Frequently Asked Questions

The NearlyFreeSpeech.NET FAQ (*)

Troubleshooting (*)

How should I describe problems I'm seeking help with?

Why can't I delete or change the permissions of these files my web application created?

If I have a directory called example, why can't I refer to it as /example?

Why does my site keep redirecting to the wrong alias?

What does it mean that a site "has temporarily exceeded its connection limit?"

I can't access my site at all. What should I check first?

What do I do if someone is trying to waste my site's bandwidth?

You have several options.

First, we always recommend that attack-prone sites minimize their attack profile by consciously examining the use of large files. One good example of this is using graphics compression to make images smaller, or to evaluate whether that one graphic really needs a 24 megapixel click-to-zoom version.

These steps are primarily useful if your site is attacked by a large number of different addresses, or if the addresses used change rapidly. (It's also a good way to save money and ensure a fast-loading site in the far more common not-being-attacked case, including high-usage periods like getting mentioned on Reddit.)

Second, you can edit your site's IP access controls. This is the most efficient way to block access to your site in that it will have the least performance impact on legitimate visitors. However, our system IP access controls are general purpose and not specifically designed for abuse. Therefore they return a small error message to visitors, and that still takes up some bandwidth; an attacker blocked by our IP access controls would have to hit your site about 820,000 times to use a gigabyte of bandwidth.

If you're sure someone is attempting to waste bandwidth, there is a third option you can use to eliminate as much of the response as you can. Take the following steps:

  1. Create a zero-length file called "no" in your site's public directory. (E.g. touch /home/public/no from the ssh server.) Do not skip this step!
  2. Add the following to your .htaccess file (replace 1.2.3.4 with the IP address to block):
    RewriteEngine on
    RewriteCond %{REMOTE_ADDR} 1.2.3.4
    RewriteCond %{REQUEST_URI} !=/no
    RewriteRule .* /no [L]
    

Affected visitors will receive an empty "OK" response. This still includes HTTP headers, but that's all. An attacker blocked by this would have to hit your site about 3,600,000 times to use even one gigabyte of bandwidth.

There is a variant of this that saves slightly more bandwidth and may fool would-be attackers into thinking they have succeeded in taking your site down. However, it carries an additional risk: It bends the HTTP standard, and if you do not set the IP address properly, search engines who see this response will also think your site is gone and remove references to it. The code for .htaccess is (again replacing 1.2.3.4 with the IP address to block):

# Do not put this in your .htaccess unless you have read the warning above.
RewriteEngine on
RewriteCond %{REMOTE_ADDR} 1.2.3.4
RewriteRule .* . [L,G]
ErrorDocument 410 "."

This returns an HTTP "410 Gone" response and one byte of content. This has the side effect of eliminating some HTTP headers. As a result, an attacker blocked by this would have to hit your site about 4,600,000 times to use up a gigabyte of bandwidth.

If you need to block more than one IP address using the latter two techniques, combine them as in the following example:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} 1.2.3.4 [OR]
RewriteCond %{REMOTE_ADDR} 5.6.7.8 [OR]
RewriteCond %{REMOTE_ADDR} 9.10.11.12
RewriteCond %{REQUEST_URI} !=/no
RewriteRule .* /no [L]

While the only way to completely protect your site from all Internet attacks is not to put it on the Internet, we hope these options will help you defend yourself in the unlikely event that your site falls victim to a bandwidth-wasting attack.

Why shouldn't I refer to my site as "example.com" in the forum?

Why does your credit card form say my address (or zip) "failed validation" even though I know it is correct?

Why do I sometimes receive an "Access Denied" error when visiting my site?

Why am I getting a "premature end of script headers" error when I try to run a script?

Why doesn't my .htaccess file work with Apache 2.4?

Why do I get "The requested URI could not be accessed" when logging in to the control panel of my WordPress site?

Why is there a tiny bug icon on a page in the member interface?

Why is my WordPress site asking for FTP credentials?