Hi Michael,

You could attempt to block the user agent, as it looks like they're all using IE6/WinXP, as long as you don't have any legitimate users that still use IE6 - at least as a temporary resolution. You could put something like this in your virtual host on Apache:

<Directory />
  SetEnvIfNoCase User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" bad_user
  Deny from env=bad_user
</Directory>



On 25 August 2013 16:34, Michael Corliss <michaeljcorliss@gmail.com> wrote:
Hello,

My site was running very slowly this morning, and when I looked at top it showed a lot more apache processes than usual.  My apache logs show several generic-looking requests per second all day, all from different IPs but the same user agent:

203.177.174.141 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
117.7.236.73 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
216.178.85.218 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
49.206.63.20 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
59.149.127.101 - - [25/Aug/2013:06:57:47 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
111.254.38.56 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.154.108.28 - - [25/Aug/2013:06:57:46 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
60.240.213.10 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 18876 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
41.74.72.186 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
5.166.34.40 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
213.57.146.253 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.245.63.129 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
171.97.140.82 - - [25/Aug/2013:06:57:48 +0000] "POST / HTTP/1.1" 200 13140 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.136.214.3 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
74.197.170.177 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
106.241.51.51 - - [25/Aug/2013:06:57:49 +0000] "POST / HTTP/1.1" 200 21900 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
178.32.159.163 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 25746 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
110.55.2.241 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
97.66.102.42 - - [25/Aug/2013:06:57:50 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2.181.22.211 - - [25/Aug/2013:06:57:51 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
95.58.227.174 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
91.84.209.34 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 25078 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.187.102.48 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.187.102.48 - - [25/Aug/2013:06:57:52 +0000] "POST / HTTP/1.1" 200 9101 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.187.102.48 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 25746 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
162.40.113.3 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.0" 200 29739 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
74.246.72.161 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
69.31.103.15 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 18824 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
95.56.48.194 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
91.234.62.104 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
117.201.49.234 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 26622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
110.93.93.232 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
49.144.94.153 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
49.206.63.20 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.5.224.39 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
222.253.203.151 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
116.71.205.203 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
76.231.201.4 - - [25/Aug/2013:06:57:54 +0000] "POST / HTTP/1.1" 200 29841 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
113.185.6.125 - - [25/Aug/2013:06:57:53 +0000] "POST / HTTP/1.1" 200 20250 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


This goes on and on.  I've stopped apache and everything seems to be working normally.

I've found some suggestions that this UA is associated with malicious bots; is this a DDOS?  Who would want to DDOS a piddly discussion forum?  Any advice on making it useable again?

Thanks,
Mike

_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users