On 24.01.2026 at 20:21, Lloyd wrote:
> Isn't this why the HTTP 406 response code exists?
>

It does not matter sending a corresponding HTTP response like:

HTTP 429 Too many requests
Retry-After: some delay

They ignore it and will continue sending requests in ways hardly detectable. The only option I see is grepping the log file for those status codes (404, 406, 429, some location, etc.) and using the IP information for creating pf rules.

Having httpd in base do something like this automatically, like e.g. spamd, would be a cool feature to have. Something like: make httpd detect IPs sending too many requests and make it manage some pf table to block that IP for some time automatically, similar to spamd.

I am currently helping someone running apache2 and there are quite some modules available to help getting out of the situation. Currently testing mod_evasive with very little success.

It is very hard to decide whether a request is coming from a user or a machine based on the access.log, for example. So the only information you have is IP and location accessed. I am saying this after having watched the access.log there for a couple of days trying to find an access pattern to match against, with the frustrating result that it's nearly impossible to distinguish between a bot just downloading the site in all possible ways and a DDoS attack.

So something like greylisting and DNSBL etc. for httpd may do the trick.

Regards,
--
Christian
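
The log-scanning approach described in the message above, as an added example that is not part of the original e-mail or of httpd: it counts 404/406/429 responses per client address and prints the addresses over a threshold, ready to be loaded into a pf table. The Common Log Format layout, the sample lines and the table name `httpd_abuse` are assumptions.

```sh
#!/bin/sh
# offenders LOGFILE MIN: print client addresses with at least MIN responses
# of status 404, 406 or 429. Assumes Common Log Format, with or without the
# server name that OpenBSD httpd prepends (assumption; not "combined").
offenders() {
	awk -v min="$2" '
	{
		status = $(NF - 1)   # status and size are the last two fields
		if (status != 404 && status != 406 && status != 429) next
		ip = ""
		for (i = 2; i <= NF; i++)   # ident is normally "-"; the address precedes it
			if ($i == "-") { ip = $(i - 1); break }
		if (ip !~ /^[0-9A-Fa-f:.]+$/) next   # never hand non-addresses to pfctl
		hits[ip]++
	}
	END { for (ip in hits) if (hits[ip] >= min) print ip }
	' "$1" | LC_ALL=C sort
}

# Constructed sample lines (documentation addresses), httpd and Apache layouts.
# The sixth line carries a quote and a fake status inside the request string.
sample_log() {
cat <<'EOF'
www.example.org 192.0.2.10 - - [24/Jan/2026:20:00:01 +0100] "GET /a HTTP/1.1" 404 0
www.example.org 192.0.2.10 - - [24/Jan/2026:20:00:01 +0100] "GET /b HTTP/1.1" 429 0
www.example.org 192.0.2.10 - - [24/Jan/2026:20:00:02 +0100] "GET /c HTTP/1.1" 404 0
www.example.org 198.51.100.7 - - [24/Jan/2026:20:00:03 +0100] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [24/Jan/2026:20:00:04 +0100] "GET /x HTTP/1.1" 404 0
2001:db8::5 - - [24/Jan/2026:20:00:05 +0100] "GET /y\" 200 HTTP/1.1" 406 0
2001:db8::5 - - [24/Jan/2026:20:00:06 +0100] "GET /z HTTP/1.1" 406 0
EOF
}

# Usage on the server (table name httpd_abuse is hypothetical; pf.conf needs
# "table <httpd_abuse> persist" and a block rule referencing it):
#   offenders /var/www/logs/access.log 20 | xargs -r pfctl -t httpd_abuse -T add
#   pfctl -t httpd_abuse -T expire 3600   # from cron: drop entries after an hour
```

Reading the status from the end of the line keeps a crafted request string from hiding the real status code, and the address check keeps log content from reaching the `pfctl` command line.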

