Safe to block POST request with no referers?

MediaServe

Well-Known Member
PartnerNOC
Apr 9, 2004
141
10
168
Dallas, Texas
cPanel Access Level
DataCenter Provider
With a LOT of clients using WordPress, we're getting hammered with brute force login activity that generates additional server load. Joomla use causes some as well, but not quite as bad (for now).

I was looking into using snort to combat this, but on CloudLinux 5 there are so many dependencies on libraries I can't get installed to get the latest snort source compiled. I think even if I did, I might have to do manual work to each wordpress site to get snort tracking the activity anyway. I'd rather have a global solution.

I've noticed that all the brute force traffic seems to have no referer. I can't think of a case where a legit POST request would have no referer. I've written a script that runs every minute via cron and checks all users' apache logs that have been modified in the last minute, and blackholes any IP that is POSTing, isn't local, and has no referer. (I could use mod_security for this, but this lets me blackhole the IP entirely from any access to the server.)

My concern is whether a legit POST with no referer is common. The RFC suggests it might be okay in some cases. The section covering POST requests has a final sentence that says "See section 15.1.3 for security considerations", which contains:

15.1.3 Encoding Sensitive Information in URI's

Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

In addition to blackholing immediately when finding a POST with no referer, I'm also checking for POST frequency to URIs with wp-login.php, wp-admin, /administrator/index.php, etc. when there is a referer, and blocking on heavy activity (with a threshold set high enough to hopefully not block legitimate traffic). I suppose if POST requests with no referer are common enough, I could stop the immediate block and instead perhaps include a heavier weight to those requests when deciding to block on frequency.

At any rate, I thought I'd pose this question and see what other folks think about the legitimacy of POST requests with no referer. Thanks in advance for any feedback you can provide!

MediaServe
Well, it didn't take too long to answer my own question after putting the system in place. FrontPage (unfortunately we still support it) POSTs with no referer when publishing via the extensions, and we had an instance of a customer's external script that POSTed data to his website get blocked. I had to tweak the code and use a weighted threshold where a POST with no referer gets an extra point (if no author.exe present to avoid problems with FrontPage) rather than simply blocking immediately.
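The scoring scheme described across both posts (one point per POST to a login URI, one extra point for a POST with no Referer unless the request is a FrontPage author.exe publish, local addresses skipped, block once a per-minute threshold is reached), written out as an added example. This is not the poster's cron script, which is not shown in the thread. The combined-log regex, the LOGIN_PATHS list, the LOCAL_IPS set, the THRESHOLD value, the null-route command in blackhole_command() and the sample log lines are all assumptions constructed for the example.

```python
"""Weighted scoring of POST requests from Apache combined-format access logs.

Added example: each client IP accumulates points per scoring window (the cron
interval). A POST to a login URI scores 1; a POST with no Referer scores 1 more,
except FrontPage publishing POSTs to author.exe. IPs at or above THRESHOLD are
returned as blackhole candidates. All log lines below are constructed samples.
"""
import ipaddress
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Login URIs watched by the frequency check (WordPress and Joomla).
LOGIN_PATHS = ("/wp-login.php", "/wp-admin", "/administrator/index.php")

# Assumed server-local addresses that are never scored; set per host.
LOCAL_IPS = {"192.0.2.1"}

# Assumed threshold: points per scoring window before an IP is blackholed.
THRESHOLD = 5

# Constructed sample: one brute-forcer, one browser login, a FrontPage publish,
# an external script, and local traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:10:00:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:10:00:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:10:00:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2013:10:00:04 -0500] "GET /wp-login.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2013:10:00:05 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2013:10:00:06 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "http://example.com/wp-admin/" "Mozilla/5.0"
192.0.2.5 - - [10/Apr/2013:10:00:07 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 200 512 "-" "MSFrontPage/6.0"
192.0.2.5 - - [10/Apr/2013:10:00:08 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 200 512 "-" "MSFrontPage/6.0"
192.0.2.77 - - [10/Apr/2013:10:00:09 -0500] "POST /cgi-bin/import.php HTTP/1.1" 200 18 "-" "curl/7.19.7"
127.0.0.1 - - [10/Apr/2013:10:00:10 -0500] "POST /wp-login.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Apr/2013:10:00:11 -0500] "POST /wp-login.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_local(ip):
    """Loopback or one of the configured server addresses."""
    return ipaddress.ip_address(ip).is_loopback or ip in LOCAL_IPS


def score_request(rec):
    """Points for a single parsed request under the weighted scheme."""
    if rec["method"] != "POST":
        return 0
    pts = 0
    path = rec["path"].split("?", 1)[0]          # ignore the query string
    if any(path == p or path.startswith(p + "/") for p in LOGIN_PATHS):
        pts += 1                                 # POST to a login URI
    no_referer = rec["referer"] in ("", "-")
    if no_referer and "author.exe" not in path:
        pts += 1                                 # no Referer, but not a FrontPage publish
    return pts


def score_log(lines):
    """Total points per non-local client IP for the given log lines."""
    scores = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_local(rec["ip"]):
            continue
        scores[rec["ip"]] += score_request(rec)
    return dict(scores)


def ips_to_blackhole(lines, threshold=THRESHOLD):
    """Sorted list of IPs whose score reached the threshold in this window."""
    return sorted(ip for ip, pts in score_log(lines).items() if pts >= threshold)


def blackhole_command(ip):
    """Assumed null-route command; the post does not say how it blackholed IPs."""
    return ["ip", "route", "add", "blackhole", ip]


if __name__ == "__main__":
    for ip, pts in sorted(score_log(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:15} {pts} points")
    for ip in ips_to_blackhole(SAMPLE_LOG.splitlines()):
        print("would run:", " ".join(blackhole_command(ip)))
```

On the constructed sample the brute-forcer reaches 6 points and is the only address returned; the browser login with a Referer scores 2, the FrontPage publish scores 0, the external script scores 1 per request, and loopback and the configured local address are never counted. Scores are per cron run, so the threshold is a per-window rate, which is what keeps a low-volume external script under the bar while a hammering client goes over it within a minute.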