Solved Any way to stop these attacks which are eating bandwidth?

Yes, but they are on their own vps or dedi, not on shared hosting. Cloudflare is no option for shared hosting.
And I've already checked douzens of ip's which unfortunately came all over the world not mainly from Brazil, also for example from US datacenters.

However, I managed to find a good block myself. Because I guess these are all infected pc's. And all were using old Chrome versions as I mentioned before. So I now block everything below Chrome 119 and their fun is over.
It rained 403's for them wil normal users with up to date browsers had no problems logging in. The bandwidth eating is over now.
Hi Richard;
you should take care of blocking above Chrome/99.x versions
some googlebot using Chrome/99.0.4844.84 version check your logs first

we have a lot of Chrome/99.0.4844.84 versions in logs still googlebot using

like this

66.249.73.164 - - [21/Oct/2025:04:43:20 +0300] "GET /en HTTP/1.1" 200 8357 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

you can do it whit modsecurity

Add this too rule in your rules set in .conf file
and change the ID:123456 number

this will give error 406 if Chrome/xx versions
SecRule REQUEST_HEADERS:User-Agent "(Chrome/[0-9][0-9])" "deny,status:406,id:123456,nolog,msg:'Bad Chrome'"


this will allow if the user agent if exit in your whitelist.txt

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile whitelist.txt" "allow,id:123456,nolog,ctl:ruleEngine=Off"


Creat a file whitelist.txt wher your rules edit .conf file
and add lines whitelist.txt

Googlebot
Google-InspectionTool
Googlebot-Image


and restart Apache



Regards
 
Yes it does. In the community version you can choose 3 free blocklists iirc. Or buy commercial ones of course.
But you can opt-out on sharing the banned ip's. But if you take no part in the community, you don't get the complete blocklists.

You can maintain your own blocklists if you want. On the cs engine a simple command can add a decision to block an ip, subnet, ASN (like the cloud customer asn's which brings instant peace) for any amount of time.
Like the cluster block function in csf but more client/server arch.
It's customisable in the sense that you can change config files or add your own ideas for a specific check. Or make a check more/less stricter.
@sysdev interesting setup! I had not heard of crowdsecurity before.

I found crowdsecurity is French so you being in NL might make your GDPR worries less? 😬

On my VPS I get regular "flood request attacks" from cloud consumer IPs which I sometimes add to csf.

Do you have some list of cloud consumers IPs/ASNs or do you just add them "on the go".
 
you should take care of blocking above Chrome/99.x versions
I know, the highest number which I've encountered in the logs was version 100. I'm blocking everything below version 115.
But I don't use mod_security.

@johannes I use this line in my .htaccess but it might get to my httpd-includes.conf with the other bad bots if other sites get attacked too.
Code:
BrowserMatchNoCase "Chrome\/\b(0*(?:[1-9][0-9]?|115))\b" bad_bot
Order deny,allow
Deny from env=bad_bot
This blocks every Chrome version below 115.
Seems this is not quite correct and blocks everything below 100, no matter if you have 115 there or not. But 100 is not used by bots as far as I could see and -is- used by Bingbot. So it should still be good.
I still don't quite understand how to correctly test these things with the regexp tester.

I thought this might also block Google bot, but seems Google is using a 141 version.
Code:
Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.7390.107 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
So seems we're fine with google.

Edit: adjustes regexp explanation.
 
Last edited:
I know this says it's solved, but I thought I would share this for PHP websites.

I use this code I wrote for my PHP website, along with user registration that requires an invitation code. On my shared host this solved it all.

No spam registrations or spam, no stolen resources for me; it gave me my website back.

PHP-SmartBlocker-1.2 https://github.com/AFFASocial/PHP-SmartBlocker-1.2

MIT License: Free to use, modify, and share. Yes, it is FREE and works on shared cPanel hosts, and I am sure it will work on others like Plesk Panel
I also coded it to work with Cloudflare.

The key is every connection must first solve a puzzle captcha, or they get nothing, and automated attacks, spammers, bots, etc. will never solve the puzzle captcha, and this will not register in your analytics or consume all your resources, memory, etc., and your site will eventually show; in time, they will all move on. Some won't, but just add those bad ones in the blocks.php file in the appropriate sections, and they just hit a wall they cannot pass.

Click farms assisted by human spammers are the only exception, as they can solve the puzzle captcha, but most will, after registration, change the IP before they post, and in those cases, they must solve the puzzle CAPTCHA again. Most of these spammers are paid pennies to register spam on your website, and eventually the time does not warrant them consuming the time to create the account only to be deleted; they get zero value. Eventually most will leave.

When I created that code, I was hit constantly with spam registrations. Once I implemented this, all the spam stopped with the exception of maybe 1 or 2 human-assisted registrations in 24 hours; that's 99% of all bad activity gone instantly.

In my case, on my website, I coded the site so registration requires an invitation code; no code, no entry, and that makes my site 100% free of any unwanted activity except real human people.

My website has been low-key and up since 5/2019, so I had 7 years of SPAM LOGS and tested in live production for the last 7 months.

All that bad activity was consuming my shared resources and slowing my website down and giving me inflated stats for fake users and hits to my site that actually harm your site's stats on sites like Google. With this code, it does not touch anything on your site unless it solves the puzzle captcha first. Nothing registers in GA Google Analytics until after it solves the puzzle captcha and that is 99% guaranteed to be a real human

Example of used resources
Opera Snapshot_2026-07-15_140607_chi209.greengeeks.net.png

I hope this will help many PHP websites; it did for me, and that's why I created it and am sharing it here.
 
Back
Top