  1.     
    #11
    Member
    Website's:
    Doxsters.net
    To be honest, this is bullshit, won't mitigate a ddos attack, here's why:

    Basically, in a ddos attack, you have the attacker, who has a whole range of 'bots' in his 'botnet'. Basically these bots are everyday computers, heck your computer could be a bot in a botnet if you aren't too careful with security. Then what happens, is the attacker commands his 'bots' to target a site, and to continually make requests to it, hence flooding it and either taking it out or slowing it down because of the amount of traffic it's receiving.

    So, the attack comes from just about any PC, anywhere in the world. You can't mitigate it via .htaccess, unless you go and deny every IP address in the world.

    Need a Designer/Web Developer? Click Me

    MSN: PM me for it.
    Email(Preferred):timtamboy63@gmail.com

    "Power Corrupts. Absolute Power Corrupts Absolutely"

  3.     
    #12
    Member
    Wonder who wrote the original post on the net ay!


  4.     
    #13
    Member
    Website's:
    Katzbb.com Foxmovie.co
    This only defends against an HTTP flood on your site, but if the attacker DDoSes the IP then this will not work.

    Many attackers do not attack the site but the IP address... then, for it to work fine, you must give that to the server admin for blocking all those IPs.

    but wtf good share...


  5.     
    #14
    Banned
    Website's:
    ddosdefend.com
    Attempting to filter a layer 7 flood AT layer 7 generally isn't very effective. You need to stop attack traffic -before- it makes it to your application/web server.

  6.     
    #15
    Banned
    Way to bump a thread that's hella old.

  7.     
    #16
    Banned
    Website's:
    ddosdefend.com
    I didn't know a thread with replies from around a month ago was all that old. Sorry.

  8.     
    #17
    Member
    Website's:
    Team-XPC.com
    Actually thanks for bumping it, because I was just recently DDoS'd and here's a real solution. Credit goes to doxsters admins (one of them being tim up there) for basically telling me.

    Add this into the .htaccess of the main page of your website.

    Code: 
    AuthUserFile /home/pathto/.htpasswd
    AuthType Basic
    AuthName "Please enter XYZ as the user to enter"
    require valid-user
    and create a .htpasswd file somewhere with just XYZ in it. This will create a small login telling people to put XYZ into the user bar and nothing into the password, and validating. It will stop any GET flood (common ddos type by server) because they will be stuck because they can't validate and will just be stuck there.
    Then you wait for the attacker to grow up and talk out problems, and you can remove it.

    Also, you can use splitice's reverse dns to handle some of the ddos or just trick the attacker.

    But of course the best way is to sign up for some real ddos protection from places like http://blacklotus.net/

    I'll add anything if my ddos'r gets around this.
    Bad Uploaders: mayank101, zer(0), UltimateUploader, immu, much more..

  9.     
    #18
    Banned
    Website's:
    ddosdefend.com
    That method can help with smaller attacks, but if the attack's large enough, it'll still put extra overhead on the web server and cause it to bog down.

  10.     
    #19
    Member
    Website's:
    Doxsters.net
    Yeah, either do what s019 said, or do a 301 redirect from your site to fbi.gov for the duration of the ddos attack

  11.     
    #20
    Member
    Quote Originally Posted by so19 View Post
    Actually thanks for bumping it, because I was just recently DDoS'd and here's a real solution. Credit goes to doxsters admins (one of them being tim up there) for basically telling me.

    Add this into the .htaccess of the main page of your website.

    Code: 
    AuthUserFile /home/pathto/.htpasswd
    AuthType Basic
    AuthName "Please enter XYZ as the user to enter"
    require valid-user
    and create a .htpasswd file somewhere with just XYZ in it. This will create a small login telling people to put XYZ into the user bar and nothing into the password, and validating. It will stop any GET flood (common ddos type by server) because they will be stuck because they can't validate and will just be stuck there.
    Then you wait for the attacker to grow up and talk out problems, and you can remove it.
    That mostly works on smaller attacks. Your web server is still doing processing (in a way, more than it should because of the HTTP authorization).

    Quote Originally Posted by timtamboy63 View Post
    Yeah, either do what s019 said, or do a 301 redirect from your site to fbi.gov for the duration of the ddos attack
    9/10 programs I've seen that are used for DDoS attacks do not follow any HTTP headers. They connect, send, receive, close and start the process all over. (On an HTTP level) The only good this does is stop any other kind of processing by the web server. It's the same as issuing a bad request or unauthorized access reply.


    ------------

    In my opinion, if you're forced to protect yourself from DDoS attacks on a software level, you're better off using a software firewall with strict rules. This prevents banned IP addresses or bad requests from getting through to your web server and creating a high CPU load and wasting precious bandwidth.

    To further that, you can write some PHP code that will add rules to the firewall by detecting an attack on the PHP level.

    If you opt not to use a firewall, simply use PHP's die function. It's an absolutely brilliant function:

    PHP Code: 
    if($isDDoSAttack) die( '' ); 
    Nothing but standard HTTP headers will be sent to the attacking machine. This is significantly different from, say, a 404 Not Found, because a 404 sends a lot more bytes than a blank page.

    Why do bytes matter? Simply because a page that is 2KB in size that's attacked 200,000 times = 400,000kb (400megs). Eh, who cares about 400 megs? I do, because it's highly unlikely that the attack will stop there.

    I once countered an attack with my above method, and the page was requested over 3 million times... in a few hours. Had that attack lasted say two days, the bandwidth would be maxed out quickly if I didn't cut the bandwidth use of an attacking IP by 75%.

    -------------

    All in all, software firewalls are useless for the most part if the attacker is a big boy. DDoS protection services are useful, but expensive and can slow your site down because of pings. Hardware firewalls (Cisco, mainly) are the best way to protect your server(s) in my opinion. They're pricey, but the integrity of your site is well worth it.


    /long winded post
    Coder for hire. I'm an experienced web developer with vast knowledge of PHP, HTML, CSS, MySQL, JavaScript, SEO, and web servers. I also write code for Windows programs with Visual Basic and C#.NET.

    All products are written quickly with efficiency, and security in mind.
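
The software-level approach discussed in post #20 (detect a per-IP request flood, then hand the offenders to a firewall), sketched as an added example that is not part of the original thread or any poster's code. The log lines are constructed, and the threshold of 5 requests per 10 seconds and the function names are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ \S+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def sample_log():
    """Constructed access-log lines (documentation IP ranges, made-up times)."""
    base = datetime(2012, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    hits = [("203.0.113.7", base + timedelta(milliseconds=500 * i)) for i in range(8)]
    hits += [("198.51.100.20", base + timedelta(seconds=30 * i)) for i in range(3)]
    lines = [f'{ip} - - [{t.strftime(TS_FORMAT)}] "GET / HTTP/1.1" 200 2048' for ip, t in hits]
    return lines + ["not a log line"]

def find_flooders(lines, max_requests=5, window=timedelta(seconds=10)):
    """Return client IPs with more than max_requests hits inside one window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore malformed lines instead of crashing
        ip, when = m.group(1), datetime.strptime(m.group(2), TS_FORMAT)
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop hits older than the window
        if len(q) > max_requests and ip not in flagged:
            flagged.append(ip)
    return flagged

def block_rules(ips):
    """Render firewall commands for review; nothing is executed here."""
    rules = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)   # raises ValueError on anything but an IP
        tool = "ip6tables" if addr.version == 6 else "iptables"
        rules.append(f"{tool} -I INPUT -s {addr} -j DROP")
    return rules

if __name__ == "__main__":
    for rule in block_rules(find_flooders(sample_log())):
        print(rule)
```

Parsing the address with `ipaddress` before building the rule keeps a crafted log field from ending up inside a firewall command.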
