We're receiving a DDoS attack from a specific range of IPs (192.168.0-255.0-255). In our .htaccess file we've attempted to forward their requests to a static HTML file, but only half the requests are being blocked. Does anyone see why that would be?
RewriteCond %{REMOTE_ADDR} ^(10\.0\.0\.1|192\.168\.[0-9]{0,3}\.[0-9]{0,3})$
RewriteCond %{REQUEST_URI} [^/etc/blocked_ip.html]
RewriteRule ^(.*)$ /etc/blocked_ip.html [R=301,L]
And our access logs show:
2014-06-27 11:59:03 192.168.20.232 - 1.2.3.4 443 GET /etc/blocked_ip.html ?
2014-06-27 11:59:08 192.168.20.231 - 1.2.3.4 443 GET /video/832
Note: I've substituted the actual IP ranges with private ranges.
Thanks for any suggestions.
Actually your rewrite condition is incorrect:
RewriteCond %{REQUEST_URI} [^/etc/blocked_ip.html]
Probably you meant:
RewriteCond %{REQUEST_URI} !^/etc/blocked_ip\.html
Your rule can be shortened to:
RewriteCond %{REMOTE_ADDR} ^(10\.0\.0\.1|192\.168\.[0-9]{1,3}\.[0-9]{1,3})$
RewriteRule !^etc/blocked_ip\.html$ /etc/blocked_ip.html [R=301,L,NC]
Also make sure this is your very first rule in your .htaccess.
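An added example, not part of the original question or answer: a small Python model of how mod_rewrite evaluates both rule sets, showing that `[^/etc/blocked_ip.html]` is a negated character class, so any path made up only of those characters is never redirected. The helper names and the sample requests are constructed for illustration, and the model assumes the .htaccess sits in the document root, where RewriteRule sees the path without its leading slash.

```python
import re

# RewriteCond lists, RewriteRule pattern and NC flag, copied from the question and the answer.
QUESTION = ([("REMOTE_ADDR", r"^(10\.0\.0\.1|192\.168\.[0-9]{0,3}\.[0-9]{0,3})$"),
             ("REQUEST_URI", r"[^/etc/blocked_ip.html]")],
            r"^(.*)$", False)
ANSWER = ([("REMOTE_ADDR", r"^(10\.0\.0\.1|192\.168\.[0-9]{1,3}\.[0-9]{1,3})$")],
          r"!^etc/blocked_ip\.html$", True)

# Constructed sample requests: (client address, requested path).
SAMPLES = [
    ("192.168.20.231", "/video/832"),
    ("192.168.20.232", "/etc/blocked_ip.html"),
    ("192.168.20.231", "/help"),        # every character is inside the bracket set
    ("192.168.20.231", "/clip.html"),   # likewise
    ("203.0.113.9", "/video/832"),      # address outside the blocked range
]


def matches(pattern, subject, nocase=False):
    """mod_rewrite-style match: unanchored regex search, a leading '!' negates."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = re.search(pattern, subject, re.I if nocase else 0) is not None
    return hit != negate


def redirected(ruleset, remote_addr, uri):
    """True if the rule set would send this request to /etc/blocked_ip.html."""
    conds, rule_pattern, nocase = ruleset
    env = {"REMOTE_ADDR": remote_addr, "REQUEST_URI": uri}
    # Per-directory context (assumed docroot .htaccess): strip the leading slash.
    rule_subject = uri[1:] if uri.startswith("/") else uri
    if not matches(rule_pattern, rule_subject, nocase):
        return False
    return all(matches(pattern, env[var]) for var, pattern in conds)


def compare(samples=SAMPLES):
    """Return (addr, uri, question_result, answer_result) for each sample."""
    return [(a, u, redirected(QUESTION, a, u), redirected(ANSWER, a, u)) for a, u in samples]


if __name__ == "__main__":
    for addr, uri, old, new in compare():
        print(f"{addr:15} {uri:22} question={old!s:5} answer={new}")
```
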