
DoS or too much INVALID traffic

11 replies
questccg
Joined: 04/16/2011

Please be aware that as of today around 5:00 PM EST, I've found that the website has been behaving rather BADLY.

I don't know if this is a "Denial of Service" type of attack ... But it looks like we are getting a lot of INVALID "login attempts".

I tracked one of them down to a BOT that uses a LOT of bandwidth each and every month and have BLOCKED its activity to the website.

But while this seemed to rectify the situation A BIT... There are addresses for which I cannot resolve the HOSTNAME, giving me an invalid IP or name, which may be a part of a DoS attack.

Please be patient while I examine the traffic and the errors and see if there are any additional reasons for BOT or other IPs trying to access the website through invalid channels.

Many thanks.

questccg
Joined: 04/16/2011
Also ...

I found another BOT which has been monopolizing time for over 1:30 (One hour and a Half) in terms of time spent asking for pages. I blocked that BOT as well because it looks to be taking up WAY TOO MUCH SERVER time.

I've found two (2) other culprits ATM. But both return invalid HOSTs... And so they may be related to Hacking or a DoS, not sure ATM.

I'm looking into matters further. For now, another MASSIVE HOG of a BOT has been disabled.

Keeping you all abreast of my findings.

Sincerely.

pelle
Joined: 08/11/2008
Can't you block some

Can't you block some IP-ranges that the bots are using? Or set up something like fail2ban?

X3M
Joined: 10/28/2013
When it happened

I did see this happening. I was in my nightshift.
I used my mobile, thought wifi didn't work.
Then I used the "fun" pc in our control room. I know it uses the same port.
Both mobile and that pc had trouble with only BGDF.
The rest worked.

So, I thought, maybe a company policy got implemented on that internet too.
Went to the lab, that pc has its own port.
Same issue. But I could get in when you fixed 1 problem.
It was very slow. And I decided to wait and see.

"Good morning"

questccg
Joined: 04/16/2011
I just BAN the BOT

pelle wrote:
Can't you block some IP-ranges that the bots are using? Or set up something like fail2ban?

It's much easier to just BAN the BOT ... Obviously once you know which one is acting up "badly". It was some kind of SEO BOT... Something NEW. Because I have a list of BOTs and how much bandwidth they take. This NEW BOT was unlike any of the others... Kept hammering the website with requests... That's why I thought it MIGHT be a "DoS" attack.

Anyhow two (2) BOTs with HUGE Bandwidth usage have been BANNED from crawling the website. This assumes that BOTH BOTs are "Good" BOTs and respect the instructions given to them.

Today the website seems BETTER ... But I will look into "yesterday's traffic" log to see the end results.

Cheers.

X3M
Joined: 10/28/2013
Perhaps it is time

To consider a new forum.
Might as well get more options.

And as always, a Discord server would do nicely as well.
It has forums as well, these days.

questccg
Joined: 04/16/2011
No worries...

I got some help from Matthew from "Black Oak Games" (Kudos Matthew!) and I was able to fix one of the primary errors for the website. It's got to do with some syntax which is different from PHP 5.3 and PHP 5.4 which we are currently on.

So there are a few areas where this is a PROBLEM... I will be trying out more areas of the website during this week and hopefully get all the cob-webs out of the way and have a much happier website.

Note that I'm still seeing a bunch of illegal attempts to LOGIN and to access pages reserved for users (like the login page and the registration page).

I'm still working on the known errors and trying to beef-up the solidity under PHP 5.4 ... So no worries ... Will be looking into that over the next few days.

Cheers all... And it's good that Drupal is written in PHP and I am familiar with PHP coding. I'm no PRO but I can Google and see examples of errors and see what needs fixing (in comparison and understanding the nature of the error).

In this first case, I needed to use a "temporary variable" and pass that variable into the function as a PARAMETER. Nothing FANCY or COMPLICATED. Just a SYNTAX issue in 5.4.

Weird stuff like that SO FAR. Cheers!

Note #1: Fixed another complaining PHP File with the referencing error (similar: had to break it down again into a few vars).

Note #2: Fixed yet another PHP File with the SAME error. So the count is at "3" and everything looks to be good. The performance of the website seems to be operating better as well (response time).

I do have another PHP ERROR but it's more complicated ... I will research this tomorrow and see IF I can fix this error too. It's got to do with OOP and I'm not sure all the CODE is in ONE (1) File. TBD... Tomorrow.

questccg
Joined: 04/16/2011
All it took was a BIT of "patience"

Looks like I SOLVED the remaining ERROR which was passing a variable by reference and the method it was overloading was NOT doing this. So basically an ampersand ("&") extra in the code which had to be removed ... And the LAST issue is SOLVED!

As always thank you for your patience as I navigate the FILES and ERRORS.

Yes there are still some "Hacker Bots" out-there that keep trying to do BS like instantiate objects or get access to the Re-captcha Module ... But for now I don't see ANY additional problems that need FIXING.

Hopefully the website will operate more SMOOTHLY now that the various issues have been all resolved one-at-a-time.

Cheers all.

Note #1: While browsing the website... I found yet ANOTHER Error of type #2 (OOP extra "&") and fixed it too. There may be more but for now I'll wait until tomorrow to do more site-wide checking.

questccg
Joined: 04/16/2011
Found a 3rd BOT causing all kinds of login attempts

I disabled YET ANOTHER BOT! Looks like another BOT with the goal of stopping Plagiarism in Schools was BANGING the website with some Hacker-like attempts to do something not legal with BGDF.com.

Anyhow I added the BOT such that yet another BOT quiets down and stops banging BGDF.com.

Cheers.

questccg
Joined: 04/16/2011
Error 406 - Not Acceptable

I also managed tonight to get another "3 Rules" to be whitelisted by Mod_Security Module in PHP. They've been fine-tuning and users of BGDF.com should have less and less trouble with general TYPING, SENTENCES, SYNTAX, PUNCTUATIONS, etc. So I was told that in one paragraph there were multiple Mod_Security violations.

All we're doing is typing in text and writing sentences... So Mod_Security is monitoring any attempt to compromise the security of BGDF.com.

Glad that my Hosting Company was able to HELP tonight!

Cheers and Kudos.

questccg
Joined: 04/16/2011
Some additional areas that needed some fixing

In an administrative capacity one of the configuration modules uses arrays that are not always 'indexable'. This has been causing some error even though the DATABASE has default values for all these columns. So basically the code is NOT all that CLEAN but is failsafe-proof due to how the database table was built (with proper default values on all of the columns).

Will need to look into the error, I fixed 1/3 of the issues ... Need to fix a couple of the other array indexes which are also not returning anything.

I will look into this tomorrow afternoon.

That's it from me tonight... I will check-back as I FIXED a TON of errors in the array indexing for one specific module (BLOCKS). Cheers!

questccg
Joined: 04/16/2011
I finally contacted Semrush about their BOT

And basically what they told me was to "disable" another BOT that is used for SEO and Technical crawling. I've added the instructions to the "Robots.txt" file and await to see if this BAD BEHAVING Bot is finally instructed to STOP "Banging" on BGDF.com every couple of minutes with about 25 hits per shot...

Again I'll see if this FIXES the problem or not!
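
Added example, not part of any post in this thread: one way to check from the web server's access log which crawlers consume the most bandwidth, which arrive in bursts like the "25 hits per shot" described above, and which addresses keep posting to the login page. It assumes the combined log format and Drupal's default `/user/login` path; the log lines, the bot name `ExampleSEOBot` and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip, timestamp, method, path, status, size, user agent.
LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-) "[^"]*" "([^"]*)"')
LOGIN_PATH = "/user/login"  # assumption: Drupal's default login path

def make_sample():
    """Constructed log lines (documentation IP ranges, made-up bot name)."""
    lines = [f'198.51.100.9 - - [10/Mar/2024:17:00:{s:02d} +0000] '
             f'"GET /node/{s} HTTP/1.1" 200 4000 "-" "ExampleSEOBot/1.0"'
             for s in range(25)]
    lines += [f'203.0.113.50 - - [10/Mar/2024:17:01:{s:02d} +0000] '
              f'"POST {LOGIN_PATH} HTTP/1.1" 200 900 "-" "-"' for s in range(6)]
    lines.append('192.0.2.10 - - [10/Mar/2024:17:02:00 +0000] '
                 '"GET /forum HTTP/1.1" 200 7000 "-" "Mozilla/5.0"')
    lines.append("truncated or malformed line")
    return lines

def summarize(lines, burst=20, login_limit=5):
    """Return (per-agent totals, agents with >= `burst` hits in one minute,
    IPs with >= `login_limit` POSTs to the login path)."""
    per_ua = defaultdict(lambda: {"hits": 0, "bytes": 0})
    per_minute = defaultdict(int)   # (user agent, minute) -> hits
    logins = defaultdict(int)       # ip -> POSTs to LOGIN_PATH
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that do not parse
        ip, ts, method, path, _status, size, ua = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        per_ua[ua]["hits"] += 1
        per_ua[ua]["bytes"] += 0 if size == "-" else int(size)
        per_minute[(ua, when.replace(second=0))] += 1
        if method == "POST" and path.split("?")[0] == LOGIN_PATH:
            logins[ip] += 1
    bursty = sorted({ua for (ua, _), n in per_minute.items() if n >= burst})
    login_ips = sorted(ip for ip, n in logins.items() if n >= login_limit)
    return dict(per_ua), bursty, login_ips

if __name__ == "__main__":
    totals, bursty, login_ips = summarize(make_sample())
    for ua, t in sorted(totals.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f'{t["bytes"]:>8} bytes {t["hits"]:>4} hits  {ua}')
    print("bursty agents:", bursty)
    print("repeated login POSTs from:", login_ips)
```

Because robots.txt only binds crawlers that honor it, rerunning the tally on the next day's log shows whether a banned bot actually stopped.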
