Hello.
I get a lot of trafic from amazon IPs and with PHP I can see that IP hostname is like:
So I tried to trigger a captcha if host contains .amazonaws.com but it doesn’t seem to match.
(http.host contains “.amazonaws.com”)
Isn’t that “host” rule what I think it is ?
The host refers to the hostname sent along, which will be your domain.
You will need to block by IP or ASN.
It looks like the amazon IPs I see use AS14618, do you know if this usually contains all EC instances ? Or it is more like an IP class and they have many ASXXXXX ?
Thanks.
That ASN does belong to Amazon. If it is the only one you are getting requests from it should be okay to either block or - maybe better - captcha challenge it.
There is another ASN where I get requests from -> 16509
Yes, I set it to captcha challenge. They make many downloads on the site.
The ~30 recent download abusers I found were using AS14618, I will keep an eye to see different ones showing up (like AS16509).
Thanks.
I added a feature request to block/manage by IP hostname matches:
(Maybe someone that needs this^ would reach this topic).