Question

We have suddenly been the victim of what we are being told is a DDoS attack. We are trying to use some .htaccess rules to block the offending parameters, using the following, to show a 403 Forbidden page for any POST requests made to the home page and for any requests with specific fields at the beginning of the query string:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(ptrxcz|xclzve).* [NC]
RewriteRule ^(.*)$ http://%{REMOTE_ADDR} [F,L]

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /
RewriteRule ^(.*)$ http://%{REMOTE_ADDR} [F,L]

Basically this works fine whenever I use wget over SSH to access the file with the offending query string, but not in the browser window.

In addition, the Postmaster Google Chrome add-on blocks the POST requests to the home page; however, a curl -d request doesn't get blocked, so I'm finding it hard to know which tools to trust, as they are giving varying results (browser, SSH, Postmaster).

I am also using WordPress with permalinks and I wonder if these affect this in some way, as they are the only other things in the .htaccess file. Once I remove these from the .htaccess file, everything works as expected. This is the WordPress .htaccess, which comes after my current rules:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

In addition, if I change my pre-WordPress rules, remove the [F] and REMOTE_ADDR parts, and replace them with the following to redirect to a URL that doesn't exist, the redirect works properly, which suggests the problem is related to the [F] and REMOTE_ADDR sections.

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(ptrxcz|xclzve).* [NC]
RewriteRule ^(.*)$ http://www.pleasegoawayandnevercomebackagain.com [R=301,L]

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ http://www.pleasegoawayandnevercomebackagain.com [R=301,L]

In addition to the above, and on further investigation, the following rule DOES work:

RewriteEngine On
RewriteCond %{QUERY_STRING} !.*test.* [NC]
RewriteRule ^(.*)$ http://%{REMOTE_ADDR} [F]

The difference here is that I'm checking for a negative match on the query string value. This means every page is forbidden except those with "test" in the query string. Do you have any idea why a negative match works but a positive match does not? Is it a syntax issue, or something to do with matching positive values in .htaccess RewriteCond directives?


Solution 2

If you replace QUERY_STRING in the code above with THE_REQUEST then this works fine and does exactly as required within WordPress.
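The following .htaccess fragment is an added example, not code from the question or from either answer. It applies the THE_REQUEST approach from the answer above to the rules in the question and tidies two things along the way: with the [F] flag the substitution string is ignored, so `http://%{REMOTE_ADDR}` does nothing and the conventional `-` is used instead; and `RewriteCond %{REQUEST_URI} /` is an unanchored substring match that is true for every URI, so the home-page test is anchored. It assumes mod_rewrite is enabled and that the parameter names ptrxcz and xclzve from the question are the ones being flooded.

```apache
# Added example (not from the question or the answers). Place this block
# ABOVE the "# BEGIN WordPress" section of .htaccess so it runs first.
RewriteEngine On

# 1. Block requests whose query string starts with one of the flood
#    parameters. THE_REQUEST holds the raw request line exactly as the
#    client sent it, e.g. "GET /?ptrxcz=1 HTTP/1.1", and is not changed
#    when WordPress later rewrites the request to /index.php.
#    [^?\s]* skips the path; \? marks the start of the query string.
RewriteCond %{THE_REQUEST} \s/[^?\s]*\?(ptrxcz|xclzve) [NC]
RewriteRule ^ - [F]

# 2. Block POST requests to the home page only. The request line must be
#    "POST / HTTP/..." or "POST /?<anything> HTTP/...". Other paths such as
#    /wp-login.php or /wp-comments-post.php are not affected.
RewriteCond %{THE_REQUEST} ^POST\s/(\?[^\s]*)?\sHTTP/ [NC]
RewriteRule ^ - [F]
```

To check the rules, send one request of each kind with curl and look at the status line: `curl -I 'http://yoursite.example/?ptrxcz=1'` and `curl -X POST -I 'http://yoursite.example/'` should both return 403, while `curl -X POST -I 'http://yoursite.example/wp-login.php'` should not be caught by rule 2. `[F]` implies `[L]`, so no further rules run for a blocked request. Note that Apache still has to accept the connection and parse the request before .htaccess is consulted, so these rules reduce the load on PHP and WordPress but do not stop the traffic itself; for a sustained flood, the same pattern is better enforced at the firewall or at a proxy in front of the web server.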

OTHER TIPS

Some ideas that may help you:

  1. Make sure you maintain # BEGIN WordPress and # END WordPress in your .htaccess file. Place the rest of your rules above it.

  2. Try installing the plugin Better WP Security: http://wordpress.org/extend/plugins/better-wp-security/ - it's a life saver :)

Licensed under: CC-BY-SA with attribution