You have several options.
First, we always recommend that attack-prone sites minimize their attack profile by consciously examining the use of large files. One good example of this is using graphics compression to make images smaller, or to evaluate whether that one graphic really needs a 24 megapixel click-to-zoom version.
These steps are primarily useful if your site is attacked by a large number of different addresses, or if the addresses used change rapidly. (It's also a good way to save money and ensure a fast-loading site in the far more common not-being-attacked case, including high-usage periods like getting mentioned on Reddit.)
Second, you can edit your site's IP access controls. This is the most efficient way to block access to your site in that it will have the least performance impact on legitimate visitors. However, our system IP access controls are general purpose and not specifically designed for abuse. Therefore they return a small error message to visitors, and that still takes up some bandwidth; an attacker blocked by our IP access controls would have to hit your site about 820,000 times to use a gigabyte of bandwidth.
If you're sure someone is attempting to waste bandwidth, there is a third option you can use to eliminate as much of the response as you can. Take the following steps:
- Create a zero-length file called "no" in your site's public directory. (E.g. touch /home/public/no from the ssh server.) Do not skip this step!
- Add the following to your .htaccess file (replace 1.2.3.4 with the IP address to block):
RewriteEngine on RewriteCond %{HTTP:X-Forwarded-For} 1.2.3.4 RewriteCond %{REQUEST_URI} !=/no RewriteRule .* /no [L]
Affected visitors will receive an empty "OK" response. This still includes HTTP headers, but that's all. An attacker blocked by this would have to hit your site about 3,600,000 times to use even one gigabyte of bandwidth.
There is a variant of this that saves slightly more bandwidth and may fool would-be attackers into thinking they have succeeded in taking your site down. However, it carries an additional risk: It bends the HTTP standard, and if you do not set the IP address properly, search engines who see this response will also think your site is gone and remove references to it. The code for .htaccess is (again replacing 1.2.3.4 with the IP address to block):
# Do not put this in your .htaccess unless you have read the warning above.
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-For} 1.2.3.4
RewriteRule .* . [L,G]
ErrorDocument 410 "."
This returns an HTTP "410 Gone" response and one byte of content. This has the side effect of eliminating some HTTP headers. As a result, an attacker blocked by this would have to hit your site about 4,600,000 times to use up a gigabyte of bandwidth.
If you need to block more than one IP address using the latter two techniques, combine them as in the following example:
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-For} 1.2.3.4 [OR]
RewriteCond %{HTTP:X-Forwarded-For} 5.6.7.8 [OR]
RewriteCond %{HTTP:X-Forwarded-For} 9.10.11.12
RewriteCond %{REQUEST_URI} !=/no
RewriteRule .* /no [L]
While the only way to completely protect your site from all Internet attacks is not to put it on the Internet, we hope these options will help you defend yourself in the unlikely event that your site falls victim to a bandwidth-wasting attack.