On Tue, Mar 16, 2010 at 11:39:11AM +0100, Miko?aj Radzewicz wrote:
> Hmm, it is little not what I thought... We have DDoS due to our links
> are put on high load site. I wanted to check referrers dynamical and
> then block them (with the highest rate).
You mean they put the links on *many* high load sites ? I think that
at some point you'll have found the list.
> Maybe is it possible to limit the session based on host?
You mean on referrer I presume. Right now it's not possible. Most of
the code to do that is present but still requires some non-obvious
changes in order to support that.
In my opinion you should really try to enumerate the few higher load
sites. Simply capture them ("capture request header referer len 32")
then check them in your logs using sort | uniq -c | sort -n and write
a rule to get most of them away.
Regards,
Willy
