An Example of Bad Referrer Traffic and How to Block it Using ModRewrite and IPTables

Getting these on one of my web servers on an almost daily basis:

114.232.243.86 - - [01/Sep/2014:09:51:34 -0400] "GET http://hotel.qunar.com/render/hoteldiv.jsp?&__jscallback=XQScript_4 HTTP/1.1" 404 15 "http://hotel.qunar.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36"

The traffic comes from all sorts of different IPs that are owned by China Telecom. 114.232.243.86, 114.231.42.219, 222.209.137.232, 222.209.152.192, 118.113.227.95.

The host I am seeing this on does not need to speak to anyone or anything in China, so I used IPTables to filter the entire netblocks I see hits from. Here is an example of a filtering rule along with a little note for myself. Notice that this rule assumes two nonstandard chains - BLACKLIST and LOGDROP - that I use to organize my ruleset.

-A BLACKLIST -s 114.224.0.0/12 -m comment --comment "Chinanet Hotel Qunar Referrer" -j LOGDROP

Because I'm not sure which IP the next connection will come from, but all of the connections rely on the hostname hotel.qunar.com, I also set up a RewriteMap in Apache for that hostname. RewriteMap directives have to be added at the virtualhost or server level - they can't be placed within an .htaccess file. So I added the following to an Apache Conf include file (again to keep things organized):

##
## Bad Referrer Deflection via RewriteMap
##
RewriteEngine on
RewriteMap deflector txt:/$PATHTOFILE/deflector.map
RewriteCond %{HTTP_REFERER} !=""
RewriteCond ${deflector:%{HTTP_REFERER}} =-
RewriteRule ^ %{HTTP_REFERER} [R,L]
RewriteCond %{HTTP_REFERER} !=""
RewriteCond ${deflector:%{HTTP_REFERER}|NOT-FOUND} !=NOT-FOUND
RewriteRule ^.* ${deflector:%{HTTP_REFERER}} [R,L]

While my deflector.map file looks like this (make sure that the file has permissions necessary for Apache to read it): 


##
## deflector.map
##
http://hotel.qunar.com -

The "-" after the bad hostname is a directive that tells Apache where to send the connection. "-" tells the referrer to connect back to itself. However you can send the traffic to a page informing the scanner that you know what they are up to if you are feeling confrontational (and don't mind the additional load).

Your deflector.map doesn't have to be a text file. Using a dbm hash file is both possible and considerably faster. Read more about the RewriteMap directive at the Apache project website.