I'm working with an Apache 2.2 server that is receiving lots of requests for content that does not exist on the server (edit: the specific content request changes frequently). It appears to be an attack from someone with access to a large number of hacked websites, because the requests are from vastly different sources and they all started at one time. They are also probing the server for common vulnerabilities like /admin.php etc., peppered throughout the attack.
Example from the access logs:
"Get /picofperson.jpg HTTP/1.1" 404 201 "http://www.somerealwebsiteaddress.com/regular/13/3.html" "Mozilla/3.0 (Windows NT 6.3; WOW)"
Question: What is a good way to mitigate this type of attack, and does this type of attack have a formal name besides DDoS?
I'm currently blocking unusual user agents and requests from specific referrers, but the attack continues to morph.
You didn't mention what web server you are using - please add this information.
If it is Apache, you can use the module mod_evasive, which is designed for coping with distributed denial of service attacks (DDoS attacks).
It offers the possibility to block access automatically for IP addresses that are accessing the same URLs over and over again, depending on various configurable parameters.
See here for a short overview: http://www.zdziarski.com/blog/?page_id=442
This is an example configuration: https://www.linode.com/docs/websites/apache-tips-and-tricks/modevasive-on-apache
And here are some hints for use with fail2ban: http://briansnelson.com/Howto_install_mod_evasive_with_fail2ban
You should be careful about locking out legitimate clients that show DDoS-like behavior, like scripts regularly accessing the server for some checks or similar (those can be whitelisted).
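To see how a per-IP threshold with a whitelist behaves on traffic like the log line in the question, here is an added example (not part of the answer and not mod_evasive's own logic): a simplified offline analogue that counts 404 responses per client IP in a sliding window. It assumes Apache's combined log format with the client IP and timestamp in front of the request; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: IP, identity, user, [time], "request", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def flag_404_bursts(lines, threshold=5, window_seconds=10, whitelist=()):
    """Return {ip: time at which the IP first reached `threshold` 404s in the window}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of 404s still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparsable line, or not a request for missing content
        ip = m["ip"]
        if ip in whitelist or ip in flagged:
            continue  # known-good client, or already reported
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop misses that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = ts
    return flagged

def _line(ip, sec, path, status):
    # Builds one constructed sample line (documentation-range IPs, made-up date).
    return (f'{ip} - - [10/Oct/2015:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 201 "http://www.somerealwebsiteaddress.com/regular/13/3.html" '
            f'"Mozilla/3.0 (Windows NT 6.3; WOW)"')

SAMPLE = (
    [_line("203.0.113.7", s, f"/pic{s}.jpg", 404) for s in range(6)]     # burst of misses
    + [_line("198.51.100.9", s, "/healthcheck", 404) for s in range(6)]  # monitoring script
    + [_line("192.0.2.44", s * 9, "/admin.php", 404) for s in range(6)]  # slow, under threshold
    + [_line("192.0.2.80", s, "/index.html", 200) for s in range(6)]     # normal traffic
)

if __name__ == "__main__":
    for ip, when in flag_404_bursts(SAMPLE, whitelist={"198.51.100.9"}).items():
        print(ip, "reached the threshold at", when.isoformat())
```

Without the whitelist entry the monitoring script is flagged as well, which is the lockout risk mentioned above; the slow client never reaches the per-IP threshold.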