# The following regional blacklists are from http://www.wizcrafts.net/russian-blocklist.html as of 1-14-2010
# Nigerian/African 419 Scammers IP addresses follow:
deny from 12.166.96.32/27 41.138.160.0/19 41.184.0.0/16 41.189.0.0/19 41.189.32.0/19 41.190.88.0/22 41.191.84.0/22 41.191.108.0/22 41.194.52.0/22 41.202.0.0/17 41.202.128.0/19 41.202.192.0/19 41.203.96.0/19 41.203.224.0/20 41.204.0.0/17 41.204.128.0/18 41.204.224.0/19 41.205.0.0/19 41.205.64.0/19 41.205.160.0/19 41.207.0.0/19 41.207.160.0/19 41.207.192.0/19 41.208.48.0/23 41.208.128.0/18 41.210.0.0/18 41.210.192.0/18 41.211.0.0/19 41.211.192.0/18 41.214.0.0/17 41.215.160.0/20 41.217.0.0/17 41.218.192.0/18 41.219.128.0/17 41.220.0.0/16 41.221.160.0/20 41.222.0.0/21 41.222.24.0/21 41.222.40.0/21 41.222.64.0/21 41.222.192.0/22 41.223.24.0/22 41.223.64.0/22 41.223.248.0/22 41.248.0.0/16 41.250.0.0/16 61.11.230.112/29 62.56.128.0/17 62.56.235.0/24 62.56.236.0/24 62.56.244.0/22 62.56.248.0/24 62.128.160.0/20 62.173.32.0/19 62.192.128.0/19 62.192.140.250 62.193.160.0/19 63.70.178.0/24 63.73.58.0/24 63.100.193.0/24 63.103.138.0/24 63.103.139.64/26 63.103.140.0/22 63.109.245.168/29 63.109.247.0/24 63.109.248.128/25 63.122.154.0/24 64.14.48.128/26 62.24.96.0/19 64.86.155.0/24 64.86.210.0/23 64.110.30.0/24 64.110.31.0/24 64.110.64.16/28 64.110.76.0/23 64.110.81.0/24 64.110.93.16/28 64.110.93.176/28 64.110.147.0/24 64.201.33.0/24 65.120.56.0/21 65.209.91.0/24 65.209.92.0/24 66.18.64.0/19 66.110.31.0/24 66.178.0.0/17 66.199.241.82 66.205.20.0/24
deny from 77.70.128.0/24 77.70.129.0/26 77.70.137.0/25 77.70.138.0/23 77.73.184.0/21 77.220.0.0/20 78.138.2.0/24 78.138.3.200/29 78.138.3.208/28 78.138.3.224/28 78.138.8.8/29 78.138.32.32/27 78.138.33.144/29 80.78.16.168/29 80.78.16.176/28 80.78.16.192/28 80.78.17.0/24 80.78.18.88/29 80.78.18.96/27 80.78.18.128/29 80.78.19.16/29 80.78.19.104/29 80.78.19.112/28 80.78.23.16/28 80.87.64.0/19 80.88.128.0/20 80.88.129.0/24 80.88.130.0/24 80.88.131.0/24 80.88.132.0/26 80.88.132.64/27 80.88.132.104/29 80.88.132.128/26 80.88.132.192/27 80.88.132.224/28 80.88.132.240/29 80.88.133.0/25 80.88.134.0/26 80.88.134.64/29 80.88.135.0/24 80.88.136.0/24 80.88.137.0/24 80.88.138.0/25 80.88.138.128/26 80.88.138.192/27 80.88.139.0/25 80.88.139.128/26 80.88.139.192/27 80.88.139.224/28 80.88.140.0/24 80.88.141.0/25 80.88.141.128/27 80.88.142.0/24 80.88.143.128/24 80.88.144.0/23 80.88.146.0/24 80.88.147.0/24 80.88.148.0/24 80.88.149.0/25 80.88.149.128/26 80.88.149.192/28 80.88.150.0/24 80.88.151.0/24 80.88.152.0/24 80.88.153.0/24 80.88.154.32/27 80.88.154.72/29 80.88.154.80/29 80.88.154.96/28 80.88.155.0/25 80.88.155.128/27 80.88.155.160/29 80.89.176.0/24
deny from 80.179.102.0/24 80.179.107.64/27 80.179.107.224/29 80.179.128.0/17 80.231.4.0/23 80.240.192.0/20 80.247.136.0/24 80.247.137.0/24 80.247.141.32/27 80.247.141.64/26 80.247.141.128/25 80.247.142.0/24 80.247.147.16/28 80.247.147.32/29 80.247.147.64/27 80.247.147.96/28 80.247.151.0/24 80.247.153.0/24 80.247.156.0/26 80.247.156.128/28 80.247.157.0/24 80.247.159.0/24 80.248.0.0/20 80.248.64.0/23 80.248.70.0/20 80.248.64.0/20 80.250.32.0/20 80.255.40.48/28 80.255.40.96/29 80.255.40.112/28 80.255.40.128/28 80.255.40.192/28 80.255.40.224/27 80.255.40.240/28 80.255.41.160/28 80.255.43.0/24 80.255.46.0/29 80.255.46.16/28 80.255.46.64/29 80.255.58.160/27 80.255.58.192/26 80.255.59.19 80.255.59.232/29 80.255.59.240/29 80.255.61.0/25 81.18.32.0/20 81.18.40.0/24 81.18.42.0/24 81.23.194.0/27 81.23.194.64/27 81.23.194.128/25 81.23.195.0/24 81.23.196.0/25 81.23.196.128/29 81.23.200.0/21 81.24.0.0/20 81.91.224.0/20 81.199.0.0/16 82.128.0.0/17 82.205.242.0/23 83.137.59.8/29 83.137.61.0/24 83.138.167.40/29 83.229.0.0/17 84.254.188.3 84.254.128.0/18
deny from 155.239.0.0/16 192.116.64.0/18 192.116.128.0/18 192.116.152.0/21 192.118.71.0/24 193.93.96.0/22 193.95.0.0/17 193.110.2.0/23 193.189.0.0/18 193.189.64.0/23 193.189.128.0/24 193.194.64.0/19 193.219.192.0/18 193.220.0.0/16 193.220.26.0/24 193.220.30.0/26 193.220.30.64/27 193.220.31.0/26 193.220.31.64/27 193.220.45.0/25 193.220.47.0/25 193.220.77.0/26 193.220.187.0/26 193.220.187.128/27 195.8.22.0/24 195.10.109.192/26 195.24.192.0/19 195.44.168.0/21 195.44.176.0/21 195.137.13.0/24 195.137.14.0/24 195.166.224.0/19 195.214.240.0/21 195.219.176.0/24 195.225.62.0/23 195.245.108.0/23 196.0.0.0/16 196.1.176.0/20 196.3.60.0/22 196.3.180.0/22 196.20.0.0/19 196.29.96.0/19 196.29.216.0/21 196.29.224.0/20 196.44.96.0/19 196.45.192.0/18 196.46.240.0/21 196.128.0.0/10 196.192.0.0/12 196.208.0.0/14 196.212.0.0/14 196.220.0.0/19 198.54.0.0/16 204.16.124.0/22 204.118.170.0/24 206.113.97.0/24 208.70.0.0/21 208.78.56.0/21 209.88.163.0/24 209.101.84.0/24 209.159.160.0/20 209.198.240.0/23 209.198.242.16/28 209.198.242.96/29 209.198.242.104/30 209.198.242.108/31 209.198.242.128/27 209.198.246.240/28 212.49.64.0/19 212.52.128.0/19 212.60.64.0/19 212.85.192.0/19 212.96.0.0/19 212.100.64.0/19 212.165.128.0/17 212.165.132.64/27 212.165.135.0/24 212.165.140.16/29 212.165.140.64/26 212.165.140.128/25 212.165.141.0/24 212.165.147.0/26 212.165.147.128/26 212.165.183.0/24 212.199.108.0/24 212.199.251.0/24 212.247.93.0/24
deny from 213.136.96.0/19 213.140.62.0/23 213.150.192.0/23 213.154.64.0/19 213.166.160.0/19 213.181.64.0/19 213.185.96.0/21 213.185.106.0/24 213.185.112.0/24 213.185.113.0/26 213.185.113.64/27 213.185.113.96/27 213.185.118.160/27 213.185.118.192/26 213.185.124.0/24 213.187.135.0/24 213.187.145.0/24 213.211.128.0/18 213.211.188.0/24 213.232.96.0/24 213.255.193.0/24 213.255.194.0/24 213.255.195.0/24 213.255.198.0/24 213.255.199.0/24 216.72.104.0/21 216.74.187.0/24 216.118.252.0/24 216.118.253.0/24 216.118.254.0/24 216.129.147.128/28 216.129.159.0/24 216.133.174.0/24 216.139.160.0/19 216.147.132.144/28 216.147.132.160/28 216.147.134.0/24 216.147.159.0/24 216.185.79.0/24 216.236.200.96/28 216.236.202.96/28 216.236.205.0/24 216.236.222.128/26 216.250.195.0/27 216.250.195.64/26 216.250.221.0/24 216.250.222.0/24 216.252.176.0/24 216.252.177.0/24 216.252.231.0/25 216.252.245.0/24 217.10.163.128/26 217.10.163.192/27 217.10.163.224/27 217.10.166.0/26 217.10.166.64/28 217.10.169.0/24 217.10.170.0/24 217.10.171.0/24 217.10.173.0/26 217.10.182.0/27 217.10.184.0/24 217.14.80.0/20 217.15.124.0/25 217.20.240.0/20 217.20.241.0/25 217.20.241.128/29 217.20.241.136/29 217.20.241.144/28 217.20.241.160/29 217.20.241.168/29 217.20.241.176/29 217.20.241.184/29 217.20.241.192/29 217.20.241.200/29 217.20.241.208/29 217.20.242.0/24 217.20.243.16/28 217.20.243.32/27 217.21.64.0/19 217.78.64.0/20 217.117.0.0/20 217.146.3.144/28 217.146.3.160/28 217.146.3.176/29 217.146.3.224/27 217.146.4.64/26 217.146.5.0/24 217.146.6.0/25 217.146.6.160/27 217.146.7.0/24 217.146.8.0/25 217.146.9.0/24 217.146.10.128/25 217.146.11.0/25 217.146.12.0/24 217.146.13.0/24 217.146.14.0/25 217.146.15.0/25 217.146.16.0/27 217.146.16.32/29 217.168.112.0/20 217.194.140.0/22 217.194.144.0/20 217.199.144.0/20 217.212.242.0/23
# Pretoria Z.A. Used by some lottery scammers. Block these CIDRs if you get scammers from Pretoria, but no legit visitors!
deny from 41.241.0.0/16 41.242.0.0/16 41.243.0.0/16 41.245.0.0/16 41.246.0.0/16
# Johannesburg, Gauteng, South Africa
deny from 41.26.0.0/16 41.28.0.0/16 41.112.0.0/12 165.146.0.0/18
# Algeria
deny from 41.200.0.0/15 193.194.64.0/19
# Morocco
deny from 41.140.0.0/14
# Added Goldenlines.net.il (Israel) because of Open Proxies used by Nigerian scammers
deny from 80.179.244.0/24
# Amsterdam, The Netherlands - DSL-NAT Customers and web hosting clients - Lottery and 419 scammers
deny from 62.59.36.0/22 62.59.40.0/21 62.59.48.0/22 79.170.90.0/24 82.93.0.0/16 82.168.0.0/14 85.92.141.0 87.249.104.0/23 194.60.207.0/24
# Freenet in Germany (freenet.de); Used as spam relay by many Nigerian scammers, in March, 2008.
# Choose one of the following CIDRs:
# Narrow freenet.de CIDR, used by recent scammers:
deny from 195.4.92.0/23
# Full Freenet.de CIDR:
deny from 195.4.0.0/16
# ISPs in Spain, France and Italy, used by many expatriot Nigerian lottery and 419 scammers (Cableuropa, Ibercom, Ono.com, Telefonica)
deny from 62.42.0.0/16 80.13.0.0/16 80.24.0.0/16 80.25.0.0/16 80.36.0.0/14 81.34.0.0/16 81.45.0.0/16 81.202.0.0/15 82.63.128.0/18 82.90.0.0/15 82.194.64.0/19 82.196.0.0/19 83.54.0.0/16 84.120.0.0/13 85.39.0.0/16 85.91.64.0/19 88.0.0.0/11 88.202.124.0/27 89.141.0.0/17 91.142.208.0/20 147.83.0.0/16 147.96.0.0/16 193.252.22.0/24 195.53.0.0/16 195.55.0.0/16 212.121.224.0/19 213.4.0.0/16 213.194.128.0/18 213.194.144.0/20
# 193.252.22.0/24 = orange.fr, in Paris, France. Constant 419 scams coming from their email servers!
# Costa Rica exceptions:
allow from 196.40.0.0/18 196.40.64.0/19
# 2009 Nigerian/African ISP additions/subtractions below:
# Jan 23: Removed 80.255.59.0/24 and replaced it with 80.255.59.232/29 and 80.255.59.240/29 to finetune block to just Nigeria
# Jan 26: Added 41.205.0.0/19 in Cameroon, used by Nigerian 419 scammers against a dating forum
# Feb 1: Added 41.208.48.0/24 in South Africa, after repetitive 419 scams
# Mar 8: Added 41.215.160.0/20 in Ghana for 419 scams
# Mar 11: Added 78.138.32.32/27 ipmath.com and SkyVision, in Nigeria
# Mar 26: Added 41.221.160.0/20 Swift Network in Nigeria
# Mar 26: Expanded CIDR 41.208.48.0/24 to 41.208.48.0/23, after tracing 419 scam email
# Mar 31: Added 41.202.192.0/19 in Cameroon, for 419 scamming
# Apr 8: Added 147.96.0.0/16 in Spain, due to 419 lottery scams
# Apr 11: Added 81.202.0.0/15 in Spain, for spamming
# Apr 19: Added 196.212.0.0/14 is.co.za, in Johannesburg, South Africa, due to 419 scammers
# May 1: Added 82.196.0.0/19 in France, due to 419 scams
# May 2: Added 41.184.0.0/16 in Nigeria
# May 12: Added 196.46.240.0/21 vmobile-nigeria.com, for scamming
# May 18: Added 80.24.0.0/16 in Spain, for server exploit attacks
# May 19: Added 82.90.0.0/15 in Italy, for spamming
# May 23: Added 81.45.0.0/16 in Spain, for spamming
# May 28: Added 41.190.88.0/22 in Ghana, for scamming
# May 30: Added 41.191.108.0/22 Suburban Telecom in Abuja, Nigeria
# May 31: Added 41.210.192.0/18 Angola, for scam emails
# June 2: Added 83.54.0.0/16 in Spain, due to Nigerian 419 scammers operating in Spain
# June 23: Added 82.63.128.0/18 Italy - Interbusiness.it, for spamming
# June 25: Added 41.222.0.0/21 in Uganda (main blocklist)
# July 2: Added 91.142.208.0/20 in Madrid, Spain, for spamming
# July 9: Added 41.189.0.0/19 in Nigeria, for spamming forums
# July 9: Added 41.205.64.0/19 in Cameroon, for spamming forums
# July 10: Added 41.218.192.0/18 in Ghana, for spamming
# July 13: Added 41.191.84.0/22 in Benin, for 419 scammers
# July 19: Added 195.55.0.0/16 in Spain, due to Nigerian 419 scammers
# July 22: Added 41.26.0.0/16 in Johannesburg, Gauteng, South Africa, due to 419 scammers
# Aug 12: Added 78.138.8.8/29 in Nigeria
# Sept 25: Added 41.194.52.0/22 Cobranet in Nigeria
# Sept 26: Added 41.222.192.0/22 in Benin, due to 419 scammers
# Sept 28: Added 65.120.57.51 Netcomng in Nigeria. Used by loan spam sender. CIDR added below on 12/25/2009
# Oct 20: Added 79.170.90.0/24 to the Amsterdam, The Netherlands blocklist, due to 419 scammers
# Oct 20: Added 78.138.3.200/29 78.138.3.208/28 78.138.3.224/28 in Nigeria, for the usual 419 scams
# Oct 24: Added 194.60.207.0/24 - XL-IS, to the Netherlands blocklist, due to 419 scammers using it.
# Nov 14: Added 78.138.33.144/29 - Ipmath in Abuja, Nigeria. This is leased from sky-vision.net satellite service
# Nov 19: Added 41.28.0.0/16 - Vodacom - under the category: "Johannesburg, Gauteng, South Africa"
# Nov 23: Added 41.138.160.0/19 - VisaFone Communications, in Lagos, Nigeria, for 419 scams
# Dec 16: Added 212.52.128.0/19 - Burkina Faso Onatel - for 419 scams
# Dec 25: Expanded a NetcomNG (Nigeria) CIDR to 65.120.56.0/21 due to numerous 419 scams from those IPs
##### 2010
# Jan 5: 41.112.0.0/12 Johannesburg - lottery and 419 scammers
# Jan 10: 41.140.0.0/14 Morocco (New group) - 419 scammers
# End Nigerian/African blocklist
## BEGIN ASIAN BLACKLIST
# Chinese IP addresses follow:
deny from 58.17.0.0/16 58.20.0.0/16 58.21.0.0/16 58.22.0.0/15 58.37.0.0/16 58.38.0.0/16 58.56.0.0/15 58.58.0.0/16 58.59.0.0/17 58.60.0.0/14 58.82.0.0/15 58.208.0.0/12 58.246.0.0/15 58.248.0.0/13 59.32.0.0/13 59.40.0.0/15 59.42.0.0/16 59.52.0.0/14 59.56.0.0/13 59.108.0.0/15 60.0.0.0/13 60.12.0.0/16 60.28.0.0/15 60.160.0.0/11 60.194.0.0/15 60.208.0.0/13 60.216.0.0/15 60.220.28.0/22 61.4.64.0/20 61.48.0.0/13 61.128.0.0/10 61.135.0.0/16 61.145.73.208/28 61.160.0.0/16 61.162.0.0/15 61.164.0.0/16 61.179.0.0/16 61.183.0.0/16 61.184.0.0/16 61.185.219.232/29 61.188.0.0/16 61.191.0.0/16 61.232.0.0/14 61.236.0.0/15 110.96.0.0/11 111.0.0.0/10 112.0.0.0/10 112.64.0.0/14 113.0.0.0/13 114.104.0.0/14 114.216.0.0/13 114.224.0.0/11 115.24.0.0/15 115.48.0.0/12 115.100.0.0/15 116.1.0.0/16 116.2.0.0/15 116.4.0.0/14 116.8.0.0/14 116.76.0.0/15 116.208.0.0/14 117.21.0.0/16 117.80.0.0/12 118.112.0.0/13 118.132.0.0/14 118.144.0.0/14 119.0.0.0/13 119.8.0.0/15 119.10.0.0/17 119.18.192.0/20 119.120.0.0/13 119.128.0.0/12 119.144.0.0/14 119.164.0.0/14 120.0.0.0/12 121.0.16.0/20 121.8.0.0/13 121.16.0.0/12 121.32.0.0/14 121.76.0.0/15 121.204.0.0/14 122.51.128.0/17 122.64.0.0/11 122.198.0.0/16 122.200.64.0/18 122.230.0.0/16 123.4.0.0/14 123.52.0.0/14 123.97.128.0/17 123.100.0.0/19 123.112.0.0/12 123.128.0.0/13 123.232.0.0/14 124.42.64.0/18 124.64.0.0/15 124.114.0.0/15 124.128.0.0/13 124.163.0.0/16 124.200.0.0/13 124.236.0.0/14 124.248.0.0/17 125.40.0.0/13 125.80.0.0/13 125.88.0.0/13 125.115.0.0/16 159.226.0.0/16 202.66.0.0/16 202.96.0.0/12 202.96.128.0/18 202.108.0.0/16 202.111.160.0/19 202.114.64.0/20 203.69.0.0/16 203.93.0.0/16 203.169.160.0/19 210.5.0.0/19 210.14.128.0/19 210.21.0.0/16 210.51.0.0/16 210.52.0.0/15 210.192.96.0/19 211.76.96.0/20 211.78.208.0/20 211.90.0.0/15 211.136.0.0/13 211.144.12.0/22 211.144.160.0/20 211.147.208.0/20 211.152.14.0/24 211.154.128.0/19 211.155.24.0/22 211.157.32.0/19 211.160.0.0/13 211.233.70.0/24 218.0.0.0/11 218.56.0.0/13 218.64.0.0/11 218.96.0.0/14 
deny from 218.102.0.0/16 218.104.0.0/14 218.194.80.0/20 218.240.0.0/13 219.128.0.0/11 219.232.0.0/19 219.154.0.0/15 220.160.0.0/11 220.181.0.0/16 220.192.0.0/12 220.228.70.0/24 220.248.0.0/14 220.250.0.0/19 220.252.0.0/16 221.0.0.0/12 221.122.0.0/15 221.176.0.0/13 221.192.0.0/14 221.200.0.0/14 221.208.0.0/14 221.212.0.0/16 221.214.0.0/15 221.216.0.0/13 221.224.0.0/13 221.228.0.0/14 221.238.0.0/15 222.32.0.0/11 222.64.0.0/12 222.80.0.0/12 222.132.0.0/14 222.136.0.0/13 222.166.0.0/16 222.168.0.0/13 222.172.222.0/24 222.176.0.0/13 222.184.0.0/13 222.241.0.0/19
# Hong Kong
deny from 58.65.232.0/21 59.148.0.0/15 123.242.229.0/24 202.69.64.0/19 202.85.128.0/19 202.133.8.0/21 210.176.0.0/19 210.176.48.0/20 210.176.64.0/18 210.176.128.0/17 210.177.0.0/16 218.103.0.0/16 218.252.0.0/14 219.76.0.0/14 222.166.0.0/16
# India and Pakistan
deny from 59.88.0.0/15 59.176.0.0/13 59.184.0.0/15 61.247.238.0/24 115.108.0.0/14 115.240.0.0/12 117.192.0.0/10 193.53.87.0/24 121.240.0.0/13 122.160.0.0/16 122.167.0.0/16 202.154.224.0/24 203.115.80.0/20 203.197.0.0/16 218.248.0.0/20
# Japan (hacking, scraping, or spamming)
deny from 59.146.0.0/15 118.13.128.0/17 118.86.0.0/15 122.208.0.0/12 123.216.0.0/13 150.70.84.41 210.248.0.0/13 218.225.179.0/24 219.94.128.0/17 219.96.0.0/11 221.121.160.0/20 222.144.0.0/13
# Korea IP addresses follow:
deny from 58.72.0.0/13 58.140.0.0/14 58.148.0.0/14 58.180.40.0/21 58.224.0.0/12 59.0.0.0/11 59.86.192.0/18 59.186.0.0/15 61.72.0.0/14 61.76.0.0/15 61.96.0.0/12 61.110.16.0/20 61.248.0.0/13 110.8.0.0/12 110.45.0.0/16 113.30.64.0/18 114.108.128.0/18 115.0.0.0/12 115.16.0.0/13 115.40.0.0/15 115.88.0.0/13 116.40.0.0/16 116.45.176.0/20 116.93.192.0/19 116.120.0.0/13 117.110.0.0/15 118.32.0.0/11 118.128.0.0/14 118.220.16.0/20 121.128.0.0/10 121.254.0.0/16 122.44.112.0/20 122.99.128.0/17 123.111.0.0/16 123.140.0.0/14 124.0.0.0/15 124.50.87.161 125.128.0.0/11 125.176.0.0/12 125.240.0.0/13 125.248.0.0/14 143.248.0.0/16 168.188.0.0/16 202.30.0.0/15 202.133.16.0/20 202.179.176.0/21 203.226.0.0/15 203.228.0.0/14 210.93.0.0/16 210.94.0.0/15 210.112.0.0/16 210.117.128.0/18 210.118.216.192/26 210.124.0.0/14 210.178.0.0/15 210.180.0.0/15 210.204.0.0/15 210.219.0.0/16 210.220.0.0/14 211.32.0.0/12 211.48.0.0/15 211.50.0.0/15 211.62.35.0/24 211.104.0.0/13 211.112.0.0/13 211.168.0.0/13 211.176.0.0/12 211.192.0.0/13 211.202.0.0/16 211.211.36.0/23 211.216.0.0/13 211.224.0.0/13 211.232.0.0/13 211.240.0.0/12 218.36.0.0/14 218.144.0.0/12 218.232.0.0/15 218.234.18.0/24 219.240.0.0/15 219.248.0.0/13 219.250.88.0/21 220.72.0.0/13 220.80.0.0/13 220.95.88.0/24 220.118.0.0/16 220.119.0.0/16 221.128.0.0/12 221.144.0.0/12 221.160.0.0/13 221.168.0.0/16 221.163.46.0/24 222.96.0.0/12 222.112.0.0/13 222.120.0.0/15 222.122.0.0/16 222.231.0.0/18 222.232.0.0/13
# Yahoo-Korea (provides free email services used by some spammers)
deny from 123.0.0.0/20
# Neighboring Asian countries:
# Malaysia
deny from 60.48.0.0/14 60.52.0.0/15 60.54.0.0/16 112.137.160.0/20 115.132.0.0/14 116.206.0.0/16 120.140.0.0/15 124.82.0.0/16 124.217.224.0/19 202.58.80.0/20 202.71.96.0/20 202.75.32.0/19 203.223.128.0/19 210.187.49.0/25 218.111.0.0/16 218.208.12.64/27
## END ASIAN BLACKLIST
## BEGIN EUROPEAN BLACKLIST
# Russia, Ukraine, Bulgaria, Czech Republic, Romania, Latvia, Estonia, Kazakstan, Moldavia/Moldova, Poland, Serbia, Siberia, Slovakia, Slovenia
deny from 62.16.96.0/19 62.64.64.0/18 62.69.0.0/19 62.76.126.0/24 62.85.0.0/17 62.133.128.0/19 62.141.64.0/18 62.168.224.0/19 62.182.104.0/21 62.213.64.0/18 62.233.142.0/26 70.85.189.224/29 77.37.128.0/17 77.41.0.0/17 77.43.128.0/17 77.45.128.0/17 77.51.0.0/18 77.51.64.0/18 77.75.8.0/21 77.79.244.0/22 77.87.152.0/21 77.88.0.0/18 77.91.224.0/21 77.94.124.0/22 77.120.0.0/14 77.221.128.0/19 77.222.128.0/19 77.233.160.0/19 77.234.0.0/19 77.234.192.0/19 77.244.208.0/20 78.26.128.0/18 78.36.0.0/15 78.85.0.0/16 78.96.0.0/15 78.106.0.0/15 78.108.176.0/20 78.109.16.0/20 78.110.48.0/20 78.110.160.0/20 78.129.128.0/17 78.157.128.0/19 79.98.208.0/21 79.99.216.0/21 79.111.0.0/16 79.120.0.0/17 79.126.0.0/18 79.136.128.0/17 79.139.128.0/17 79.140.64.0/20 79.140.160.0/20 80.48.0.0/13 80.71.240.0/20 80.73.64.0/21 80.77.80.0/24 80.82.160.0/20 80.85.176.0/20 80.86.96.0/19 80.86.240.0/21 80.91.160.0/19 80.93.48.0/21 80.233.128.0/17 80.235.0.0/17 81.5.96.0/20 81.9.0.0/20 81.16.80.0/20 81.19.64.0/19 81.21.0.0/20 81.30.176.0/20 81.88.208.0/20 81.89.112.0/20 81.90.224.0/20 81.94.32.0/20 81.95.144.0/20 81.176.0.0/15 81.181.16.0/22 81.195.0.0/16 81.196.0.0/16 81.200.0.0/20 81.222.128.0/20 82.76.0.0/14 82.103.64.0/18 82.114.224.0/19 82.138.6.128/25 82.138.32.0/19 82.140.64.0/18 82.144.192.0/19 82.146.56.0/21 82.151.112.0/21 82.160.203.0/24 82.179.0.0/16 82.199.96.0/19 82.204.128.0/17 83.19.145.232/29 83.102.128.0/17 83.148.64.0/18 83.166.192.0/19 83.167.96.0/19 83.170.192.0/18 83.174.192.0/18 83.219.129.0/24 83.222.0.0/19 83.222.160.0/19 83.222.192.0/19 83.229.128.0/17 83.237.0.0/16 84.17.0.0/19 84.21.64.0/19 84.51.64.0/19 84.253.64.0/18 85.14.35.0/24 85.21.0.0/16 85.29.192.0/18 85.90.192.0/19 85.93.32.0/19 85.93.128.0/19 85.94.0.0/19 85.94.32.0/19 85.112.112.0/20 85.113.128.0/19 85.121.180.0/23 85.140.0.0/15 85.142.0.0/15 85.192.60.0/23 85.204.24.0/23 85.207.0.0/16 85.249.0.0/16 85.255.0.0/20 85.255.112.0/20 86.34.0.0/16 86.35.0.0/21 86.35.128.0/17 86.55.120.0/22 86.57.128.0/17 
deny from 86.125.88.0/21 86.127.19.0/24 87.99.64.0/19 87.103.192.0/20 87.103.208.0/20 87.110.0.0/16 87.117.0.0/18 87.118.128.0/18 87.119.224.0/19 87.120.16.0/20 87.204.0.0/15 87.226.0.0/17 87.242.116.0/23 87.248.160.0/19 87.251.128.0/19 87.253.192.0/19 88.81.248.0/21 88.147.128.0/17 88.200.128.0/17 88.201.128.0/17 88.205.128.0/17 88.212.192.0/18 89.20.128.0/19 89.21.128.0/19 89.28.0.0/17 89.32.152.0/21 89.33.72.0/21 89.35.64.0/21 89.37.144.0/21 89.38.112.0/20 89.38.128.0/21 89.41.176.0/20 89.44.142.0/23 89.104.64.0/19 89.106.96.0/19 89.108.64.0/19 89.108.120.0/22 89.109.0.0/18 89.110.0.0/18 89.110.64.0/18 89.111.160.0/20 89.111.176.0/20 89.113.72.0/21 89.114.54.0/23 89.121.128.0/17 89.122.0.0/16 89.123.0.0/16 89.136.0.0/15 89.149.0.0/17 89.165.128.0/17 89.175.0.0/16 89.178.0.0/15 89.186.0.0/19 89.187.48.0/23 89.187.128.0/19 89.190.224.0/19 89.208.160.0/19 89.212.64.0/18 89.218.0.0/16 89.222.128.0/17 89.223.0.0/17 89.239.128.0/18 89.251.96.0/20 89.253.0.0/18 90.150.112.0/20 90.150.128.0/20 90.151.128.0/20 90.156.128.0/17 90.176.0.0/13 91.76.0.0/14 91.122.0.0/16 91.123.0.0/19 91.124.0.0/16 91.135.192.0/22 91.143.160.0/20 91.149.157.0/24 91.149.180.0/24 91.189.80.0/21 91.189.128.0/21 91.191.64.0/18 91.192.68.0/22 91.193.140.0/22 91.194.10.0/23 91.197.128.0/22 91.200.228.0/22 91.200.232.0/22 91.203.4.0/22 91.203.92.0/22 91.205.124.0/22 91.206.200.0/23 91.206.226.0/23 91.207.4.0/22 91.207.60.0/23 91.208.228.0/24 91.211.64.0/22 91.211.68.0/22 91.212.41.0/24 91.212.65.0/24 91.212.198.0/24 91.212.226.0/24 91.213.33.0/24 91.213.121.0/24 92.36.0.0/17 92.46.0.0/15 92.48.126.128/25 92.48.201.0/26 92.50.128.0/18 92.53.104.0/22 92.80.0.0/14 92.82.0.0/16 92.83.0.0/16 92.84.0.0/16 92.112.0.0/15 92.114.128.0/17 92.124.0.0/14 92.241.160.0/19 92.244.224.0/19 92.255.0.0/16 93.80.0.0/15 93.84.0.0/15 93.86.0.0/15 93.92.32.0/21 93.99.0.0/16 93.113.27.0/24 93.120.128.0/18 93.159.0.0/18 94.25.0.0/17 94.26.0.0/17 94.50.0.0/15 94.73.192.0/18 94.79.0.0/18 94.100.181.128/25 94.103.80.0/20 94.176.96.0/24
deny from 94.178.0.0/15 94.188.0.0/17 94.189.128.0/17 94.229.65.160/27 94.230.0.0/20 94.247.0.0/21 95.24.0.0/13 95.52.0.0/14 95.64.128.0/17 95.108.128.0/17 95.132.0.0/14 95.168.160.0/19 95.188.0.0/14 141.85.0.0/16 158.197.0.0/16 160.99.0.0/16 188.24.0.0/14 188.120.32.0/20 188.131.0.0/17 192.129.3.0/24 193.19.244.0/22 193.25.112.0/23 193.37.138.0/24 193.37.156.0/23 193.39.113.0/24 193.47.166.0/24 193.77.64.0/18 193.108.38.0/23 193.108.248.0/22 193.178.144.0/22 193.178.228.0/23 193.200.50.0/23 193.223.101.0/24 193.227.226.0/23 193.230.232.0/24 193.238.128.0/22 194.0.88.0/22 194.29.60.0/22 194.44.36.0/24 194.85.88.0/21 194.85.128.0/19 194.102.114.0/24 194.114.144.0/22 194.160.0.0/16 194.176.176.0/24 194.181.0.0/16 194.186.0.0/16 194.187.108.0/22 195.2.96.0/19 195.2.240.0/23 195.2.252.0/23 195.3.148.0/22 195.5.116.0/23 195.28.32.0/19 195.34.224.0/19 195.42.160.0/19 195.60.174.0/23 195.88.32.0/23 195.93.218.0/23 195.93.218.0/24 195.95.218.0/23 195.95.228.0/23 195.112.96.0/19 195.116.0.0/16 195.128.16.0/22 195.128.48.0/21 195.131.0.0/16 195.137.200.0/23 195.138.64.0/19 195.138.198.0/24 195.170.192.0/19 195.189.246.0/23 195.190.13.0/24 195.208.0.0/15 195.209.32.0/19 195.209.224.0/19 195.216.243.0/24 195.225.64.0/22 195.225.176.0/22 195.239.0.0/16 195.242.98.0/23 195.242.232.0/22 195.244.128.128/25 195.245.112.0/23 195.245.208.0/24 204.9.184.0/21 212.1.224.0/19 212.9.224.0/19 212.24.32.0/19 212.33.224.0/19 212.44.64.0/20 212.44.80.0/22 212.44.128.0/19 212.58.192.0/19 212.92.128.0/18 212.96.160.0/19 212.118.32.0/19 212.158.160.0/20 213.25.0.0/16 213.35.224.0/23 213.91.128.0/17 213.140.96.0/19 213.141.128.0/19 213.142.192.0/19 213.154.192.0/19 213.156.192.0/24 213.170.64.0/19 213.186.192.0/19 213.215.64.0/18 213.233.101.0/24 213.242.12.0/22 213.248.0.0/18 217.12.112.0/20 217.12.240.0/20 217.16.16.0/20 217.18.240.0/20 217.20.160.0/20 217.23.128.0/19 217.27.144.0/20 217.28.208.0/21 217.65.208.0/20 217.67.16.0/20 217.77.208.0/20 217.106.0.0/15 217.114.224.0/20 217.146.240.0/20
deny from 217.147.0.0/19 217.149.240.0/20 217.173.64.0/20 217.174.96.0/20 217.197.240.0/20
# Turkey: web hosts and Turk Telekom customers - scammers, spammers, phishing websites and server script exploiters:
deny from 77.79.64.0/18 78.160.0.0/11 79.135.160.0/19 81.213.0.0/16 81.214.0.0/16 81.215.0.0/16 82.222.0.0/16 84.51.0.0/18 85.96.0.0/12 88.226.0.0/16 88.229.0.0/16 88.231.0.0/16 88.232.0.0/16 88.233.0.0/16 88.234.0.0/16 88.238.0.0/16 88.239.0.0/17 88.241.128.0/17 88.243.0.0/17 88.245.0.0/16 88.247.128.0/17 88.248.0.0/13 89.106.0.0/19 89.113.72.0/21 92.63.0.0/20 93.187.200.0/21 94.78.64.0/18 160.75.0.0/16 188.3.0.0/16 194.27.48.0/23 195.155.0.0/16 195.174.0.0/15 195.175.0.0/17 212.15.0.0/19 212.95.40.0/23 212.174.113.0/24 212.175.0.0/16
# German ISPs used by hackers and spammers including 1&1internet DE and Schlund & Partners
deny from 77.176.0.0/12 85.214.0.0/16
## END EUROPEAN BLACKLIST
# Add other blocked domain names or IP addresses here, starting with "deny from " without quotes
# blacklist of various individual DDOS IPs 1-15-2010
deny from 172.158.3.2 200.3.181.76 187.152.160.92 141.223.129.69 190.59.118.54
#deny from 120.60.0.0/19 95.56.59.0/19 61.6.202.0/19 218.186.8.0/19 195.229.235.0/19 218.186.8.0/19 195.229.235.0/19 195.229.235.0/19 209.94.196.0/19 192.100.176.0/19 61.0.0.0/19 115.0.0.0/19 78.0.0.0/19 80.0.0.0/19 116.0.0.0/19 188.0.0.0/19 217.0.0.0/19 196.0.0.0/19 118.0.0.0/19 86.0.0.0/19 63.0.0.0/19 93.0.0.0/19 210.0.0.0/19 94.0.0.0/19 124.0.0.0/19 58.0.0.0/19 92.0.0.0/19 77.0.0.0/19 203.0.0.0/.255 85.0.0.0/19 41.0.0.0/19 88.0.0.0/19 220.0.0.0/19 202.0.0.0/19 60.0.0.0/19 141.223.129.0/19 122.0.0.0/19 190.59.118.0/19 119.0.0.0/19 186.0.0.0/19 110.0.0.0/19 187.152.160.0/19 200.3.181.0/19 83.0.0.0/19 87.0.0.0/19 201.0.0.0/19 189.0.0.0/19 168.243.0.0/19 140.109.0.0/19 125.0.0.0/19 121.0.0.0/19 117.0.0.0/19 114.0.0.0/19 59.0.0.0/19 
# If you find that you need to poke a hole in the blocklist, for legitimate visitors, follow this example: allow from 123.456.789.0
# Real life example: Some forums have legitimate DSL customers in Mauritius, which is blocked by 196.0.0.0/9, in my blocklist.
# To allow 8192 of these folks in Mauritius, just add the following directive:
allow from 196.27.64.0/19
# Add "allow from" IP addresses, or CIDR Ranges, AFTER all of the "deny from" items, just before the closing Files tag.
#Overseas employee1 example
allow from 213.108.47.0/19
#Overseas employee2 example
allow from 112.198.193.0/19
# Everything not included within these deny from ranges is PERMITTED by the allow portion of the directive.
 
# This prevents web browsers or spiders from seeing your .htaccess directives.
# It is scoped to the .htaccess file itself: a bare "deny from all" at directory level, under "order deny,allow", would refuse every visitor who is not in an "allow from" range above.
<Files .htaccess>
deny from all
</Files>
 
# End of .htaccess file

Note: add the code above into a .htaccess file and upload it to your root directory /public_html/

Source: http://joshua-mcclure.com/linux-ddos-defense-with-htaccess/
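An offline check for the access-control part of the file above, added here as an example in Python; it is not code from the original post or from the article it quotes. It parses `order`, `deny from` and `allow from` the way Apache 2.2's mod_authz_host documents them (Apache 2.4 only accepts these directives through mod_access_compat; the native 2.4 form is `Require`) and settles the questions worth answering before uploading: which probe addresses get in, which `allow from` entries overlap no deny range and therefore change nothing under `order deny,allow`, whether a `deny from all` outside a `<Files>` container would refuse every unlisted visitor, and what an entry with host bits set, such as `213.108.47.0/19`, really covers once the mask is applied. The .htaccess text inside it is a constructed, abbreviated stand-in for the posted list.

```python
"""Offline checker for Apache 2.2-style access control directives
(order / deny from / allow from) as used in the posted .htaccess.
Added example, not code from the original post; directive semantics
follow Apache's documented mod_authz_host behaviour, and the sample
.htaccess text is constructed for illustration."""
import ipaddress
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, ipaddress.IPv4Network]   # (token as written, parsed network)

# Constructed, abbreviated stand-in for the posted file (sample input).
SAMPLE_HTACCESS = """\
order deny,allow
deny from 41.202.0.0/17 196.0.0.0/16 196.128.0.0/10
# Costa Rica exceptions:
allow from 196.40.0.0/18
# "overseas employee" style entry with host bits set
allow from 213.108.47.0/19
deny from 172.158.3.2
# protects the file itself, and only the file, because it is scoped
<Files .htaccess>
deny from all
</Files>
"""

# Same list with the final deny from all left unscoped (the lockout case).
SAMPLE_LOCKOUT = SAMPLE_HTACCESS.replace("<Files .htaccess>\n", "").replace("</Files>\n", "")


def parse_htaccess(text: str) -> Tuple[str, List[Rule], List[Rule]]:
    """Return (order, deny_rules, allow_rules) for directory-scope directives.
    Rules inside a <Files ...> container govern only those files and are
    skipped; unrelated directives (RewriteRule etc.) are ignored."""
    order, deny, allow = "deny,allow", [], []
    in_files = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<files\b", line, re.I):
            in_files = True
            continue
        if re.match(r"</files>", line, re.I):
            in_files = False
            continue
        if in_files:
            continue
        m = re.match(r"(order|deny|allow)\s+(?:from\s+)?(.+)$", line, re.I)
        if not m:
            continue
        kind, args = m.group(1).lower(), m.group(2).strip()
        if kind == "order":
            order = args.replace(" ", "").lower()
            continue
        for token in args.split():
            if token.lower() == "all":
                net = ipaddress.IPv4Network("0.0.0.0/0")
            else:
                # strict=False mirrors Apache: host bits are masked away, so
                # 213.108.47.0/19 is really the range 213.108.32.0/19
                net = ipaddress.IPv4Network(token, strict=False)
            (deny if kind == "deny" else allow).append((token, net))
    return order, deny, allow


def is_allowed(ip: str, order: str, deny: List[Rule], allow: List[Rule]) -> bool:
    """Apply Apache's documented evaluation order for one client address."""
    addr = ipaddress.IPv4Address(ip)
    denied = any(addr in net for _, net in deny)
    allowed = any(addr in net for _, net in allow)
    if order == "deny,allow":      # default permit; a matching allow overrides deny
        return allowed or not denied
    if order == "allow,deny":      # default refuse; a matching deny overrides allow
        return allowed and not denied
    raise ValueError(f"unsupported order: {order}")


def noop_allows(deny: List[Rule], allow: List[Rule]) -> List[str]:
    """Under deny,allow an allow entry overlapping no deny entry changes nothing."""
    return [tok for tok, a in allow if not any(a.overlaps(d) for _, d in deny)]


def audit(text: str, probes: List[str]) -> Dict[str, object]:
    """Per-probe verdicts, no-op allow entries, and whether an unscoped
    'deny from all' would refuse every visitor not in an allow range."""
    order, deny, allow = parse_htaccess(text)
    return {
        "order": order,
        "verdicts": {ip: is_allowed(ip, order, deny, allow) for ip in probes},
        "noop_allows": noop_allows(deny, allow),
        "refuses_unlisted": order == "deny,allow"
        and any(d.prefixlen == 0 for _, d in deny),
    }


if __name__ == "__main__":
    probes = ["8.8.8.8", "41.202.5.5", "196.40.1.1", "213.108.40.7"]
    for name, text in (("scoped", SAMPLE_HTACCESS), ("unscoped", SAMPLE_LOCKOUT)):
        print(name, audit(text, probes))
```

To check the real file, pass its contents to `audit()` together with a few addresses you must never lock out (your office, your monitoring host). The checker sees only the access-control directives, so a syntax error elsewhere in the file still surfaces the way the article warns: browse to the site after uploading.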
 
21 comments
I agree with Krun!x

DDoS attacks usually target the server's shared IP address if the person knows what they are doing.
 
This thread fails, l0cal. A DDoS attack is usually on the server level. Your webserver is neither involved, nor can it do anything to mitigate it. If you're going to mitigate a DDoS attack, you need to drop packets originating from the abusing IP addresses.
 
To be honest, this is bullshit; it won't mitigate a DDoS attack. Here's why:

Basically, in a DDoS attack, you have the attacker, who has a whole range of 'bots' in his 'botnet'. Basically these bots are everyday computers; heck, your computer could be a bot in a botnet if you aren't too careful with security. Then what happens is the attacker commands his 'bots' to target a site and to continually make requests to it, hence flooding it and either taking it out or slowing it down because of the amount of traffic it's receiving.

So, the attack comes from just about any PC, anywhere in the world. You can't mitigate it via .htaccess, unless you go and deny every IP address in the world.
 
This only defends against an HTTP flood to your site, but if the attacker DDoSes the IP then this does not work.

Many attackers do not attack the site but the IP address, so for it to work properly you must give all those IPs to the server admin for blocking.

But wtf, good share...
 
Attempting to filter a layer 7 flood AT layer 7 generally isn't very effective. You need to stop attack traffic -before- it makes it to your application/web server.
 
Actually thanks for bumping it, because I was just recently DDoS'd and here's a real solution. Credit goes to doxsters admins (one of them being tim up there) for basically telling me.

Add this into the .htaccess of the main page of your website.

Code:
AuthUserFile /home/pathto/.htpasswd
AuthType Basic
AuthName "Please enter XYZ as the user to enter"
require valid-user

and create a .htpasswd file somewhere with just XYZ in it. This will create a small login telling people to put XYZ into the user bar and nothing into the password, and validating. It will stop any GET flood (common ddos type by server) because they will be stuck because they can't validate and will just be stuck there.
Then you wait for the attacker to grow up and talk out problems, and you can remove it.

Also, you can use splitice's reverse dns to handle some of the ddos or just trick the attacker.

But of course the best way is to sign up for some real ddos protection from places like http://blacklotus.net/

I'll add anything if my ddos'r gets around this.
 
That method can help with smaller attacks, but if the attack's large enough, it'll still put extra overhead on the web server and cause it to bog down.
 

That mostly works on smaller attacks. Your web server is still doing processing(in a way, more than it should because of the HTTP authorization)

Yeah, either do what s019 said, or do a 301 redirect from your site to fbi.gov for the duration of the ddos attack ;)

9/10 programs I've seen that are used for DDoS attacks do not follow any HTTP headers. They connect, send, receive, close and start the process all over. (On a HTTP level) The only good this does is stop any other kind of processing by the web server. It's the same as issuing a bad request or unauthorized access reply.


------------

In my opinion, if you're forced to protect yourself from DDoS attacks on a software level, you're better off using a software firewall with strict rules. This prevents banned IP addresses or bad requests from getting through to your web server and creating a high CPU load and wasting precious bandwidth.

To further that, you can write some PHP code that will add rules to the firewall by detecting an attack on the PHP level.

If you opt not to use a firewall, simply use PHP's die function. It's an absolutely brilliant function:

PHP:
if($isDDoSAttack) die( '' );

Nothing but standard HTTP headers will be sent to the attacking machine. This is a significant difference than say a 404 not found because a 404 sends a lot more bytes than a blank page.

Why do bytes matter? Simply because a page that is 2KB in size that's attacked 200,000 times = 400,000kb (400megs). Eh, who cares about 400 megs? I do, because it's highly unlikely that the attack will stop there.

I once countered an attack with my above method, and the page was requested over 3 million times... in a few hours. Had that attack lasted say two days, the bandwidth would be maxed out quickly if I didn't cut the bandwidth use of an attacking IP by 75%.

-------------

All in all, software firewalls are useless for the most part if the attacker is a big boy. DDoS protection services are useful, but expensive and can slow your site down because of pings. Hardware firewalls(Cisco, mainly) are the best way to protect your server(s) in my opinion. They're pricey, but the integrity of your site is well worth it.


/long winded post
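The "detect at the PHP level, add rules to the firewall" idea from the post above, as an added example written in Python rather than PHP so that the examples on this page share one language; it is not the poster's code. It reads Apache combined-format access-log lines, counts each client's requests in a sliding ten-second window, and turns clients over an assumed threshold into `iptables -I INPUT -s <ip> -j DROP` commands, returned as strings rather than executed so the operator decides when to apply them. The log lines are constructed inline, the window and threshold are illustrative assumptions, an allowlist keeps your own monitoring or office address from being dropped by mistake, and the bytes served to each offender are totalled, which is the bandwidth argument the post makes.

```python
"""Find HTTP-flood sources in Apache combined-format access-log lines and
emit packet-level drop rules for them.  Added example, not the poster's
code; the log lines are constructed and the thresholds are illustrative."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def constructed_log() -> List[str]:
    """Sample input: one client firing 60 GETs in eight seconds, one normal visitor."""
    base = datetime(2010, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        t = base + timedelta(milliseconds=133 * i)
        lines.append(f'198.51.100.7 - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 2048 "-" "-"')
    for i in range(5):
        t = base + timedelta(seconds=30 * i)
        lines.append(f'203.0.113.5 - - [{t.strftime(TS_FMT)}] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


def parse_line(line: str) -> Optional[dict]:
    """Client address, timestamp and response size of one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }


def flood_sources(lines: Iterable[str], window: timedelta = timedelta(seconds=10),
                  max_requests: int = 20) -> Dict[str, Dict[str, int]]:
    """Clients whose peak request count inside any `window` exceeds max_requests.
    Returns {ip: {"peak": requests in the busiest window, "bytes": bytes served}}."""
    stamps, served = defaultdict(list), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            stamps[rec["ip"]].append(rec["ts"])
            served[rec["ip"]] += rec["bytes"]
    offenders = {}
    for ip, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            offenders[ip] = {"peak": peak, "bytes": served[ip]}
    return offenders


def drop_rules(offenders: Dict[str, Dict[str, int]],
               allowlist: Iterable[str] = ()) -> List[str]:
    """iptables commands that drop offenders before they reach the web server.
    Returned, not executed: review them or hand them to a cron job yourself."""
    keep = set(allowlist)
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip in sorted(offenders) if ip not in keep]


if __name__ == "__main__":
    found = flood_sources(constructed_log())
    for ip, info in found.items():
        print(f"{ip}: peak {info['peak']} requests per 10s, {info['bytes']} bytes served")
    print("\n".join(drop_rules(found, allowlist={"203.0.113.5"})))
```

Rules inserted this way drop the attacker's packets before Apache ever accepts the connection, which is the difference the thread keeps returning to: an HTTP-level answer, whether a 401, a blank `die('')` page or a 404, still costs a worker and some bytes per request. Pair the detector with an expiry (remove rules after an hour or so), or a DHCP-reassigned address you blocked today will be a legitimate customer next week.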
 