I’ve been fighting off hackers to MT.Net for several years now. My traditional way of doing this has been to manually flag the IP address of the attacker and add it to a block list. This used to be very effective, but then attackers began enlisting bot networks with dozens of IPs per attack. It became impossible to block them all without making it a full-time job.
About three years ago I implemented adaptive firewall rules which will track URL requests and only allow a certain number of those requests before blocking further ones. I blogged about their success and then … promptly stopped using it for some reason!
Today I noticed I was no longer using these amazing rules and promptly put them back into place. Like magic, the huge load I had seen on my webserver promptly disappeared. Now it doesn’t matter how many IPs an attack originates from, it will be blocked! That IP will not be able to launch any further attacks for 5 more minutes.
I love using smart approaches to problems. Just wish I remembered to keep them around next time!
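The per-IP behaviour described above, as an added sketch that is not the firewall rules used on the site: each address gets its own request counter and its own 5-minute block, so the number of attacking IPs does not matter. The threshold of 5 requests per 10 seconds, the renewal of the block while a blocked address keeps sending, and the sample traffic are assumptions; the post only states the 5-minute block.

```python
from collections import defaultdict, deque


class AdaptiveLimiter:
    """Per-IP sliding-window counter with a timed block."""

    # max_requests and window are assumed values; block=300 is the post's 5 minutes.
    def __init__(self, max_requests=5, window=10, block=300):
        self.max_requests = max_requests
        self.window = window
        self.block = block
        self.hits = defaultdict(deque)  # ip -> timestamps of recently allowed requests
        self.blocked_until = {}         # ip -> time at which the block expires

    def allow(self, ip, now):
        """Return True if the request arriving at `now` (seconds) is passed."""
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                # Assumption: traffic from a blocked IP restarts its timer.
                self.blocked_until[ip] = now + self.block
                return False
            del self.blocked_until[ip]
        recent = self.hits[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()            # forget requests outside the window
        if len(recent) >= self.max_requests:
            self.blocked_until[ip] = now + self.block
            recent.clear()
            return False
        recent.append(now)
        return True


def replay(events, limiter=None):
    """Replay (time, ip) events in time order; return {ip: [allowed, dropped]}."""
    limiter = limiter or AdaptiveLimiter()
    totals = defaultdict(lambda: [0, 0])
    for now, ip in sorted(events):
        totals[ip][0 if limiter.allow(ip, now) else 1] += 1
    return dict(totals)


# Constructed traffic (documentation address ranges): three bot IPs sending
# one request per second for a minute, plus one visitor every 30 seconds.
BOTS = ["203.0.113.%d" % i for i in (10, 11, 12)]
EVENTS = [(t, ip) for ip in BOTS for t in range(60)]
EVENTS += [(t, "198.51.100.7") for t in range(0, 60, 30)]

if __name__ == "__main__":
    for ip, (ok, dropped) in sorted(replay(EVENTS).items()):
        print(f"{ip:15} allowed={ok:3} dropped={dropped:3}")
```

Each bot address gets its first five requests through and is then dropped for the rest of the minute, while the slow visitor is never touched.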