
DDoS attack from botnet "Miner"

"Miner" botnet

Germany's "Bundesamt für Sicherheit in der Informationstechnik (BSI)" released the warning "BSI IT-Sicherheitswarnung 22/2011, DDoS-Angriffe auf deutsche Webseiten" on September 8th 2011. The document describes new activity by the botnet "Miner", which attempts to attack and take down German Web applications.


It is best to block recognizable requests. This can be done by configuring the Web application appropriately. A better way is to use a Web Application Firewall (like Airlock) to separate security tasks from business functionality.

With Airlock, follow this procedure:

  • Log in to the Airlock Configuration Center
  • Go to "Expert Settings" - "Security Gateway"
  • Search for "AuthproxyFilterDenyHeaderRegex"
  • If you do not find an entry, insert the following line:

SecurityGateway * AuthproxyFilterDenyHeaderRegex.3 "^Accept-Language:[[:space:]]*ru"

  • If you did not find an entry, activate the configuration and you are done. If you did find an entry, continue as follows:
  • Note the highest index, e.g. "3"
  • If the value for this index is not "_undefined_", increment the index by 1 and add the following line:

SecurityGateway * AuthproxyFilterDenyHeaderRegex.<new index> "^Accept-Language:[[:space:]]*ru"

  • Activate and you are done.

This prevents all requests carrying the HTTP header "Accept-Language: ru" (any value beginning with "ru") from reaching the back-end application.

Be aware that this configuration potentially prevents users based in Russia from reaching the back-end application.
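To see which clients the deny pattern above catches before activating it, the following added example (not part of the original advisory or of Airlock) runs the same regular expression over constructed Accept-Language header lines. It assumes that `grep -E` (POSIX extended regex, case-sensitive) approximates the gateway's matching; the function names are hypothetical.

```shell
#!/bin/sh
# Pattern copied verbatim from the AuthproxyFilterDenyHeaderRegex line above.
DENY_REGEX='^Accept-Language:[[:space:]]*ru'

# Returns 0 if a header line matches the deny pattern.
# Assumption: grep -E stands in for the gateway's regex engine.
header_denied() {
    printf '%s\n' "$1" | grep -Eq "$DENY_REGEX"
}

# Constructed sample headers (not captured traffic).
sample_headers() {
    cat <<'EOF'
Accept-Language: ru
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Language:ru
Accept-Language: en-US,en;q=0.9,ru;q=0.5
Accept-Language: de-DE,de;q=0.9
Accept-Language: ro-RO
EOF
}

# Prefix every header line read from stdin with the verdict the rule gives it.
classify_headers() {
    while IFS= read -r line; do
        if header_denied "$line"; then
            printf 'DENY   %s\n' "$line"
        else
            printf 'ALLOW  %s\n' "$line"
        fi
    done
}

# Number of sample headers the rule would block.
count_denied() {
    sample_headers | classify_headers | grep -c '^DENY'
}

sample_headers | classify_headers
```

The pattern is anchored at the start of the header, so it blocks clients whose first listed language begins with "ru" (including legitimate Russian-language browsers), while a client that lists "ru" only as a later preference is not matched.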

Airlock Vulnerability Status: Does not affect Airlock

Back-end Vulnerability Status: Airlock protects, requires changes in configuration