How to block bad referer in reverse proxy mode

vlad
26 May 2014, 12:17
How to block bad referers like these in reverse proxy mode:
85.94.164.50 - - [14/Jul/2013:21:10:28 +0400] "GET / HTTP/1.1" 502 568 "2344.net" "Mozilla/6.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 3.5.30729)" "23sdf44fsw.net"
85.94.164.50 - - [14/Jul/2013:21:10:28 +0400] "GET / HTTP/1.1" 502 166 "23sd34fsw.net" "Opera/7.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0" "ssss333v.net"
195.78.247.11 - - [14/Jul/2013:21:10:28 +0400] "GET / HTTP/1.1" 502 166 "333444nnxxxss" "Mozilla/1.1 (Windows NT 6.1; U; ru)" "-"
195.78.247.11 - - [14/Jul/2013:21:10:28 +0400] "GET / HTTP/1.1" 502 166 "23sd334fsw.net" "Opera/8.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "34554345.com"
195.78.247.11 - - [14/Jul/2013:21:10:28 +0400] "GET /topic/7145/ HTTP/1.1" 502 166 "-" "Opera/7.0 (compatible; MSIE 5.01; Windows NT 5.0)" "-"

and
195.78.247.11 - - [14/Jul/2013:21:10:28 +0400] "GET / HTTP/1.1" 502 166 "http://23sd334fsw.net" "Opera/8.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://34554345.com"
85.94.164.50 - - [14/Jul/2013:21:10:28 +0400] "GET / HTTP/1.1" 502 166 "http://23sd34fsw.net" "Opera/7.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0" "http://ssss333v.net"


Hiawatha version: 1.45
Operating System: Debian 7
Hugo Leisink
26 May 2014, 14:09
You can't block based on referer for reverse proxy. You have to block those requests at the final webserver.
vlad
26 May 2014, 14:24
Please add this feature.
Hugo Leisink
26 May 2014, 14:27
Why do you want to block them? They pose no threat. Referer headers can be changed to whatever by an attacker so filtering them is pointless.
Vlad
26 May 2014, 14:37
This is the particular signature of a DDoS botnet.

In Nginx it is solved in two lines:
if ($http_referer !~* ^($|https?://) ) {  return 444;  }

and
# capture the host part of the Referer, then block hosts that contain two digits
set $ref_domain "";
if ($http_referer ~* "^https?://([^/]*)") {
    set $ref_domain $1;
}
if ($ref_domain ~ "\d.*\d") {
    return 444;
}

but I do not like Nginx
vlad
26 May 2014, 15:33
Part of the Hiawatha log:

46.118.213.89|Mon 26 May 2014 15:21:36 +0200|301|882||GET / HTTP/1.1|Host: www.hide|Keep-Alive: 300|Connection: keep-alive|User-Agent: Mozilla/3.0 (compatible; Fluffy the spider; http://www.searchhippo.com/; info@searchhippo.com) |Referer: cavm696.biz
178.152.36.108|Mon 26 May 2014 15:21:36 +0200|200|25896||GET / HTTP/1.1|Host: hide|Keep-Alive: 300|Connection: keep-alive|User-Agent: Mozilla/1.1 (compatible; MSPIE 2.0; Windows CE) |Referer: x99ypo.info
212.170.160.75|Mon 26 May 2014 15:21:36 +0200|200|25985||GET / HTTP/1.1|Host: hide|Keep-Alive: 300|Connection: keep-alive|User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5 |Referer: 8gvh19p81745v.net

178.124.200.135|Mon 26 May 2014 15:21:36 +0200|200|26020||GET / HTTP/1.1|Host: hide|Keep-Alive: 300|Connection: keep-alive|User-Agent: Mozilla/5.0 (compatible; iaskspider/1.0; MSIE 6.0) |Referer: hb4wx3n06hyw22.biz
46.118.213.89|Mon 26 May 2014 15:21:36 +0200|301|835||GET / HTTP/1.1|Host: www.hide|Keep-Alive: 300|Connection: keep-alive|User-Agent: Mozilla/5.0 (compatible; TridentSpider/3.1) |Referer: r40ov33o917.biz
91.214.131.48|Mon 26 May 2014 15:21:36 +0200|301|883||GET / HTTP/1.1|Host: www.hide|Keep-Alive: 300|Connection: keep-alive|User-Agent: Mozilla/2.0 (compatible; Ask Jeeves/Teoma; http://sp.ask.com/docs/about/tech_crawling.html) |Referer: ze8667flbt.info
46.118.213.89|Mon 26 May 2014 15:21:36 +0200|301|873||GET / HTTP/1.1|Host: www.hide|Keep-Alive: 300|Connection: keep-alive|User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Podtech Network; crawler_admin@ry6d4s6s884jfx.net) |Referer: 0l54507.biz
46.118.213.89|Mon 26 May 2014 15:21:36 +0200|301|826||GET / HTTP/1.1|Host: www.hide|Keep-Alive: 300|Connection: keep-alive|User-Agent: Mozilla/4.7 [en](Exabot@exava.com) |Referer: n68g95h0mtx.biz
46.118.213.89|Mon 26 May 2014 15:21:36 +0200|301|868||GET / HTTP/1.1|Host: www.hide|Keep-Alive: 300|Connection: keep-alive|User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Podtech Network; crawler_admin@411x6lcy.net) |Referer: 26616mo2.net
188.81.44.100|Mon 26 May 2014 15:21:36 +0200|301|862||GET / HTTP/1.1|Host: www.hide|Keep-Alive: 300|Connection: keep-alive|User-Agent: Mozilla/4.0 (compatible; www.linkguard.com Linkguard Online 1.0; Windows NT) |Referer: k797m.com
178.172.184.110|Mon 26 May 2014 15:21:36 +0200|200|26113||GET / HTTP/1.1|Host: hide|Keep-Alive: 300|Connection: keep-alive|User-Agent: Mozilla/3.0 (Liberate DTV 1.1) |Referer: 33114.ru

"hide" stands in place of the real address of the site.
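An added example (not from the thread or from Hiawatha) that runs the two rules from the Nginx snippet above over lines in the pipe-delimited layout of the Hiawatha log, so the hit rate of the signature can be checked against a log before anything is blocked; the log lines, addresses and hosts are constructed.

```python
import re

# Constructed sample lines (not real traffic) in the pipe-delimited layout of the
# Hiawatha access log quoted above: ip|date|status|bytes||request|Header: value|...
SAMPLE_LOG = """\
198.51.100.23|Mon 26 May 2014 15:21:36 +0200|301|882||GET / HTTP/1.1|Host: www.example|Keep-Alive: 300|Connection: keep-alive|User-Agent: Mozilla/3.0 (compatible; Fluffy the spider) |Referer: cavm696.biz
198.51.100.24|Mon 26 May 2014 15:21:40 +0200|200|25896||GET /topic/7145/ HTTP/1.1|Host: example|Connection: keep-alive|User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/29.0|Referer: https://www.example/
198.51.100.25|Mon 26 May 2014 15:21:41 +0200|200|25896||GET / HTTP/1.1|Host: example|Connection: keep-alive|User-Agent: Mozilla/5.0 (Windows NT 6.1)|Referer: http://8gvh19p81745v.net
198.51.100.26|Mon 26 May 2014 15:21:42 +0200|200|25896||GET / HTTP/1.1|Host: example|Connection: keep-alive|User-Agent: curl/7.26.0
"""

SCHEME_RE = re.compile(r"^https?://", re.I)           # rule 1: a Referer must carry a scheme
HOST_RE = re.compile(r"^https?://([^/:?#]*)", re.I)   # host part of the Referer
TWO_DIGITS_RE = re.compile(r"\d.*\d")                 # rule 2: two digits anywhere in the host

def parse_line(line):
    """Split one Hiawatha log line into (client ip, {header-name-lowercase: value})."""
    fields = line.rstrip("\n").split("|")
    headers = {}
    for field in fields[6:]:                # fields[5] is the request line, the rest are headers
        name, sep, value = field.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return fields[0], headers

def referer_verdict(referer):
    """Return 'ok' or the name of the rule the Referer trips (same logic as the Nginx snippet)."""
    if not referer:
        return "ok"                         # no Referer is normal browser behaviour
    if not SCHEME_RE.match(referer):
        return "no-scheme"
    host = HOST_RE.match(referer).group(1)
    # Caveat: an IP-literal referer such as http://192.0.2.1/ also trips this rule.
    if TWO_DIGITS_RE.search(host):
        return "digit-host"
    return "ok"

def flag_suspicious(log_text):
    """Return [(ip, referer, reason)] for every log line matching the signature."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, headers = parse_line(line)
        reason = referer_verdict(headers.get("referer"))
        if reason != "ok":
            hits.append((ip, headers.get("referer"), reason))
    return hits
```

Run it against a real Hiawatha log first: the digit rule is a heuristic, and the caveat in the code shows one legitimate case it would catch.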
Hugo Leisink
26 May 2014, 18:09
I will take a look at it for the v9.7 release.
This topic has been closed.