MSN, Google, Ahrefs Banned For DOS Attack?

Started by levely, January 16, 2015, 12:52:06 PM

levely

Just got an email from a user who was automatically banned from the forum for a DOS attack (Just so happens he shares an IP address with another member who's a programmer and a competitor.) Go figure!

Anyway, I started looking into the ban logs (which have seen little activity in 5 years) and I noticed 4 pages of banned IP addresses over the past 3 weeks. All reasons were listed as DOS attack. I noticed that one IP had 9,200 hits so I decided to look it up and it's an MSNbot. Looked a little further and Googlebot and Ahrefsbot are banned for DOS attack as well.

Even though this seems to be an obvious attack, I'm a newbie in this area. Is this the real deal or could something else be causing this?

It may just be a coincidence, but the first DOS attack was recorded around the same time I moved the forum to Cloudflare.

LiroyvH

I'm wondering if they really are DoS attacks. Moving to CloudFlare probably saw the CloudFlare IPs as causing an attack because it was their servers hitting your site instead of real IPs. (So perhaps you hadn't configured CF yet on the forum? E.g.: see the real IP)

That bots can cause many hits is pretty normal. If the IP range is truly owned by Google/MSN: then it won't really be a DoS attack, just a false positive.

Arantor

I'm actually suspecting it's the Forum Firewall mod having its typical level of paranoid enthusiasm.

levely

I was thinking it might be the firewall as well, but it seems like it's an actual attack...check out the ban log.


Arantor

Those are all CloudFlare IP addresses.

So anything that comes in will come over that IP address range and appear to be an attack when it actually isn't.

Somewhere around here is a tweak that will detect CF and get the real IP address for you.

Night09

One of my sites is hit by a crawler every 7 - 14 seconds. A real DDoS attack will hit it thousands of times a second.

Arantor

I did say something about paranoid enthusiasm? :P

levely

Quote from: Arantor on January 16, 2015, 01:16:36 PM
Somewhere around here is a tweak that will detect CF and get the real IP address for you.

I wasn't able to locate the tweak with search, would anyone be so kind as to point me in the right direction?


levely

I just got this response from Cloudflare support. Seems like they respond super fast if you list DOS attack in the subject of the ticket. Last time I sent a general support ticket, it took 24 hours to get a response. Here is what they said and a link to the mod.

The reason why the attack seems to be coming from CloudFlare's IP range is because
all web requests are proxied through CloudFlare and then passed on to your origin
server thus making it seem like CloudFlare is attacking you.

To restore the original visitor IPs you can install the mod_cloudflare apache mod
which you can find here:
Why should I install mod_cloudflare? -
https://support.cloudflare.com/hc/en-us/articles/200170916-Why-should-I-install-mod-cloudflare-

Arantor

The tip I linked to above does pretty much the same thing.

levely

Quote from: Arantor on January 16, 2015, 01:56:31 PM
The tip I linked to above does pretty much the same thing.

Pretty much everything but provide the link to the mod.  ;)

Illori

Quote from: jackc on January 15, 2015, 08:34:46 AM
Edit: Adding this to the top of my index.php file fixed it without the need for a mod:

// Use the visitor IP that Cloudflare passes along, when the header is present.
if (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
}

That is what you need to do. There is no mod package for this.

Kindred

Illori,

except for the fact that I suspect his problem lies with the forum firewall, which has its own routines...


Levely,
SMF does not autoban - I suggest you take it up with the forum firewall mod author. :)

Illori

Quote from: Kindred on January 16, 2015, 03:39:50 PM
Illori,

except for the fact that I suspect his problem lies with the forum firewall, which has its own routines...


That is what Arantor said was the fix....

Arantor

Actually it's a bit of both.

On the one hand, the forum firewall is seeing a lot of requests from a select range of IPs, to the point where it smells like a DOS attack.

On the other hand, CloudFlare is proxying everything it receives... through a select range of IPs.

So... change the index.php as directed to get the real IP addresses. This will fix some of the issues at least.
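
An added example (not code from this thread, SMF, or the firewall mod): the same REMOTE_ADDR override, but applied only when the connecting peer is a Cloudflare proxy, since a request that reaches the origin directly can carry any CF-Connecting-IP value and would otherwise be rate-limited or banned under a false address. The function names are hypothetical, and the two ranges are a subset of Cloudflare's published IPv4 list at https://www.cloudflare.com/ips/; 64-bit PHP 7.1+ is assumed.

```php
<?php
// Subset of Cloudflare's published IPv4 ranges (covers 108.162.x.x and
// 188.114.x.x proxies). Load the full, current list in real use.
const CF_RANGES = ['108.162.192.0/18', '188.114.96.0/20'];

// True when IPv4 address $ip falls inside CIDR block $cidr.
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // not a valid IPv4 address
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Hypothetical helper: the address that ban and rate-limit logic should see.
function real_client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $hdr  = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    foreach (CF_RANGES as $cidr) {
        if (ipv4_in_cidr($peer, $cidr)
            && filter_var($hdr, FILTER_VALIDATE_IP) !== false) {
            return $hdr; // peer is a Cloudflare proxy, so the header is trusted
        }
    }
    return $peer; // direct connection: ignore any client-supplied header
}

// Constructed sample requests: one arriving through a Cloudflare proxy,
// one sent straight to the origin with the same header attached.
$viaProxy = ['REMOTE_ADDR' => '108.162.228.149',
             'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];
$direct   = ['REMOTE_ADDR' => '198.51.100.9',
             'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];

echo real_client_ip($viaProxy), "\n"; // header value is used
echo real_client_ip($direct), "\n";   // socket peer is kept

// At the top of index.php this would become:
// $_SERVER['REMOTE_ADDR'] = real_client_ip($_SERVER);
```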

levely

Would it just be easier to remove the firewall? In another post, someone mentioned that it isn't really necessary as long as you keep SMF updated...is that true?

levely

I installed the Cloudflare mod a few days ago, no change. Just noticed something else. The bans are getting more frequent, now 2 seconds apart. What's really strange is that they seem to stop for a day, then resume. The IPs are from LeaseWeb, which makes it even more suspicious. Anyone think this is the real deal? Also, there is only one member who keeps getting banned. He's been emailing me about his ban and asking me to fix the issue. Ironically, he's emailed me several times between midnight and 6 am.

