This script I have been using and advocating lately was originally developed by jpeterson here at WHT. He did a great job, and only one or two things were fixed by other developers here at WHT.
BARF is a script that will tail a domlog, check for multiple requests for the specified GET requests and ban violators. It works great; however, you pretty much have to sit and watch it and check in on it numerous times, as the attackers become wise and change their GET request.
What I am shooting for is for this script to run on a certain domain/domlog and detect ANY repetitive GET that violates my defined restriction parameters.
For example, as of now in its current state, if a site is under attack I would go in and tail the domlog to find the request being used. Suppose the bots are doing "GET / HTTP/1.1"; I would go in, make "GET / HTTP/1.1" a screen and enter:
barf site.com -n 2 -t 4 -s "GET / HTTP/1.1"
This will ban any attacking bot that makes that request 2 or more times in a 4 second period. Sometimes, however, I am not so sure about the time thing on the script, as most of the time when I execute the command it starts banning IPs immediately. Unless somehow it was checking timestamps, perhaps? I'm no coder, so I am not sure.
What I would like to have now would be me going in, tailing the attacked domain's domlog and then executing:
barf domain.com -n 3 -t 6
to ban any IP making any repetitive GET within the specified time and number.
It would be impossible to run this script server-wide, I know. Even though it's very light on resources, it would be a LOT of tailing and parsing to check them all unless I had one single access_log, which just isn't the case with control panel servers like cPanel and DirectAdmin.
So if anyone is a Perl pro here and can offer some help, it would be much appreciated. As of now I am pretty much relying on the solicitation for developers to help for free, as this script is very useful for lots of people, since GET attacks have become so rampant in past years due to the declining size of botnets that entry-level bot kiddies have. And it does happen to do quite a bit of damage and resource exhaustion on any dynamic site regardless of basic DDoS securities.
Thanks to all who will help. I will add your name in the script changelog for any useful fix or modification you do.
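As an added illustration of the detection logic being asked for (this is example code written for this page, not BARF's own Perl code and not something from jpeterson or the poster), the block below reads Apache common/combined format domlog lines, groups hits per client IP and per exact request line, and flags an IP once the same request appears `n` or more times within `t` seconds. It works from the timestamps inside the log lines rather than the wall clock, so replaying an existing domlog gives the same result as tailing it live. The `-s` style filter is optional: leave it out and any repeated request line is counted, which is the "barf domain.com -n 3 -t 6" behaviour described above. The log format, the inclusive-window reading of `-n`/`-t`, the `RepeatDetector` name and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: Apache common/combined log format. Only the leading fields
# (client IP, bracketed timestamp, quoted request line) are needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, unix_timestamp, request_line) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), ts, m.group("req")


class RepeatDetector:
    """Sliding-window repeat detector: ban an IP that sends the same request
    line n or more times within t seconds (hypothetical name, modelled on the
    -n / -t / -s options described in the post)."""

    def __init__(self, n, t, only_request=None):
        self.n = n
        self.t = t
        self.only_request = only_request          # None means "any request"
        self.recent = defaultdict(deque)          # (ip, req) -> recent timestamps
        self.banned = {}                          # ip -> request that triggered the ban

    def feed(self, line):
        """Feed one log line; return the IP if this line triggers a ban, else None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ip, ts, req = parsed
        if ip in self.banned:
            return None                           # already dealt with
        if self.only_request is not None and req != self.only_request:
            return None                           # -s style filter in effect
        window = self.recent[(ip, req)]
        window.append(ts)
        # Drop hits older than t seconds relative to the newest one (window is
        # inclusive: hits exactly t seconds apart still count together).
        while window and ts - window[0] > self.t:
            window.popleft()
        if len(window) >= self.n:
            self.banned[ip] = req
            return ip
        return None


def scan(log_text, n, t, only_request=None):
    """Run the detector over a whole domlog and return {ip: offending request}."""
    det = RepeatDetector(n, t, only_request)
    for line in log_text.splitlines():
        det.feed(line)
    return dict(det.banned)


# Constructed sample domlog (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_DOMLOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:56:11 +0000] "GET /index.php?x=1 HTTP/1.1" 200 900 "-" "curl/8"
192.0.2.9 - - [10/Oct/2023:13:56:12 +0000] "GET /index.php?x=1 HTTP/1.1" 200 900 "-" "curl/8"
192.0.2.9 - - [10/Oct/2023:13:56:13 +0000] "GET /index.php?x=1 HTTP/1.1" 200 900 "-" "curl/8"
"""

if __name__ == "__main__":
    # Equivalent of: barf domain.com -n 3 -t 6   (any repeated request)
    for ip, req in scan(SAMPLE_DOMLOG, n=3, t=6).items():
        print(f"ban {ip}  ({req})")
    # Equivalent of: barf site.com -n 2 -t 4 -s "GET / HTTP/1.1"
    for ip, req in scan(SAMPLE_DOMLOG, n=2, t=4, only_request="GET / HTTP/1.1").items():
        print(f"ban {ip}  ({req})")
```

In the sample, the normal visitor 198.51.100.7 repeats the same page but 33 seconds apart, so it never accumulates enough hits inside the window and is left alone; the two hosts hammering one URL a second apart are flagged. In a real deployment the `return ip` branch is where the firewall call would go, and the per-key deques should be pruned periodically so a long tail does not grow memory for every IP and URL ever seen.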