My server has been under attack for three days by a user in Colorado who requested the same URL 8.3 million times (and counting).
The user, making simultaneous connections from eight IP addresses in a block controlled by Time Warner Telecom, requested a URL on URouLette that redirects to a random web site -- as many as 30 requests a second to a PHP script that made a MySQL database connection. I'm guessing the motive was to acquire web addresses for e-mail harvesting or some other form of net abuse.
By yesterday morning, the requests were crashing everything on the server that could be crashed. It's a sign of how well Linux, Apache, MySQL, and PHP work that it took so long to bring down the box.
After sending an e-mail to the ISP's abuse address, I tried to solve the problem by adding an Apache configuration deny from directive that blocked the user's access to the site:
Deny from 66.195.191
Allow from all
After rebooting Apache, the abuser's requests were rejected with HTTP status code 403 Forbidden.
This worked briefly, prevented MySQL from running out of connections, but after a few hours Apache began freezing up and would serve no requests.
I wasn't able to fix this until I started the iptables service firewall on my server and told it to completely block the offending IPs with commands like this:
/sbin/iptables -I INPUT -s 18.104.22.168 -j DROP
This appears to have worked.
After 24 hours, I'm still waiting to hear from a human at Time Warner Telecom's abuse desk. My own hosting provider, ServerMatrix, has been fast to respond but doesn't seem inclined to contact the other company. I was hoping they could talk admino a admino.
Idiotically enough, the data that the user expended 100GB of my bandwidth trying to get is freely available on the web. URouLette makes use of Open Directory Project data, sending visitors to random sites that its editors have marked as "cool."