DDOS: GET / HTTP/1.1" 302 223 "-" "-" 800k times a day :(

Hi,

I am getting a GET / HTTP/1.1" 302 223 "-" "-"
800,000 times a day from 30,000 different IPs (at least that's what sort -u produces)
If I pick a particular IP it looks like this:
[root@h1 root]# grep 68.2.221.228 ~h1/logs/access.log
68.2.221.228 - - [28/Jan/2004:00:23:39 -0800] "GET / HTTP/1.1" 302 223 "-"
68.2.221.228 - - [28/Jan/2004:00:27:39 -0800] "GET / HTTP/1.1" 302 223 "-"
68.2.221.228 - - [28/Jan/2004:00:31:39 -0800] "GET / HTTP/1.1" 302 223 "-"
68.2.221.228 - - [28/Jan/2004:00:43:39 -0800] "GET / HTTP/1.1" 302 223 "-"

Any ideas how to ban these suckers completely?

Both User-Agent and Referer are empty so I tried:

SetEnvIfNoCase User-Agent "^Wget*" banned_useragent
SetEnvIf User-Agent "^$" banned_useragent
deny from env=banned_useragent

==> it bans Wget as an agent but not a request with an 'empty' user agent.

Questions:
- Is there a way to detect this kind of stuff automatically and ban it within the kernel?
- I am with SM, could I have any luck with Floodguard?
- for apache: is there any way to say: if useragent AND referer are both empty then throw a 408?
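
An added example, not part of the original post: a shell/awk pass over an access log that counts, per client address, the requests matching the pattern described above ("GET / HTTP/1.1" with both Referer and User-Agent logged as "-"). It assumes Apache "combined" log format; the function names, the threshold argument and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise requests for "/" that carry neither Referer nor User-Agent.

# Constructed sample in combined log format (documentation address ranges only).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [28/Jan/2004:00:23:39 -0800] "GET / HTTP/1.1" 302 223 "-" "-"
192.0.2.10 - - [28/Jan/2004:00:27:39 -0800] "GET / HTTP/1.1" 302 223 "-" "-"
192.0.2.10 - - [28/Jan/2004:00:31:39 -0800] "GET / HTTP/1.1" 302 223 "-" "-"
192.0.2.77 - - [28/Jan/2004:00:24:02 -0800] "GET / HTTP/1.1" 302 223 "-" "-"
198.51.100.5 - - [28/Jan/2004:00:25:10 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.9 - - [28/Jan/2004:00:26:00 -0800] "GET /index.html HTTP/1.1" 200 5120 "http://example.com/" "Wget/1.8.2"
EOF
}

# suspects MIN: read a combined-format log on stdin and print "count ip" for
# every client with at least MIN matching requests, busiest first.
suspects() {
    awk -F'"' -v min="${1:-1}" '
        # Split on double quotes: $2 = request line, $4 = Referer, $6 = User-Agent.
        # A logged field that itself contains a double quote would shift these
        # positions; such lines simply do not match here.
        $2 == "GET / HTTP/1.1" && $4 == "-" && $6 == "-" {
            split($1, pre, " ")      # pre[1] = client address
            hits[pre[1]]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# summary: total matching requests and number of distinct source addresses.
summary() {
    suspects 1 | awk '{ total += $1; ips++ }
        END { printf "%d requests from %d addresses\n", total, ips }'
}

sample_log | suspects 2
sample_log | summary
```

Against a real log, replace `sample_log |` with `< access.log`; the second column of `suspects` is then a candidate list for whatever blocking mechanism is in use.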

 

 

 

 
