Block HTTP 1.0 with nginx
My server is under a heavy attack. Most requests are coming this way:
46.43.84.214 - - [15/May/2012:11:21:45 +0400] "GET / HTTP/1.0" 200 65859 "2r4k68998q24ay.ru" "Mozilla/4.0 (compatible; MSIE 4.01; Vonna.com b o t)"
The HTTP protocol version is the same for all such requests. Can I block HTTP 1.0 requests on a web server level somehow? I have tried this to eliminate the attack (redirect to an empty file):
    if ($server_protocol ~* "HTTP/1.0") {
        rewrite ^/ http://example.com/white.txt;
    }
Does not seem to help much, I don't see any such redirects in the logs. I use nginx 1.0.9 as a reverse proxy with Apache 2.2.3.
Any help is appreciated.
Solution 1:
You could use something like this
    if ($http_user_agent ~* "Vonna.com" ) {
        return 444;
    }
444 will close the connection without returning anything, assuring the lowest possible impact. Though if you want to inform possible legitimate users, use something like 400 perhaps.
Additionally, perhaps block by referrer, though most bots will easily spoof that too.
As far as blocking entire HTTP 1.0 is concerned, you should check this first. If you'd still like to implement the block as a temporary solution, something like this should work.
    if ($server_protocol ~* "HTTP/1.0") {
        return 444;
    }
Basically the same thing you had, except with no rewrite - if I'm reading it right, your usage made it just stay in a permanent loop.
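Before dropping all HTTP/1.0 traffic, the access log can show which clients the rule would affect. The Python script below is an added example, not part of any answer on this page; it assumes the combined log format of the sample line in the question, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Combined log format, as in the question's sample line:
# ip - user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    # Request lines without a version token are counted as "unknown".
    rec["protocol"] = parts[2] if len(parts) == 3 else "unknown"
    return rec

def http10_impact(lines):
    """Count requests per protocol and list the user agents using HTTP/1.0."""
    by_protocol, agents, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1
            continue
        by_protocol[rec["protocol"]] += 1
        if rec["protocol"] == "HTTP/1.0":
            agents[rec["agent"]] += 1
    return by_protocol, agents, skipped

# First line is the one from the question; the rest are constructed samples.
SAMPLE = [
    '46.43.84.214 - - [15/May/2012:11:21:45 +0400] "GET / HTTP/1.0" 200 65859 "2r4k68998q24ay.ru" "Mozilla/4.0 (compatible; MSIE 4.01; Vonna.com b o t)"',
    '192.0.2.10 - - [15/May/2012:11:21:46 +0400] "GET / HTTP/1.0" 200 65859 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Vonna.com b o t)"',
    '198.51.100.7 - - [15/May/2012:11:21:47 +0400] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [15/May/2012:11:21:48 +0400] "GET /health HTTP/1.0" 200 12 "-" "ExampleMonitor/1.0"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    by_protocol, agents, skipped = http10_impact(SAMPLE)
    print("requests per protocol:", dict(by_protocol))
    print("unparsed lines:", skipped)
    for agent, count in agents.most_common():
        print(f"HTTP/1.0 x{count}: {agent}")
```

Any HTTP/1.0 user agent in the output that is not part of the attack, such as the constructed ExampleMonitor client here, would also be cut off by the return 444 rule.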
Solution 2:
This worked for me with Nginx 1.8.
    if ($server_protocol = HTTP/1.0) {
        return 444;
    }
My reason for doing it was different. The Qualys Threat Report detected CVE-2000-0649, "allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request", on my server. I have the liberty of doing this because our site only supports limited browsers.
Solution 3:
Use the right variable: $server_protocol instead of $http_user_agent.