They attack the site from thousands of different IPs. How to protect?
Faced with an extraordinary task for me.
A couple of days ago, traffic to the site (.ru) began to grow strongly. At first I was delighted, but after looking at the viewing depth and the hourly visit schedule, I realized that I was somehow being attacked.
Several times a day, for about an hour, there is a peak of unique visitors 3-4 times higher than ordinary traffic. For example, usually there are about 500 uniques per hour, while at the peak of the attack there are about 2000 uniques per hour! And it's not DoS. The interval between spam hits from one IP is a few seconds at the peak, and when they are disguised as regular traffic it can reach several tens of seconds.
The site engine is self-written. Everything is logged. So I considered it an ordinary task, one I had done many times before, and dug in to understand and catch the villain by the usual signs. But no such luck...
So, the picture. Thousands of visitors with unique IPs from real, normal subnets from all over Russia (cellular operators, various telecoms, etc.). Normal HTTP_USER_AGENT and HTTP_REFERER. Only by a general analysis over a whole day is it possible to determine that something is wrong, and even then by eye.
For example, within an hour there can be several visits from one IP with different HTTP_USER_AGENT values but from the same search engine. Or vice versa: the same HTTP_USER_AGENT from different IPs.
None of the PHP server variables (HTTP_X_FORWARDED_FOR, HTTP_X_REAL_IP, etc.) reveal a proxy.
With deeper analysis I managed to find several signs to block on, and it seems I am fighting off most of the spam traffic so far. But these signs are more a minor omission on the attacker's part than my achievement. If the attacker corrects them, I will no longer be able to identify a spam hit. The only sign left is one or two page views and that's it. But that only becomes clear after the fact, and it does not allow identifying a spammer with 100% certainty.
I assume that the purpose of these attacks is to raise the site's bounce rate, which is one of the ranking parameters in search engines.
Questions:
1. Who has any thoughts, why is this at all?
2. How is it done? (a huge number of normal IPs)
3. How to win?
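The three log signs the question describes (several user agents from one IP within an hour, one user agent spread across many IPs, and sessions of only one or two page views) can be scored mechanically. The script below is an added example, not code from the question's site; it assumes a constructed "timestamp|ip|user_agent|path" log format, since the question does not show the real one, and reports only IPs that carry more than one sign, because a lone short session is an ordinary bounce.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp|ip|user_agent|path" format
# (the question does not show the site's own log layout).
SAMPLE_LOG = """\
2024-03-01T10:00:05|10.0.0.1|Mozilla/5.0 (Windows NT 10.0) Chrome/122|/
2024-03-01T10:00:09|10.0.0.1|Mozilla/5.0 (Windows NT 10.0) Chrome/122|/news
2024-03-01T10:00:11|10.0.0.1|Mozilla/5.0 (Windows NT 10.0) Chrome/122|/news/42
2024-03-01T10:01:00|10.0.0.2|Mozilla/5.0 (Linux; Android 13) Chrome/120|/
2024-03-01T10:12:00|10.0.0.2|Mozilla/5.0 (iPhone; CPU iPhone OS 17) Safari/604|/news
2024-03-01T10:02:00|10.0.0.3|Mozilla/5.0 (X11; Linux x86_64) Firefox/123|/
2024-03-01T10:02:30|10.0.0.4|Mozilla/5.0 (X11; Linux x86_64) Firefox/123|/
2024-03-01T10:03:00|10.0.0.5|Mozilla/5.0 (X11; Linux x86_64) Firefox/123|/
"""

def parse_log(text):
    """Parse the assumed pipe-separated format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        ts, ip, ua, path = line.split("|", 3)
        rows.append({"ts": datetime.fromisoformat(ts), "ip": ip, "ua": ua, "path": path})
    return rows

def flag_suspicious(rows, window=timedelta(hours=1), shared_ua_min=3, max_views=2):
    """Map ip -> set of signs: 'multi_ua' (several UAs from one IP inside one
    window), 'shared_ua' (one UA seen from many IPs), 'shallow' (<= max_views hits)."""
    by_ip, ua_to_ips = defaultdict(list), defaultdict(set)
    for r in rows:
        by_ip[r["ip"]].append(r)
        ua_to_ips[r["ua"]].add(r["ip"])
    flags = defaultdict(set)
    for ip, hits in by_ip.items():
        hits.sort(key=lambda r: r["ts"])
        for i, h in enumerate(hits):  # distinct UAs within `window` after each hit
            if len({x["ua"] for x in hits[i:] if x["ts"] - h["ts"] <= window}) > 1:
                flags[ip].add("multi_ua")
        if any(len(ua_to_ips[h["ua"]]) >= shared_ua_min for h in hits):
            flags[ip].add("shared_ua")
        if len(hits) <= max_views:
            flags[ip].add("shallow")
    return dict(flags)

def suspects(flags, min_signals=2):
    """Only IPs with several independent signs; a lone 'shallow' is a normal bounce."""
    return sorted(ip for ip, s in flags.items() if len(s) >= min_signals)

if __name__ == "__main__":
    print(suspects(flag_suspicious(parse_log(SAMPLE_LOG))))
```

On the constructed sample, 10.0.0.1 (three pages, one user agent) is left alone, while 10.0.0.2 (two user agents in eleven minutes) and 10.0.0.3-5 (one shared user agent, one page each) are reported; thresholds are parameters so they can be tuned against a day of real traffic before anything is blocked.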
This is a DDoS (Distributed Denial of Service) attack.
Incredibly old technology and incredibly effective.
1. Who has any thoughts, why is this at all?
There are several purposes for using DDoS. One of the main ones is taking down the victim's site or infrastructure because the server lacks the resources to process the requests.
There is also an interesting way to cover up a hacker's real activity with DDoS.
Also, I can't find it now, but there was an article on Habr about a hack using DDoS. There, at some point just before the crash, the server had not yet gone down but had stopped filtering requests normally. Right before the crash a malicious request was sent, and it succeeded.
2. How is it done? (a huge number of normal IPs)
The classic approach requires three entities:
First - Attacker
Second - Botnet
Third - Victim
Perhaps your competitors ordered "visit boosting" from something like bidvertiser, i.e. cheap surfing at 0.0001 kopecks per click-through.