Server Attack from WinHttp

July 30th, 2010 by Chris

Something is going on with the server this site is on right now. I’m getting thousands of requests with user agents of Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), which would appear to be scrapers, but it is very very difficult to ban them, because they’re coming from thousands of different IPs. All trying to view a few pages (not even all the pages) just a few on this site, over and over.

Anyone got advice?

Update

So I think I got the attackers blocked. I don’t think it was malicious, in that I was the target, it was obviously a botnet of some sort, but why would they try to shut WSP down? It makes no sense, this is a tiny site.

I saw a lot of examples on the Internet on message forums to just do this:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^WinHttp
RewriteRule ^.* – [F,L]

I didn’t know you could use mod_rewrite on user agents like that, but I guess it makes sense. Maybe I had learned it at one point and forgot, probably the likely scenario.

Anyways, the above will not work, despite the fact I saw that example, or ones like it, plastered everywhere. I think people were parroting other people and they didn’t really understand it.

I definitely do understand regular expressions though, so when trying that and finding it doesn’t work, and then swapping “WinHttp” for “Mozilla” and being blocked myself to verify the code works in theory, I took another look at it.

The ^ symbol denotes the beginning of a line in a regular expression. If your user agent begins with “Mozilla” and you try to block “^Mozilla” it will work. But if the keyword you’re after is further down the line, you need to accomodate it by telling the regular expression other characters can appear between the start (^) and the word you want.

In regular expressions a period matches any character and an asterisk matches the previous character any number of times. So .* matches anything to any length.

As such I changed my code to this: