3

I have a small games site with 400 members (~50 active) built around a MySQL database. I'm the sole developer, and I'm an amateur, so I make my fair share of mistakes.

To help protect myself, the site, and my members' contributions I have the server set up to die hard with a plain text "we've experienced an error" message and auto-email me the PHP error information.

Of course this would never work in a corporate environment, much too heavy-handed, but my members are understanding since we've grown the site together and I have personal relationships with most of them. They're also generally technically unsavvy old men, which means fail-soft situations would be confusing for them.

The site also uses PDO, everywhere.

/backstory complete

I woke up this morning to 90 error emails. Unusual!

All of which were triggered in a 2 minute window... most unusual!

The error messages were things like

PDOStatement::execute() expects parameter 1 to be array, string given

which, having looked at my code, is not possible without outside interference.

So I go grab my traffic logs and find that IP 219.117.193.20 based out of Tokyo is hammering my site with requests like:

GET /search.php?type=basic%20AND%201%20=%201

the first bit of that: GET /search.php?type=basic is valid and listed in the main nav. Everything else (s)he (it?) is appending.

Looks like a simple Bobby Tables attack.

So that went on for several minutes and 100 or so calls, and then it stopped.

My question to you fine folks is:

Should I bother trying to take any action against this IP?

or is this just the price of visibility and too frequent to be bothered with?

do you ban the IP? the subnet? do you contact the ISP?

Just curious what professional server admins do in these sorts of situations, as I imagine it must happen extremely frequently...?

Ben Pilbrow
Drew
  • About taking action... I tried to do that many times. The result is mostly null. You can ask some RIPE-databases to get an abuse-contact for the network you were attacked from... – Nils Aug 27 '11 at 20:53
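What the asker did by hand ("grab my traffic logs and find that IP ... is hammering my site") can be scripted. The following is an added example, not code from the question or any answer: a small PHP CLI script that reads access-log lines, URL-decodes each query string, flags the ones that look like injection probes, and groups the hits per client IP with the first and last timestamp. The log format (Common Log Format), the keyword patterns, and the sample lines embedded below are all my assumptions; the sample lines are constructed, not taken from the asker's logs, and the script needs PHP 7.1 or later.

```php
<?php
// Added example (not from the original post): triage an access log for the kind of
// probing described in the question.  Log format, patterns and sample lines are
// assumptions made for illustration.

// Constructed sample lines: one legitimate visitor and one probing client.
$sampleLog = <<<'LOG'
203.0.113.7 - - [27/Aug/2011:09:41:02 +0000] "GET /search.php?type=basic HTTP/1.1" 200 5120
219.117.193.20 - - [27/Aug/2011:09:42:10 +0000] "GET /search.php?type=basic%20AND%201%20=%201 HTTP/1.1" 500 87
219.117.193.20 - - [27/Aug/2011:09:42:11 +0000] "GET /search.php?type=basic%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 87
219.117.193.20 - - [27/Aug/2011:09:42:13 +0000] "GET /search.php?type=basic%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 87
203.0.113.7 - - [27/Aug/2011:09:43:30 +0000] "GET /index.php HTTP/1.1" 200 2048
LOG;

// Heuristic patterns that a legitimate query string on this site should never contain:
// "AND x = y" / "OR x = y", UNION SELECT, comment markers, and time-based probes.
const SQLI_PATTERNS = '/\b(and|or)\b\s+\S+\s*=\s*\S+|\bunion\s+select\b|--|\/\*|\bsleep\s*\(/i';

// Parse one Common Log Format line; returns null for lines that do not match.
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4]];
}

// Decide whether a request target looks like an injection probe.  The query string is
// URL-decoded first, so %20AND%201%20=%201 is inspected as "AND 1 = 1".
function looksLikeSqli(string $target): bool
{
    $query = parse_url($target, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return false;
    }
    return preg_match(SQLI_PATTERNS, rawurldecode($query)) === 1;
}

// Group flagged requests by client IP: count, first/last timestamp, decoded samples.
function triage(string $log): array
{
    $byIp = [];
    foreach (explode("\n", $log) as $line) {
        $req = parseLine($line);
        if ($req === null || !looksLikeSqli($req['target'])) {
            continue;
        }
        $ip = $req['ip'];
        if (!isset($byIp[$ip])) {
            $byIp[$ip] = ['count' => 0, 'first' => $req['time'], 'last' => $req['time'], 'samples' => []];
        }
        $byIp[$ip]['count']++;
        $byIp[$ip]['last'] = $req['time'];
        $byIp[$ip]['samples'][] = rawurldecode($req['target']);
    }
    return $byIp;
}

foreach (triage($sampleLog) as $ip => $info) {
    printf("%s: %d probe(s) between %s and %s\n", $ip, $info['count'], $info['first'], $info['last']);
    foreach ($info['samples'] as $sample) {
        echo "    $sample\n";
    }
}
```

Run it with `php triage.php` (or swap the nowdoc for `file_get_contents('/var/log/apache2/access.log')`). The patterns are deliberately narrow: the point is to separate a burst like the one in the question from ordinary traffic, not to build a WAF, so expect to tune them against your own query strings before trusting the output.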

4 Answers

6

It's the price of fame. Every once in a while someone will try something against pretty much every site (I see a scan for vulnerable versions of phpMyAdmin every couple of days, for example). Since the machines involved are almost exclusively zombied end-user machines, "taking action" against them is useless (any sort of "active countermeasure" is, of course, completely wrong, but even trying to report the infected machine to the owner is almost certainly futile).

Make sure your site is secure, and just move on with your day.

womble
3

Since you are also the developer, you might consider coding an appropriate error handler to ignore and/or maybe even trigger a "tar pit" response/handling.

user48838
2

First thing you want to do is validate EVERY input that you receive and fully parametrize every query that you pass into the database. This way the SQL Injection attack won't be successful.

As @womble said trying to ban the IP or subnet is worthless. Odds are the person running the attack isn't even on that IP anyway. They'll just switch to another zombie and keep at it.

Secure everything and be done. The attacks will fail, they will get bored and move on.

mrdenny
0

You could try to protect your web-site using a self-generated client key. Distribute that key only to your members and refresh it every year.

Drawback: You will probably have to explain how to install and use that key in all kinds of web browsers...

A more simple approach might be a protection using .htdigest password protection of your server.

Nils