Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Block Referral Traffic

Discussion in 'Security' started by ASG, Oct 20, 2016.

  1. ASG

    ASG Member

    Joined:
    Jun 8, 2016
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    cPanel Access Level:
    Root Administrator
    I apologize if this thread is in the wrong forum, however, couldn't see a more relevant one for this thread.

    One of my sites has witnessed 8x increase in bandwidth utilization this month itself, all of which is referral spam, coming from - Removed -.

    We have tried blocking the referral http(s) traffic from the site's IP 43.224.xxx.xx by adding the following to .htaccess about a week back, however it hasn't seem to have any effect:

    deny from 43.224.xxx.xx​

    Thankfully, our site is on a dedicated server with no bandwidth constraints, on a normal VPS it would have exceeded the bandwidth by month-end.

    Is there any other way to block traffic originating from above site?
     

    Attached Files:

    • 1.PNG
      1.PNG
      File size:
      8.7 KB
      Views:
      10
    • 2.PNG
      2.PNG
      File size:
      28.2 KB
      Views:
      10
    #1 ASG, Oct 20, 2016
    Last edited by a moderator: Oct 20, 2016
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    568
    Likes Received:
    40
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,
    You can use the following code to deny access all traffic that originate from a particular domain (referrers)
    add this code in .htaccess file.
    ______________
    RewriteEngine on
    # Options +FollowSymlinks
    RewriteCond %{HTTP_REFERER} badsite\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} anotherbadsite\.com
    RewriteRule .* - [F]
    ______________
     
  3. cPLevey

    cPLevey Technical Analyst Supervisor
    Staff Member

    Joined:
    Dec 3, 2015
    Messages:
    44
    Likes Received:
    8
    Trophy Points:
    83
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Hey @ASG,

    cPanel's IP Blocker should help with what you're trying to do. Check out our documentation: IP Blocker
     
  4. ASG

    ASG Member

    Joined:
    Jun 8, 2016
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    cPanel Access Level:
    Root Administrator
    This seems to have worked, however the refferal traffic has come down by 2/3rds after modifying the .htaccess and not completely.

    I doubt IP blocking would work, since traffic could be coming from different IPs reffered by the specific links(probably the reason why IP blocking mentioned in the first post didn't work).

    Any ideas how to get rid of the traffic completely?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  6. ASG

    ASG Member

    Joined:
    Jun 8, 2016
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi Michael, we already have CSF installed on the server. Also, this has gotten worse in the last 2 days - with over 30 gigs in bandwidth getting consumed.

    However the problem with CSF is, it is largely an IP based solution. Please look at the attachment(which is from last 4-5 minutes), the traffic is coming from all sorts of IPs, and I've spent last 20 minutes, banning at least 50 different IPs in CSF. Managing CSF is not humanly possible in such a scenario.

    This "spam attack" is happening as I write this, and neither CSF nor .htaccess method has been able to offer 100% security from such a distributed attack. There are lot of denials happening due to .htaccess method, however, an equal number is managing to get through. This is very similar to a DDOS attack, only through referral spam.

    Is there no other way except to shut down the server?
     

    Attached Files:

  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You may want to consult with your upstream provider to see if they have any solutions for this type of attack. There's a third-party URL here as well that you may find helpful:

    Apache getting DDoS

    Thank you.
     
  8. danielpmc

    danielpmc Well-Known Member

    Joined:
    Nov 3, 2016
    Messages:
    64
    Likes Received:
    28
    Trophy Points:
    18
    Location:
    Gainesville, Florida
    cPanel Access Level:
    Reseller Owner
    Hello,

    I use a htaccess whitelist to allow only what traffic I want to visit my domain. By doing this, it will block anything that does not match the rules. It will significantly reduce your bandwidth from bots and hackers using python requests, lib/ and other codes.

    As far as Configserver is concerned you can change the Firewall Profles to block_all_perm. This will block all IPs that hit your Apache server in a malicious manner. WARNING: You must check your Firewall Deny IPs DAILY and review the IPs that have ben automatically added by Configserver. Keep in mind that once a certain amount of IPs have been added to Firewall Deny the oldest IP will be removed to make room for more.

    Hope this helps you out.

    Code:
    Order Deny,Allow
    Deny from all
    #Allows cPanelAutossl/Softaculous
    SetEnvIfNoCase User-Agent .*hec.* good_bot
    SetEnvIfNoCase User-Agent .*oftaculou.* good_bot
    SetEnvIfNoCase User-Agent .*omod.* good_bot
    SetEnvIfNoCase User-Agent .*pane.* good_bot
    SetEnvIfNoCase User-Agent .*utoss.* good_bot
    
    #Allows Safari
    SetEnvIfNoCase User-Agent .*afar.* good_bot
    
    #Allows Bing
    SetEnvIfNoCase User-Agent bing good_bot
    SetEnvIfNoCase User-Agent bing.* good_bot
    SetEnvIfNoCase User-Agent .*bing.* good_bot
    
    #Allows Microsoft Edge Browser
    SetEnvIfNoCase User-Agent edge good_bot
    SetEnvIfNoCase User-Agent edg.* good_bot
    SetEnvIfNoCase User-Agent .*edge.* good_bot
    
    #Allows Linux based browsers Konqueror, Seamonkey, Ubuntu
    SetEnvIfNoCase User-Agent .*inu.* good_bot
    
    #Allows Firefox
    SetEnvIfNoCase User-Agent .*ire.* good_bot
    
    #Allows Chrome
    SetEnvIfNoCase User-Agent .*hrom.* good_bot
    
    #Allows MSIE (Internet Explorer)
    SetEnvIfNoCase User-Agent msie good_bot
    SetEnvIfNoCase User-Agent msie.* good_bot
    SetEnvIfNoCase User-Agent .*msie.* good_bot
    
    #Allows Googlebot
    SetEnvIfNoCase User-Agent .*ooglebo.* good_bot
    
    #Allows Opera
    SetEnvIfNoCase User-Agent .*per.* good_bot
    Allow from env=good_bot
    Extra ules can be added according to each individuals needs such as:

    #Allows Facebook
    SetEnvIfNoCase User-Agent .*aceboo.* good_bot

    #Allows Pinterest
    SetEnvIfNoCase User-Agent .*interes.* good_bot

    #Allows Linkedin
    SetEnvIfNoCase User-Agent .*inkedi.* good_bot
    SetEnvIfNoCase User-Agent .*inked-i.* good_bot

    #Allows MySpace
    SetEnvIfNoCase User-Agent .*yspac.* good_bot

    You can add as many rules as you choose.
     
    #8 danielpmc, Nov 4, 2016
    Last edited by a moderator: Nov 9, 2016
    cPanelMichael likes this.
Loading...

Share This Page