Hi Bill,
  the classical way would be to have a reverse proxy in front of the
application that catches such cases. A decent reverse proxy or even
application firewall router will allow you to define limits on bandwidth
and sessions per time unit. Some even recognize specific
denial-of-service patterns.

Of course, you could also simply limit the ranges of parameters accepted
over the Internet - unless these wild ranges may actually occur in valid
scenarios.

A bit more complex is the third alternative that requires valid sessions
and permits paging only in one or the other direction. This way, start
and offset values would not be exposed, only functions for next
page/previous page or maybe some larger steps would be supported.
Stepping to one offset would also only be permitted if you come from a
proper previous page. Initial requests (in new sessions) would have to
start at offset 1. Constraints on the parameters in subsequent requests
within a session are a bit harder to handle.

Cheers,
--Jürgen

On 21.09.2015 19:28, William Bell wrote:
> We have some Denial of service attacks on our web site. SOLR threads are
> going crazy.
>
> Basically someone is hitting start=150000 + and rows=20. The start is crazy
> large.
>
> And then they jump around. start=150000 then start=213030 etc.
>
> Any ideas for how to stop this besides blocking these IPs?
>
> Sometimes it is Google doing it even though these search results are set
> with No-index and No-Follow on these pages.
>
> Thoughts? Ideas?
>
> Thanks
>

Mit freundlichen Grüßen/Kind regards/Cordialement vôtre/Atentamente/С
уважением

*i.A. Jürgen Wagner*
Head of Competence Center "Intelligence"
& Senior Cloud Consultant

DevoteThem GmbH, Industriestr. 3, 70565 Stuttgart, Germany
Phone: +49 6151 868-8725, Fax: +49 711 13353-53, Mobile: +49 171 864 1543
E-Mail: juergen.wag...@devoteam.com, URL: www.devoteam.de

------------------------------------------------------------------------
Managing Board: Jürgen Hatzipantelis (CEO)
Address of Record: 64331 Weiterstadt, Germany; Commercial Register:
Amtsgericht Darmstadt HRB 6450; Tax Number: DE 172 993 071
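
The second and third alternatives from the reply above, sketched as an added example that is not part of the original message or of Solr itself. The limits, the class and function names, and the 'first'/'next'/'prev' actions are assumptions; Solr's start parameter is zero-based, so the first page here is start=0.

```python
"""Added example: server-side paging gate in front of Solr (all names hypothetical)."""
from dataclasses import dataclass

MAX_ROWS = 50      # assumed limit: largest page the UI really shows
MAX_START = 1000   # assumed limit: deepest offset a legitimate user may reach
PAGE_ROWS = 20     # fixed page size, matching the rows=20 requests in the thread


class PagingRejected(Exception):
    """Raised when a request falls outside the allowed paging window."""


def check_range(params: dict) -> dict:
    """Alternative 2: validate client-supplied start/rows before they reach Solr."""
    try:
        start = int(params.get("start", 0))
        rows = int(params.get("rows", PAGE_ROWS))
    except (TypeError, ValueError):
        raise PagingRejected("start/rows must be integers")
    if not 0 <= start <= MAX_START:
        raise PagingRejected(f"start={start} outside 0..{MAX_START}")
    if not 1 <= rows <= MAX_ROWS:
        raise PagingRejected(f"rows={rows} outside 1..{MAX_ROWS}")
    return {"start": start, "rows": rows}


@dataclass
class PagingSession:
    """Alternative 3: the offset lives in the server-side session, never in the URL."""
    start: int = 0  # new sessions begin on the first page

    def step(self, action: str) -> dict:
        """Accept only 'first', 'next' or 'prev'; derive start from the previous page."""
        if action == "first":
            new_start = 0
        elif action == "next":
            new_start = self.start + PAGE_ROWS
        elif action == "prev":
            new_start = max(0, self.start - PAGE_ROWS)
        else:
            raise PagingRejected(f"unknown paging action {action!r}")
        if new_start > MAX_START:
            raise PagingRejected("paging depth limit reached")
        self.start = new_start  # committed only after every check has passed
        return {"start": self.start, "rows": PAGE_ROWS}
```

A rejected request should be answered by the front end (for example with HTTP 400) without ever issuing the Solr query, since the cost being avoided is the deep-offset search itself.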


