This is an automated archive made by the Lemmit Bot.
The original was posted on /r/selfhosted by /u/LogicMedia on 2025-02-18 17:19:30+00:00.
Hello. I host a small website that has been subjected to a DDoS since around May of 2022. The bad requests are easy to identify - they all hit the same file, and they all have a UA that starts out with "Dalvik/2.1.0 (Linux; U; Android....."
There are somewhere between 250,000 and 600,000 hits per day. They never really stop, but sometimes it's one or two a second, and sometimes it's close to 100.
I changed that one image to be a zero-byte file. My thinking was that if I just erase it, maybe "they" will notice and pick a different one. ๐
The best I've come up with is grabbing the last few days of IP addresses, sorting them by how often they hit, and blocking the worst offenders. Sometimes I get lucky and it's obvious an entire /24 or even /16 can be blocked, but there is a very, very long tail of IPs that hit once.
Any suggestions? This box happens to be at Linode (now Akamai). This is over https, if that matters.
Here are a few samples from the apache logs:
188.152.24.12 - - [18/Feb/2025:12:03:42 -0500] "GET /images/rotator-1.jpg HTTP/1.1" 200 - "-" "Dalvik/2.1.0 (Linux; U; Android 14; CRT-NX1 Build/HONORCRT-N31)" 0 www.example.com
5.193.115.244 - - [18/Feb/2025:12:03:42 -0500] "GET /images/rotator-1.jpg HTTP/1.1" 200 - "-" "Dalvik/2.1.0 (Linux; U; Android 11; TECNO BD2p Build/RP1A.201005.001)" 0 www.example.com
5.88.67.227 - - [18/Feb/2025:12:03:42 -0500] "GET /images/rotator-1.jpg HTTP/1.1" 200 - "-" "Dalvik/2.1.0 (Linux; U; Android 12; SM-A315G Build/SP1A.210812.016)" 0 www.example.com
196.96.140.21 - - [18/Feb/2025:12:03:42 -0500] "GET /images/rotator-1.jpg HTTP/1.1" 200 - "-" "Dalvik/2.1.0 (Linux; U; Android 10; Infinix X657 Build/QP1A.190711.020)" 0 www.example.com