Spammers knocking webserver offline

Hi folks, new user here, hope somebody can give me advice.

One of my customers is running a Weblog including an automatically updated list of top referers. Now it seems that spammers have found those referer lists to be the next possibility to get hits on their sites. They send lots of HTTP requests with their own URL as referer to the Blog so they would end up in the top referers list. Most of them send only three or four requests every few minutes, nothing the Apache couldn't handle.

Some, though, are more aggressive, sending thousands of requests to .php URLs within a few minutes, causing a load of 50+. A side-effect is MySQLd refusing further connections from the host, knocking offline a lot more websites. I have increased the max_connect_errors option to safe_mysqld to get around this, but it doesn't solve the problem of the server being unusable.

Configuration details: running FreeBSD 4, Apache 1.3.33, PHP 4.4.0, .php scripts are executed with the uid of the customer.

"Attacker" details: sending waves of requests, all requests within a wave originate from the same remote IP, but waves originate from different machines all over the world, most likely compromised boxes.

How would the experts handle this? I've been thinking about ulimits or log monitoring and blocking the remote IP on demand, but no clean solution has come to my knowledge yet, which wouldn't disrupt the normal operation of the webserver.

This has happened three times within the last 24hrs.
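One way to do the log monitoring the post considers, as an added example that is not part of the original post: it scans Apache combined-format access log lines and flags any remote IP that sends a burst of .php requests inside a sliding time window, recording the referers it used. The threshold, window length, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip, identd, user, [timestamp], "request", status, size, "referer"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def find_floods(lines, threshold=100, window=timedelta(seconds=60)):
    """Return {ip: (peak_count, referers)} for IPs that sent at least
    `threshold` .php requests within `window` (both values are assumptions)."""
    recent = defaultdict(deque)    # ip -> timestamps still inside the window
    referers = defaultdict(set)    # ip -> referer values seen on .php requests
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        if not path.endswith(".php"):
            continue               # only the PHP requests drive the load
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        ip = m.group("ip")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        referers[ip].add(m.group("referer"))
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(ip, (0,))[0])
            flagged[ip] = (peak, referers[ip])
    return flagged

def constructed_sample():
    """Constructed log lines: one flooding client and one ordinary visitor."""
    base = datetime(2005, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.0" 200 512 "{ref}" "-"'
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(ip="192.0.2.10", ts=stamp(base + timedelta(milliseconds=100 * i)),
                        path="/index.php?p=1", ref="http://spam.example/")
             for i in range(300)]  # 300 requests in 30 seconds
    lines += [fmt.format(ip="198.51.100.7", ts=stamp(base + timedelta(minutes=3 * i)),
                         path="/index.php", ref="-")
              for i in range(4)]   # four requests, three minutes apart
    return lines
```

The flagged addresses can then be handed to whatever blocking mechanism the host already uses, while low-rate clients such as the second one in the sample stay untouched.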