I am under DDoS with several search engines
Any idea how I can stop this?

```
198.x.x.x - - [04/Sep/2017:17:12:11 +0100] "GET / HTTP/1.0" 302 403 "google.com/results?search_query=i7j0O" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
198.x.x.x - - [04/Sep/2017:17:12:11 +0100] "GET / HTTP/1.0" 302 403 "google.com/results?search_query=eFvOwVu5U" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
198.x.x.x - - [04/Sep/2017:17:12:11 +0100] "GET / HTTP/1.0" 302 461 "bing.com/search?q=j1rLD" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
198.x.x.x - - [04/Sep/2017:17:12:11 +0100] "GET / HTTP/1.0" 302 403 "youtube.com/results?search_query=1kLPIe7" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
198.x.x.x - - [04/Sep/2017:17:12:11 +0100] "GET / HTTP/1.0" 302 403 "youtube.com/results?search_query=WBQbiA" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
198.x.x.x - - [04/Sep/2017:17:12:11 +0100] "GET / HTTP/1.0" 302 403 "yahoo.com/results?search_query=qCzCMam" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
```
I can’t ban that IP address 198.x.x.x because that is my proxy.
Answer
You should
- Configure your proxy to pass the real IP and have the backend server use the real IP instead.
You haven’t specified how your proxy is made, but since it’s passing the request, it should also pass the real IP. Then you have the power to ban the IP as well. To be more efficient, you should block at the proxy.
- Ban referrers based on regex.
The attacks you’re getting have clearly not-real referrers, but very consistent ones. You could set up a regex to ban requests that match such a referrer string.
For example `^google\.com\/results\?search_query\=\w{2,10}$` for the Google one and a few more for the rest.
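An added example, not part of the original answer: a dry run of referrer matching over access-log lines before any block is enforced. The combined pattern is an assumption that extends the answer's Google regex to the four referrer shapes in the question's log; the sample lines are constructed, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: the answer's Google pattern extended to the four referer shapes
# visible in the question's log. Anchored at both ends and scheme-less, so a
# browser-sent referer (which starts with http:// or https://) never matches.
FAKE_REFERER_RE = re.compile(
    r'^(?:(?:google|youtube|yahoo)\.com/results\?search_query=|bing\.com/search\?q=)'
    r'\w{2,10}$'
)

# Constructed sample lines modelled on the question's log (user agent shortened).
_PREFIX = '198.x.x.x - - [04/Sep/2017:17:12:11 +0100] "GET / HTTP/1.0" 302 403 '
SAMPLE_LOG = [
    _PREFIX + '"google.com/results?search_query=i7j0O" "Mozilla/5.0"',
    _PREFIX + '"bing.com/search?q=j1rLD" "Mozilla/5.0"',
    _PREFIX + '"youtube.com/results?search_query=1kLPIe7" "Mozilla/5.0"',
    _PREFIX + '"https://www.google.com/search?q=apache+rewrite" "Mozilla/5.0"',
    _PREFIX + '"-" "Mozilla/5.0"',
    _PREFIX + '"google.com/results?search_query=i7j0O&page=2" "Mozilla/5.0"',
    'truncated line without the expected fields',
]

def summarize(lines):
    """Count flagged requests per referer host, plus passed and unparsed lines."""
    flagged, passed, unparsed = Counter(), 0, 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            unparsed += 1          # never silently drop lines the parser misses
        elif FAKE_REFERER_RE.match(m.group("referer")):
            flagged[m.group("referer").split("/", 1)[0]] += 1
        else:
            passed += 1
    return {"flagged": dict(flagged), "passed": passed, "unparsed": unparsed}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running this over a real log first shows how many requests a referrer rule would reject and whether any legitimate traffic falls inside the pattern.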
Attribution
Source : Link , Question Author : user434090 , Answer Author : Grumpy