  1. #1

    Website attack, what's up with that?

    I've been dealing with some kind of attack on our website for the last few days, both on my own and with my webhost. It began on the 30th of Sept with a massive spike in traffic, so much so that the host had automatically suspended me two days later for going over my bandwidth (I used 9 GB in two days). Looking at the logs I see thousands of these requests (from various IPs):
    95.227.220.210 - - [05/Oct/2013:07:45:42 -0700] "POST / HTTP/1.1" 200 35505 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    We limited all POST activity for a day and a half (through .htaccess); I had also found somewhere a solution involving blocking the user agent ID (they're all identical) using iptables rules, but the host was hesitant for fear of blocking legit users to the rest of the server. The offending traffic has been slowing down since yesterday, and the POST block was not allowing clients to interact with the site at all, so I asked to remove the statement in .htaccess & the host figured it was OK.
    So what was happening? What's going on when this kind of attack happens, what's it called & what is the goal? I have very limited knowledge on anything to do with hosting, but this event has alerted me to the threats out there, so I would like to know more. Is there anything I can do on my side (in .htaccess for example) to prevent this? Whatever they were trying to do hasn't affected my website (I'm in the process of doing a folder comparison to my backup), so will they just give up? Any input is appreciated!

  2. #2
    Join Date
    Jun 2011
    Posts
    2,286
    Are you running any software on your account such as phpBB, WordPress, etc.?

  3. #3
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,153
    What you're experiencing is an HTTP POST flood, which is a layer 7 DDoS attack. Its purpose is to overload your server by keeping the PHP processes busy.

    To block this, you can use a small script called BARF, which you can download here: http://www.r00t-services.net/scripts/barf_iptables.zip

    If the size of the attack increases or you're unable to block it with the script provided, your best bet would be getting DDoS protection from one of the various providers that include layer 7 filtering.
    Inbound Marketing & real SEO for web hosting providers
    ✎ Get in touch with me: co<at>infinitnet.de

  4. #4
    @Ethernet Servers
    The site is a ZenCart-based shopping cart, no WordPress or forum.
    @infinitnet
    Is the script something I install in my folders or is it done by the host on his side?
    So the point of the attack was just to slow down the server in general? Is there anything I should be looking for while checking my own site for 'damage'?

  5. #5
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,153
    @roodney: That's something that has to be done directly on the server, so I guess your hosting provider should take care of this.

    The purpose of this attack is only to bring down your website / make it unavailable. Most likely it's a competitor who doesn't want to have you in business (only assuming this, as you mentioned ZenCart). As long as your website is still online and your sales didn't drop, you don't have to worry about this, as this means the attack isn't strong enough to have the desired effect.

  6. #6
    Well I'm honored that someone thinks we are large enough competition to attempt this although it seems incredible to me. So I will take this as a compliment.
    @infinitnet
    Other than a script like you suggested, is there anything I can do on my end or am I at the whim of future attacks like this? What are the chances of me hunting them down, going to their house and unplugging their computer? Kidding. Thanks for the info!

  7. #7
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,153
    @roodney: If you don't manage your server yourself (i.e. have root access), you can't really do much about it, except to block the user agent and, in the worst case, POST requests through .htaccess files. Another solution would be to password protect your website using .htaccess and write the login in the description. This would be annoying for your visitors, as they would have to type a user name and password every time they want to visit your website, but it would also block this attack.

    The chances of hunting them down are close to zero, as they're most likely using hacked servers and PCs and it won't be easy to track them from there, even if someone who operates such a compromised machine would be willing to investigate.

    Your best bet to protect yourself from this in the future would be remote DDoS protection, which would automatically detect and block this type of attack without your interaction, downtime, or annoying .htaccess logins.

  8. #8
    You can perhaps cut down on the effectiveness of this attack by limiting the PHP post_max_size setting. Wherever you're allowed to put a php.ini file:

    post_max_size = 500K

    Not a good idea if your site depends on user-generated uploads, but as a temporary measure it could alleviate some of the immediate problem.

    Another quick-fix band-aid: http://httpd.apache.org/docs/trunk/m...ratelimit.html

    Everyone will get a slower experience, but that at least puts your legit users on somewhat equal footing with your attacker.

    I'd say "good luck" but since you've got your host's support on your side, you'll be fine.

  9. #9
    Join Date
    Aug 2011
    Location
    Ottawa, Canada
    Posts
    144
    Remote DDoS protection would do the job.
    I'm not a native English speaker and my writing and (even) understanding of the language is far, far away from fluent.

  10. #10
    I've noticed a slight increase again in the traffic (back up to a GB for today's usage, from 500 MB a couple of days ago), so I added a block by user agent in .htaccess (they are all the same & there is a unique identifier that the majority of my proper traffic doesn't have). Now my logs show a 403 instead of the 200 they were showing before, and the amount of bandwidth consumed is considerably less. So this is the extent of my capabilities, right? I'm guessing our host isn't available until Monday to suggest that script mentioned earlier...

  11. #11
    Join Date
    May 2011
    Posts
    471
    Quote Originally Posted by roodney:
    I'm guessing our host isn't available until Monday to suggest that script mentioned earlier...
    You're kidding, right? Didn't this start yesterday? So you're saying your host can't resolve issues, or provide any level of support, for 48 hours?

  12. #12
    Quote Originally Posted by Mad_matt:
    You're kidding, right? Didn't this start yesterday? So you're saying your host can't resolve issues, or provide any level of support, for 48 hours?
    It started a week ago, then slowed down by mid week and started picking up again today. I'm sure I could get support; it seemed like, the way he left it on Friday, he was not too worried, he figured the server could handle it. Also the traffic had significantly reduced by then; last weekend it was up to 6 GB a day and by Friday it was under 500 MB. He didn't seem too disturbed, not nearly as troubled as I was...

  13. #13
    Oh, and one more question: why are the user agent IDs all the same? What does that mean, if there are thousands of unique IPs being used?

  14. #14
    Join Date
    Sep 2005
    Posts
    169
    Oftentimes attack tools will let you set custom information for the attack, like custom queries and headers. User Agent is one of them; a user agent is easily faked, so your attacker simply input whatever they wanted or used the default, this being IE 6.

    You could actually block this attack if you were okay with denying all IE 6 users access to your site. They'll easily evade it though if they figure out that all they need to do is change the user agent, but they might be too stupid to do so.
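    The pattern described in this post and in post #3 (one fixed User-Agent string on POST / requests arriving from many different IPs) can be confirmed from the access log before touching .htaccess. The script below is an added example, not code from anyone in this thread: it parses Apache combined-log lines in the layout the original post quotes, reports the User-Agent that dominates POST traffic, and emits a mod_rewrite rule that returns 403 only for POSTs carrying that UA, so genuine IE 6 visitors can still browse with GET. The sample log lines, the IP addresses other than the one quoted in the thread, and the thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache combined-log line, same layout as the sample quoted in the original post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

FLOOD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"  # UA quoted in the thread

# Constructed sample log: four POST / hits from four IPs with the identical UA, plus normal traffic.
SAMPLE_LOG = [
    f'{ip} - - [05/Oct/2013:07:45:4{i} -0700] "POST / HTTP/1.1" 200 35505 "-" "{FLOOD_UA}"'
    for i, ip in enumerate(["95.227.220.210", "198.51.100.7", "198.51.100.23", "203.0.113.9"])
] + [
    '198.51.100.50 - - [05/Oct/2013:07:46:01 -0700] "POST /index.php?main_page=login HTTP/1.1" 302 0 '
    '"https://shop.example/" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '198.51.100.51 - - [05/Oct/2013:07:46:02 -0700] "GET /index.php HTTP/1.1" 200 21044 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
]

def parse(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def post_flood_report(lines, min_ips=3, min_share=0.8):
    """Group POSTs by User-Agent and flag a single UA that carries most POST
    traffic from many distinct IPs (the thread's pattern: one UA, thousands of IPs)."""
    ips_by_ua = defaultdict(set)
    posts_by_ua, bytes_by_ua, total = Counter(), Counter(), 0
    for line in lines:
        r = parse(line)
        if not r or r["method"] != "POST":
            continue
        total += 1
        posts_by_ua[r["ua"]] += 1
        ips_by_ua[r["ua"]].add(r["ip"])
        bytes_by_ua[r["ua"]] += int(r["bytes"]) if r["bytes"].isdigit() else 0
    if not total:
        return None
    ua, n = posts_by_ua.most_common(1)[0]
    if n / total < min_share or len(ips_by_ua[ua]) < min_ips:
        return None
    return {"ua": ua, "posts": n, "share": n / total,
            "distinct_ips": len(ips_by_ua[ua]), "bytes": bytes_by_ua[ua]}

def htaccess_rule(ua):
    """mod_rewrite block returning 403 only for POSTs with this exact UA; GETs still pass."""
    return "\n".join(["RewriteEngine On", "RewriteCond %{REQUEST_METHOD} ^POST$",
                      "RewriteCond %{HTTP_USER_AGENT} ^" + re.escape(ua) + "$",
                      "RewriteRule ^ - [F,L]"])
```

Running it over a real access log (one line per list element) gives the dominant UA, its share of POSTs, the distinct-IP count and the bytes it consumed, which is the evidence to hand to the host alongside the generated rule.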

  15. #15
    Join Date
    Jun 2011
    Location
    Indonesia
    Posts
    1,775
    It seems you only got a small attack, only 9 GB in two days.
    I recommend you use Cloudflare; it can reduce bandwidth usage. It would also be better if you moved to another host that is more generous with bandwidth and has better support (you said your host wouldn't be available until Monday; that was a red flag for me. A good host must have 24x7x365 technical support).

  16. #16
    Quote Originally Posted by Jcink:
    You could actually block this attack if you were okay with denying all IE 6 users access to your site. They'll easily evade it though if they figure out that all they need to do is change the user agent, but they might be too stupid to do so.
    I have added this in the .htaccess; now they just get a 403. Thank you for the input everyone, I am looking into Cloudflare too. I kind of like my current host; from what I'm hearing some other hosts would just drop me entirely, but my host wasn't bothered by the overage or extra traffic.
