
How can I block traffic by referrer?

acidbox

Guest
Our server is getting slammed daily by this Asian search engine. I don't know where it's coming from, but it's not even finding legitimate results.

It's gotten to the point where it's affecting the performance of our server because Apache is handling so many requests from this damn place, it's almost like a DoS attack.

The clients are all different, but the one thing in common is the referrer. Take a look at this error log:
[Tue Nov 29 16:06:53 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:53 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:54 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:54 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:54 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:54 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:55 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:55 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:56 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:56 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:57 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:57 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:57 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:57 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:58 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:58 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu
[Tue Nov 29 16:06:59 2005] [error] [client 61.178.86.54] File does not exist: /home/httpd/vhosts/default/htdocs/our1, referer: http://cache.baidu.com/c?word=%C8%C...27949%26goto%3Dnextnewset&b=0&a=13&user=baidu

Is there a way I can block access to the server by checking the referrer and block them if they come from that domain?

Thanks for the help.
 
mod_security - According to gotroot.com, their ruleset:
Comment spam rules

These rules exclusively block comment and referer spam. If you want to block spam on your server, then you should use these rules.
As of right now, their list is:
20051129-01: Web Application protection
20051129-01: Bad UserAgents blocking
20051129-01: Comment spam blacklist
20051129-01: Compromised/Hacker boxes blacklist
20051111-01: Anti-Proxy protection
20051111-01: Additional Apache 2.x rules
20051120-01: Known rootkits/worms
20050905-01: Rule Exclusions
20051129-01: Blacklist of known attackers/spammers


On most of our US servers, we do mod_security and block entire ranges of China (CN) and be done with it...
 
I'd like to do just that. I currently have mod_security 1.9 installed. Do you have any sample code or a good tutorial that covers how to do this?

Thanks!
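
One way to do what this thread asks at the Apache level, as an added example that is not part of any post here: match the Referer header and answer 403 before the request reaches a handler. The directory path comes from the error log above; the variable name blocked_referer and the regular expression are assumptions, and because Referer is client-supplied this only sheds load from clients that actually send it.

```apache
# Added example. Use EITHER the mod_setenvif form OR the mod_security form;
# both answer 403 for requests whose Referer host is baidu.com or a subdomain.

# --- Form 1: mod_setenvif + host access control (Apache 2.0 / 2.2) ---
# Anchor on the scheme and host so that a URL which merely contains
# "baidu.com" in its path or query string is not matched.
SetEnvIfNoCase Referer "^https?://([^/]+\.)?baidu\.com(/|:|$)" blocked_referer

<Directory "/home/httpd/vhosts">
    Order Allow,Deny
    Allow from all
    Deny from env=blocked_referer
</Directory>

# Apache 2.4 equivalent of the three access lines above:
#   <RequireAll>
#       Require all granted
#       Require not env blocked_referer
#   </RequireAll>

# --- Form 2: mod_security 1.x rule (the thread mentions version 1.9) ---
<IfModule mod_security.c>
    SecFilterEngine On
    # Inspect only the Referer request header; deny with 403 and log the hit
    # to the mod_security audit log.
    SecFilterSelective HTTP_REFERER "^https?://([^/]+\.)?baidu\.com(/|:|$)" "deny,log,status:403"
</IfModule>
```

After reloading Apache, a request sent with a matching Referer should return 403 and one sent without it should be served normally.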
 
With PHP

Rename your default web page to home.php
Edit new index.php below to suit.
function.f_sleep waits 999 seconds and the HTTP resource request will time out first.
This results in 0 bytes being transferred and elapsed time of whatever the network timeout is.
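<?php
// index.php: stall requests whose Referer contains a blocked string,
// otherwise redirect to the real home page.
include "function.f_sleep";
// The Referer header is optional, so default to an empty string.
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// strpos() returns false for "no match" and 0 for a match at the start,
// so compare with !== false rather than > 0.
if (strpos($ref, "insert referer string here") !== false) f_sleep("puts this line in new log file 'sleepers.txt' ");
if (strpos($ref, "sexshop") !== false) f_sleep("REFERER:sexshop");
// ...
header("Location: home.php");
exit;
?>

<?php
// function.f_sleep: log the request, then hold the connection open for 999 seconds.
function f_sleep($a) {
    sleepers($a);
    sleep(999);
    echo "<html><body>&nbsp;Hi.</body></html>";
    exit; // stop here so index.php does not go on to send the redirect
}

// Append one entry per stalled request to sleepers.txt.
function sleepers($a) {
    $tim = date('H:i:s');
    $dat = date('j F Y');
    // Array keys must be quoted strings; bare REMOTE_ADDR is an undefined constant.
    $ip = $_SERVER['REMOTE_ADDR'];
    $age = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $hostname = gethostbyaddr($ip);
    $fp = fopen("sleepers.txt", "a");
    fputs($fp, "\n $dat $tim $ip $hostname $a\n $age\n");
    fclose($fp);
}
?>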
 