Any way to stop these attacks which are eating bandwidth?

[Richard G]

Seem some sites on our servers are under attack in some way. Don't know exactly what they are doing but it's eating up bandwith of the users, while it looks as they are just requesting content.
Recently I used a bad bot blocker in the httpd-includes.conf file and things got fairly quiet.

Now they are using loads of ip's with old Chrome versions to do a lot of requests.

There are a couple of things which do catch the eye.
First of all, almost all of them are from Macintosh OS X all kind of 10.x versions in the log line and old Chrome versions are used like this:

189.6.12.85 - - [19/Oct/2025:00:47:34 +0200] "GET http://www.some-website.nl/forum/viewtopic.php?p=964374&sid=d6db3f0bd6a3ff92e823afeebaffb819 HTTP/1.1" 200 8328 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
200.181.149.72 - - [19/Oct/2025:00:47:34 +0200] "GET http://www.some-website.nl/forum/viewforum.php?f=157&sid=deb313a2da7fdd7c0cacea1c13669ba5 HTTP/1.1" 301 311 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/537.36 (KHTML, like Gecko, Mediapartners-Google) Chrome/87.0.4280.90 Safari/537.36"

Blocking these ip's has no use as there are douzens of different ip's doing this. And it's causing high load too now.
Is there a simple way to block everything below for example version 110 of Chrome or maybe a better way to block this behaviour?

It's just plain crazy, look at this, the phpbb forum stats:

In total there are 17082 users online :: 4 registered, 1 hidden and 17077 guests (based on users active over the past 15 minutes)

 

[Erulezz]

phpBB is really annoying to combat bots, because of the session id that is in the URL. Because of that stupid bots think every pageview is a new page. Topics back in the phpBB forum goes back > 10 years with this issue. I remember this was discussed a few months ago, but the only way I found is fix is to put Cloudflare proxy on with bot protection + block Asia region. I saw in the stats that >50.000+ requests were blocked every hour. This went on for a few hours when finally it calmed down.

 

[Richard G]

but the only way I found is fix is to put Cloudflare proxy on with bot protection + block Asia region.

Well... unfortunately there are a few problems here. To be able to use Cloudflare proxy we would have to move the domain namesevers to Cloudflare which I don't like.
The other things is that the ip's are not only Asian.

But there might be another way.
At this moment I'm blocking old Chrome clients to they are receiving a 403 continuously, but I'm doing it in the .htaccess at the moment and am considering to move it to the httpd-includes.conf which I also use for other bad bots.
I don't know if that is better or not than .htaccess.
But I have to make it better. As for now it's about 7K less, but still some Chrome 6 and other Chrome 8 versions are able to pass.

This is the code I used, probably not optimal, found it on internet:

BrowserMatchNoCase "Chrome/(8[789]|9\d)\." bad_bot
Order deny,allow
Deny from env=bad_bot

So most of them are getting a 403 now, but a lot still pass like these:
Chrome/82.0.4078.2
Chrome/79.0.3945.130
Chrome/62.0.3202.94

So the 62 I understand, but the 82 and 79 I don't understand as I thought this blocks every 7* and 8* version. And odd thing is that 88 is in fact blocked, but 82 is not.

I would like to block every Chrome below 120 if possible.
Or do it the other way around and block all chrome, but only allow above 120.

I could use this (if that is correct) to block all Chrome versions:

BrowserMatchNoCase "Chrome/" bad_bots

but then I don't know how to only allow versions 120 and higher.

 

[sysdev]

I use crowdsecurity to analyse weblogs and this blocks about 15k+ ips from botnets based on community blocklists.

And when our monitoring still sees a too high load it runs a script to count all crap in the logfiles (403/403/50x per ip, number of requests, many sensitive urls like phpmyadmin/wp-admin etc) of the last 15 minutes and just blocks the top 20 with csf for 5 minutes. If they get above some threshold.

A bit blunt but it works.

 

[Richard G]

That might be a good idea too indeed.
But if somebody could give the correct line to block everything below 120 I should be fine for the moment and then I'm going to have a look at crowdsecurity this week. Seems interesting.

 

[sysdev]

<RequireAll>
Require all granted
# Matcht Chrome/0..119
Require not expr "%{HTTP_USER_AGENT} =~ /Chrome\/(?:\d|[1-9]\d|1[01]\d)/i"
</RequireAll>

or

RewriteEngine On
# Matcht Chrome/0..119
RewriteCond %{HTTP_USER_AGENT} "(?:^| )Chrome/(?:\d|[1-9]\d|1[01]\d)" [NC]
RewriteRule ^ - [F]

Same but allowing brave, opera, that windows thing.:

<RequireAll>
Require all granted
Require not expr "%{HTTP_USER_AGENT} =~ /Chrome\/(?:\d|[1-9]\d|1[01]\d)/i && %{HTTP_USER_AGENT} !~ /(Edg|OPR|OPiOS|Brave)/i"
</RequireAll>

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "(?:^| )Chrome/(?:\d|[1-9]\d|1[01]\d)" [NC]
RewriteCond %{HTTP_USER_AGENT} !(Edg|OPR|OPiOS|Brave) [NC]
RewriteRule ^ - [F]

Fiddle around with it, some might work.

 

[Richard G]

Ehmz.. thank you. but can I also use that in my system somehow?

BrowserMatchNoCase "Chrome/(8[789]|9\d)\." bad_bot

So could I use this then?
BrowserMatchNoCase "(?:^| )Chrome/(?:\d|[1-9]\d|1[01]\d)" bad_bot
or does it need to be like this?
BrowserMatchNoCase "Chrome/(?:\d|[1-9]\d|1[01]\d)" bad_bot?

Ah well... I will just test it, thank you!

Edit: don't work. I will try some further regexp testing (really hate that stuff... LoL).