
This is a first for me. One of the sites I run was recently attacked. Not at all an intelligent attack - pure brute force - hit every page and every non-page with every extension possible. Posted with garbage data to every form and tried to post to some random urls too. All told, 16000 requests in one hour.

What should I do to prevent/alert this kind of behavior? Is there a way to limit the request/hr for a given ip/client?

Is there a place I should be reporting the user to? They appear to be from China and did leave what seems like a valid e-mail.

chrishomer
  • @Luke - This is really a mix between configuration and coding practices. –  May 08 '10 at 16:17
  • Where they appear to be from, and the email they gave you, are unlikely to be...useful (read: real) pieces of information. :) (Also voting to move to serverfault; good luck!) – T.J. Crowder May 08 '10 at 16:17


What type of software are you running on your site? Are these comment fields custom built, or some popular software package? Most popular packages have plugins to help defeat (known) spambots. If it's custom built, adding a CAPTCHA would definitely help cut down on spam.

Furthermore, if you know the "user's" IP, block it from your site (if you have that ability) and report it to your webhost (assuming you are hosted by a remote company.) Your host will (read: should) be glad to block 16,000 extra requests. Especially if you're on a shared host, as it may impact the performance of their other customers.

Robbie

First, try to find out what they did. Did they manage to inject code or SQL? Did they modify your DB? Did they get access to data to which they shouldn't have access?

Your description sounds like they did only some random "attacks" without doing real harm. In that case, try to set up a defense for those attacks against which you were not secured yet. So arm your forum with some captchas.

Prevent: captchas can help. There are also tools which check your website against some security problems. You may want to use such a tool.

Alert/Limit: depends on the environment and your hoster. You can always add an IP check to your pages and simply return an access denied for specific IPs, but a) I guess the IP will not be fixed and next time someone innocent will get the IP, and b) there are often several users behind one IP (company proxies). So blocking an IP doesn't seem to be a good idea.

rdmueller

If you're using Linux, 'iptables' allows you great freedom in choosing a policy for throttling new connections from IP addresses or IP address ranges. Try:

# Added rule: accept packets of already-established connections first, otherwise the
# DROP rule below also kills connections that were accepted earlier.
iptables -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow at most 120 new connections per minute to port 80 (a global limit, not per source IP).
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 120/minute -j ACCEPT
# Anything to port 80 that did not match above (new connections over the rate) is dropped.
iptables -A INPUT -p tcp --dport 80 -j DROP

Charles Stewart

I do think blocking the IP is a good idea. Captcha may prevent spam, but 16000 requests per hour increases server load a lot.

If the attack originated from a limited range of IPs then I would just simply block all of them in iptables. Then unblock them a week later.

Lamnk

If you don't have it already, ensure your site is logging IPs. You can do a free IP WHOIS at www.dnstuff.com to see where IANA thinks the IP address originates. In many cases it also provides the registrar or ISP for the IP address, and you can contact them directly to report it.

Obviously you can temporarily block the IP address; the only problem with that is that so many ISPs use DHCP addresses that even though the attacker has that IP today, it could be different tomorrow, and more importantly a legit user may get the blocked IP.

Where is your site hosted? If the attack took place within a short period of time, say 10 minutes, it should have triggered a DDoS alarm somewhere, since the normal volume of the site is probably not that many requests in that short a time period. Devices like the ones Barracuda makes are designed to essentially block those requests when they come in too fast. IIS also has a similar feature where if too many requests arrive at the same time it will think it is being attacked, and in many cases will dump the connections. Many SharePoint search installations have this problem because the search indexer requests a lot of stuff very quickly.

Hopefully this helps a bit or gives you some ideas as to what to look at. You can add CAPTCHA and other stuff to the site, but in the end attacks like this come down to TCP/IP and devices that recognize an attack and prevent or kill it; your website can only do so much to protect itself.

Brent Pabst
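As an added example (not from any answer on this page), here is one way to turn the access log Brent mentions into the alert the question asks for: count requests per client IP over a sliding one-hour window and flag clients that exceed a threshold or whose responses are mostly 404s, which is what hitting "every non-page with every extension" looks like in a log. The log format, thresholds, and the sample lines below are assumptions; the IPs are from the RFC 5737 documentation ranges, not real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line: client IP, [timestamp], "request", status code.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skip it rather than crash on it
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "req": m.group("req"), "status": int(m.group("status"))}

def find_abusive_ips(lines, max_per_window=600, window_s=3600, min_404_ratio=0.5):
    """Return {ip: (peak requests in any window_s-second window, share of 404s)} for IPs
    over max_per_window in some sliding window or mostly hitting pages that do not exist.
    Lines are expected in chronological order, as a normal access log is."""
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    peak, total, not_found = defaultdict(int), defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop timestamps outside the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        total[ip] += 1
        not_found[ip] += rec["status"] == 404
    flagged = {}
    for ip in total:
        ratio = not_found[ip] / total[ip]
        if peak[ip] > max_per_window or (total[ip] >= 20 and ratio >= min_404_ratio):
            flagged[ip] = (peak[ip], round(ratio, 2))
    return flagged

def make_log(ip, start, n, step_s, path, status):
    # Constructed sample lines (placeholder IPs from RFC 5737 test ranges, not real traffic).
    return [f'{ip} - - [{(start + timedelta(seconds=i * step_s)).strftime(TS_FMT)}] '
            f'"GET {path.format(i)} HTTP/1.1" {status} 512' for i in range(n)]

START = datetime(2010, 5, 8, 15, 0, tzinfo=timezone.utc)
# 700 probes of non-existent pages in 35 minutes versus 30 ordinary page views in an hour.
SAMPLE_LOG = (make_log("203.0.113.7", START, 700, 3, "/page{}.asp", 404)
              + make_log("198.51.100.20", START, 30, 120, "/index.html", 200))
```

Feed it real lines with `find_abusive_ips(open("access.log"))` and act on the flagged IPs with a temporary block or a report to the ISP, as the answers above suggest.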