
About two months ago a site of mine started getting some sort of attack, and after further investigation I found it to be botnet zombies and something else which I can't figure out.

My site is not e-commerce, wasn't popular and has nothing that anyone would want. In Google Analytics, it went from 800-1000 visits/day to 100k plus/day.

The first round of attacks stopped, and when it did it stopped gradually. So it went from 100k-50k-30k-10k-5k-1k/day and finally back to normal. The strange part is that it is so spread out that it would be impossible to block the IPs, as there are thousands upon thousands. 90% is from the U.S., and it's all coming from users with Internet Explorer, versions 6, 7, 8. There are absolutely no similarities in IP blocks that would stand out.

It started again about 3 weeks later and this time stayed extremely steady. I started using Cloudflare Pro in order to route the traffic through their DNS and be able to see the attacks and what they were doing more simply.

I blocked all countries from which attacks were coming besides the U.S., since it's my audience.

I'm totally lost as to why this immense amount of U.S. traffic that looks real continues to come to my site. The average time on site is 8-10 seconds, but I filter out bounce visits and the average time is 2 minutes+ from the mystery traffic. I've contacted my hosting provider many times and they have worked with me a great deal to try and figure this out, and they can't either.

Bottom line is the traffic looks real, but it's not. Any help or advice would be greatly appreciated.

Tom O'Connor
Bernard
    The site is on its own box and since my host can't figure it out I figured I would ask here. – Bernard Jul 22 '11 at 16:13
  • No point for being rude. I misspelled it - It is called [Department of Homeland Security](http://www.dhs.gov/files/reportincidents/cybersecurity.shtm). This is something that needs to be done in the internet backbone. – Nils Jul 22 '11 at 20:08
  • Still out there? Did you contact the proper authorities about this yet? – Nils Aug 05 '11 at 20:13

1 Answer

You might consider getting a new IP assignment; that may help if the attacks are targeted at the IP, and possibly at someone who had the assignment prior to you.

Also, if you are on a shared hosting platform, it may not even be targeted at you specifically - maybe it's towards a neighbor on the same system?

user48838
  • I got brand new IPs ordered/changed and it's on a dedicated box. The new IPs did nothing. – Bernard Jul 22 '11 at 16:12
  • Any chance the new IPs are on a similar block as the original IP? Any patterns whatsoever from the access logging? – user48838 Jul 22 '11 at 17:14
  • I doubt bot-nets target IPs. They probably target name-patterns. – Nils Jul 22 '11 at 20:38
  • Hmmm... Is that a statement from experience or firsthand information? – user48838 Jul 23 '11 at 03:17
  • Let's call it an educated guess. Imagine you were running a bot-net. Now you want to drive a DoS against some major site. It will not help blocking a single IP, since these sites normally use DNS-RR for a lot of servers. So instead you have to target the NAME of the site. Your 300+ bot-net-servers will hammer all IPs associated with that name that way. – Nils Aug 05 '11 at 20:10
  • That's just one approach where there is a reason to target a particular name vs. a range of IPs or even a specific IP. The point being there are multiple approaches and unless you are the attacker, your guess is as good as the next non-attacker. – user48838 Aug 05 '11 at 22:25
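As an added example, not code from the original poster, the host, or Cloudflare: a small Python triage script over Apache/nginx "combined"-format access logs that checks the things raised in the question and in the "any patterns from the access logging?" comment above. It measures how spread out the client IPs really are across /24 prefixes (and how much traffic the top prefixes would cover if blocked), the share of requests claiming IE 6/7/8, how many arrive with no Referer, and which clients fetch only the HTML document without any CSS/JS/image assets, which a real browser rendering the page would load. The log lines are constructed (RFC 5737 documentation addresses), and the document-only heuristic, the asset extension list and the top-N figures are assumptions for illustration.

```python
"""Access-log triage for suspected botnet traffic (added example, not the
original poster's data or tooling).  Run it as-is to see a report on the
constructed sample, or feed real log text to parse_log()."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of sub-resources a real browser would fetch after the document.
ASSET_EXT = ('.css', '.js', '.png', '.gif', '.jpg', '.ico')
LEGACY_IE = ('MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0')

# Constructed sample (RFC 5737 documentation ranges), not the poster's logs.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jul/2011:15:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.11 - - [22/Jul/2011:15:01:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.7 - - [22/Jul/2011:15:01:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
203.0.113.5 - - [22/Jul/2011:15:01:05 +0000] "GET / HTTP/1.1" 200 5120 "http://www.google.com/search?q=example" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"
203.0.113.5 - - [22/Jul/2011:15:01:05 +0000] "GET /style.css HTTP/1.1" 200 800 "http://example.invalid/" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"
203.0.113.5 - - [22/Jul/2011:15:01:06 +0000] "GET /logo.png HTTP/1.1" 200 2400 "http://example.invalid/" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"
192.0.2.12 - - [22/Jul/2011:15:01:07 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Parse all well-formed lines of a log; malformed lines are dropped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def prefix_concentration(records, prefix_len=24, top_n=3):
    """Group requests by /prefix_len network.

    Returns (number of distinct prefixes, share of all requests that the
    top_n busiest prefixes account for).  A share near 1.0 means a short
    block list would work; a share near 0 with many prefixes confirms the
    "thousands of unrelated IPs" picture from the question."""
    counts = Counter()
    for r in records:
        try:
            net = ip_network(f"{r['ip']}/{prefix_len}", strict=False)
        except ValueError:
            continue  # skip unparsable addresses rather than abort the run
        counts[str(net)] += 1
    total = sum(counts.values())
    top = sum(n for _, n in counts.most_common(top_n))
    return len(counts), (top / total if total else 0.0)


def legacy_ie_share(records):
    """Fraction of requests whose User-Agent claims IE 6, 7 or 8."""
    hits = sum(1 for r in records if any(v in r['ua'] for v in LEGACY_IE))
    return hits / len(records) if records else 0.0


def no_referer_share(records):
    """Fraction of requests that arrived with an empty ("-") Referer."""
    return (sum(1 for r in records if r['referer'] == '-') / len(records)
            if records else 0.0)


def document_only_clients(records):
    """IPs that never requested a CSS/JS/image asset (assumed bot heuristic)."""
    paths = defaultdict(set)
    for r in records:
        paths[r['ip']].add(r['path'].split('?', 1)[0].lower())
    return sorted(ip for ip, ps in paths.items()
                  if not any(p.endswith(ASSET_EXT) for p in ps))


def report(records):
    """Collect the aggregates into one dict (returned, so callers can assert on it)."""
    prefixes, top_share = prefix_concentration(records)
    return {
        'requests': len(records),
        'distinct_ips': len({r['ip'] for r in records}),
        'distinct_24s': prefixes,
        'top3_24_share': round(top_share, 3),
        'legacy_ie_share': round(legacy_ie_share(records), 3),
        'no_referer_share': round(no_referer_share(records), 3),
        'document_only_clients': document_only_clients(records),
    }


if __name__ == '__main__':
    for key, value in report(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample, four of seven requests claim legacy IE, the same four carry no Referer, and the four IPs that sent them never fetched an asset, while the one Firefox client that arrived from a search result loaded the CSS and image; that is the kind of split worth looking for before deciding whether a UA-based or asset-based rule at the edge (or in Cloudflare) would separate the bot traffic from real visitors.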