Huge amount of activity from China

Started by bosswhite, November 18, 2019, 08:38:49 AM


memiller

Anecdotally, we just got a significant burst of traffic from IPs in Huawei Clouds prefixes that seemed to be indexing our whole site.  We use Cloudflare, so I added a firewall rule there to captcha challenge everything from AS136907 just for giggles. We got 18K hits in less than 6 hours from hundreds of IPs in the 159.138.144.0/20 (Hong Kong) range.  That's a helluva indexing run, if that's what it is. Honestly, I don't mind SEO and spider runs to help keep us discoverable, but it would be nice if it didn't include getting mugged.  :)
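A burst like the one described above is easiest to spot by bucketing hits per network block rather than per address. The following is an added example, not code from the post or from SMF; the access-log lines are constructed (only the 159.138.144.0/20 range comes from the post) and the thresholds are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed Apache combined-format log lines; the 159.138.x addresses fall in the
# 159.138.144.0/20 block mentioned in the post, 203.0.113.5 is a documentation address.
SAMPLE_LOG = """\
159.138.150.12 - - [18/Nov/2019:08:01:02 +0000] "GET /index.php?topic=1.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
159.138.151.77 - - [18/Nov/2019:08:01:03 +0000] "GET /index.php?topic=2.0 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
159.138.149.9 - - [18/Nov/2019:08:01:03 +0000] "GET /index.php?topic=3.0 HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Nov/2019:08:01:04 +0000] "GET /index.php?board=1.0 HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
159.138.158.200 - - [18/Nov/2019:08:01:05 +0000] "GET /index.php?topic=4.0 HTTP/1.1" 200 4990 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def hits_by_prefix(log_text, prefix_len=20):
    """Count requests per IPv4 /prefix_len network and collect the distinct source IPs per network."""
    hits = Counter()
    sources = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ip = ipaddress.ip_address(m.group("ip"))
        if ip.version != 4:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hits[net] += 1
        sources.setdefault(net, set()).add(ip)
    return hits, sources

def noisy_prefixes(log_text, min_hits=3, min_sources=2, prefix_len=20):
    """Return (network, hits, distinct_sources) for blocks where many addresses crawl together.

    Requiring several distinct sources separates a distributed crawl from one busy client.
    """
    hits, sources = hits_by_prefix(log_text, prefix_len)
    return [(str(net), n, len(sources[net]))
            for net, n in hits.most_common()
            if n >= min_hits and len(sources[net]) >= min_sources]

if __name__ == "__main__":
    for net, n, s in noisy_prefixes(SAMPLE_LOG):
        print(f"{net}: {n} hits from {s} distinct IPs")
```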

Antechinus

That's normal Chinese bot behaviour. When they decide to index a site, they just throw stacks of bots at it and attempt to index everything as fast as they can. They don't care about the effects on your site. If they crash your server, they don't care. They're just after all your information, and will grab it if it's available.

aegersz

I am also experiencing this for the IP range: 114.119.128.107 ~ 114.119.167.95.

IP lookup says:

Country: China
Region: Guangdong
City: Shenzhen

Why do they do this indexing and how does it help anybody?
The configuration of my Linux VPS (SMF 2.0 with 160+ mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

drewactual

The best I can tell, it's nothing more than the same type of indexing Google, Bing, Yahoo, etc. perform... it's just a lot more aggressive and they could care less what you've 'limited' with robots.txt.... they'll hit your server's resources with all of their resources and drill until it's done- if your server crashes they'll be sitting there waiting until it recovers and it starts all over again.

This next bit is somewhat unrelated but something I discovered and shared in another thread that may help someone?

I run a dedicated server with CentOS and Apache- and with an MPM Worker configuration and FPM over top of it.  The httpd.conf is NOT configured to dynamic (I can't recall the command it is set to) but it maintains x number of workers in reserve, and expands and withdraws the available pool depending on load.  I had mine set to 125 workers with a possible 225 iirc workers, the ability to spawn children, and a 5 second TTL window.... Problem I had to find out about, and while under stress from these Chinese bots: a recent cPanel update reset the worker function to default- and default is slight... 10 workers I think it was, and unlimited TTL... so.. resources were clogged with real members 'getting in line' for actions..... The 'bug' is documented on the cPanel forums... Once I discovered this and altered the settings to where they were, no more issues... On Monday night I had over 30k 'visitors' on the site and it had zero impact on function or load time.

I share this for folks who may be running MPM Worker and are getting hit with this traffic, and who are experiencing pages that crawl... to simply look into it or to ask their hosts to do so...

shawnb61

I am seeing this on my forum as well.  It's not just China, it's mainly Russia.  With some Denmark & Italy thrown in for good measure.

Buried amidst a bunch of basic topic crawling, there is some awfully suspicious looking activity in the web logs.

They're knocking on a lot of doors... 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

chrishicks

I use Cloudflare and recently noticed their bot fight mode so I decided to give it a try against these bots and sadly it did nothing. I was still seeing these IPs hit my site 1000s of times a day. I ended up setting up a challenge/block to see if they would get through it on one of the IP ranges that was hitting my site and it stopped them cold.

https://i.imgur.com/gDMHPtz.png

I have noticed they are slowing down on trying to hit my site as this was what it looked like a few days ago:

https://i.imgur.com/SgNlbrC.png

Next up is the 114.119.xxx.xxx range.

efk

Yep, 114.119.1
Also I noticed this one for some time, probably unrelated to the IP above: 159.138.1

efk

I found strange forum behavior related to changing security questions. What is interesting, a few times in the past when there happened to be an increased number of visitors/spambots, the number got drastically decreased once security questions were changed. Maybe this is just a coincidence, but I'm wondering if someone noticed the same thing. It's not normal to see for a few days over 1000 visitors as the max number for the checked day, and after this change to be up to max 100 visitors online at a time in the next days.

a10

The 1000s of daily CN IPs have disappeared, now just a few 159.138., so could remove the anti-CN .htaccess ftm.
None of the 1000000000000 :O) visits were about registering, just vacuuming posts.

The only registering attempts of any volume are from some stupid botrat using Tor, which has been hammering my forum for months, never managed a single reg (questions); am seeing most of these > https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

shawnb61

Quote from: a10 on January 26, 2020, 09:52:42 AM
None of the 1000000000000 :O) visits were about registering, just vacuuming posts.

Look again.  Buried in mine (the Russian ones) were what appear to be SQL injection attempts.

This is not normal, benign crawling.

GET /smf/index.php?topic=22187.40;wap21111111111111%27%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45)%20--%20/*%20order%20by%20%27as HTTP/1.1
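The request line quoted above is a classic column-enumeration probe: a closing quote, UNION SELECT, a run of CHAR() calls and a trailing comment. A small log triage routine that URL-decodes a request line, scores it against those indicators and renders the CHAR() sequences as text (so you can see what the probe was trying to echo back) follows. This is an added example, not code from the post or from SMF; the suspicious sample is the quoted request shortened to two CHAR() columns, and the benign sample is constructed.

```python
import re
from urllib.parse import unquote_plus

# Sample inputs: the first is the request line quoted in the post above, shortened to two
# CHAR() columns; the second is a constructed benign request for the same topic URL.
SUSPICIOUS = ('GET /smf/index.php?topic=22187.40;wap21111111111111%27%20UNION%20SELECT%20'
              'CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45)%20--%20/*%20order%20by%20%27as HTTP/1.1')
BENIGN = 'GET /smf/index.php?topic=22187.40;wap2 HTTP/1.1'

REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$')

# Each indicator is matched against the decoded, lower-cased request target.
INDICATORS = [
    ("quote_union_select", re.compile(r"'\s*union\s+(all\s+)?select\b")),
    ("sql_comment", re.compile(r"(--\s|/\*)")),
    ("char_encoding", re.compile(r"\bchar\(\s*\d+(\s*,\s*\d+)*\s*\)")),
]

def decode_target(request_line):
    """Return the URL-decoded request target with whitespace collapsed, or None if unparsable."""
    m = REQ_RE.match(request_line)
    if not m:
        return None
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are normalised as well.
    decoded = unquote_plus(unquote_plus(m.group("target")))
    return re.sub(r"\s+", " ", decoded)

def decode_char_calls(text):
    """Render every CHAR(n,n,...) call as the string it evaluates to, for readable triage output."""
    out = []
    for args in re.findall(r"(?i)\bchar\(([\d\s,]+)\)", text):
        codes = [int(c) for c in args.split(",")]
        out.append("".join(chr(c) for c in codes if 0 <= c < 0x110000))
    return out

def classify(request_line):
    """Return which indicators matched and the decoded CHAR() strings for one request line."""
    target = decode_target(request_line)
    if target is None:
        return {"parsed": False, "indicators": [], "char_strings": []}
    low = target.lower()
    hits = [name for name, rx in INDICATORS if rx.search(low)]
    return {"parsed": True, "indicators": hits, "char_strings": decode_char_calls(target)}

if __name__ == "__main__":
    for line in (SUSPICIOUS, BENIGN):
        print(classify(line))
```

Run over an access log, a line that matches quote_union_select plus either of the other two is worth alerting on; the decoded CHAR() strings ("-x1-Q-", "-x2-Q-", ...) are the column markers the scanner looks for in the response.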

a10

Quote from: shawnb61 on January 26, 2020, 10:04:20 AM
Quote from: a10 on January 26, 2020, 09:52:42 AM
None of the 1000000000000 :O) visits were about registering, just vacuuming posts.

Look again.  Buried in mine (the Russian ones) were what appear to be sql injection attempts.
Russians, but has anyone seen any hack attempts from those CN bots?
Seemed inoffensive, apart from the total overkill of traffic / IPs.

aegersz

Quote from: chrishicks on January 21, 2020, 10:36:54 PM
I use Cloudflare and recently noticed their bot fight mode so I decided to give it a try against these bots and sadly it did nothing. I was still seeing these IPs hit my site 1000s of times a day. I ended up setting up a challenge/block to see if they would get through it on one of the IP ranges that was hitting my site and it stopped them cold.

https://i.imgur.com/gDMHPtz.png

I have noticed they are slowing down on trying to hit my site as this was what it looked like a few days ago:

https://i.imgur.com/SgNlbrC.png

Next up is the 114.119.xxx.xxx range.

Same IP range as my attacks (Most Online Ever: 2472) but at least the site held up.

I wonder what's going on? It seems aggressive to me.

chrishicks

I'm probably going to jinx it by saying this but it looks like both the 159.138.xxx and the 114.119.xxx IPs have completely stopped trying to access my site after adding them to Cloudflare. They were trying 1000s of times a day as seen in the screenshots but for the last few days I haven't seen either of those ranges on the firewall page even once, and it's been really easy to check now as I'm only seeing a little over 100 "bad" hits a day now compared to 5000+ before, which is just too much to look at when it's 25 results per page.

YogiBear

Quote from: efk on January 26, 2020, 01:35:05 AM
I found strange forum behavior related with changing security questions. What is interesting, few times in past when it happened to be increased number of visitors/spambots, number is getting drastically decreased once security questions are changed. Maybe this is just a coincidence, but I'm wondering if someone noticed the same thing. ...

Yes, this has certainly worked for me too.
SMF v2.1.3  Mods : Snow & Garland v1.4,  PHP  v.7.4.33

a10

If anyone is still seeing all those rats from China: I initially started with a complete CN ban to stop it, then after spending time reading around on the net and testing stuff, this turned out to give immediate and lasting mitigation (CN bots and others). One may complement it with further agent additions. In .htaccess:

RewriteEngine On
RewriteCond %{QUERY_STRING} .
RewriteCond %{HTTP_USER_AGENT} Ahrefs|Baiduspider|bingbot|BLEXBot|Grapeshot|heritrix|Kinza|LieBaoFast|Linguee|Mb2345Browser|MegaIndex|MicroMessenger|MJ12bot|PiplBot|Riddler|Seekport|SemanticScholarBot|SemrushBot|serpstatbot|Siteimprove.com|trendictionbot|UCBrowser|MQQBrowser|Vagabondo|AspiegelBot|zh_CN|OPPO\sA33|zh-CN|YandexBot [NC]
RewriteRule ^.* - [F,L]

drewactual

Many thanks, a10.

FWIW, I've not had less than 2k present since this 'wave' began.  CleanTalk has sent me messages just about every other day of stopping 50k questionable attempted registrations likely on average... it's a mess.  Fortunately, (and again I am NOT a spokesman for CleanTalk) that software is holding up... as SOON as 'one' gets through I'll implement what you offered.. I like it because it doesn't stiff arm a massive IP range, because I have a few posters from that range who are legit and well respected.

SMiFFER

Quote from: shawnb61 on January 26, 2020, 10:04:20 AM
Quote from: a10 on January 26, 2020, 09:52:42 AM
None of the 1000000000000 :O) visits were about registering, just vacuuming posts.

Look again.  Buried in mine (the Russian ones) were what appear to be sql injection attempts.

This is not normal, benign, crawling.

GET /smf/index.php?topic=22187.40;wap21111111111111%27%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45)%20--%20/*%20order%20by%20%27as HTTP/1.1

SQL injection?
Is that not straight hacking?
Quote of the day: A troll is an obstinate bloke who only hungers for your attention. If you feed him, he will puke all over you!

Kindred

SMiFFER....   you do know that SQL Injection is one of the vectors of hack attempts, right?

Shawn was stating the specific over the generic.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Antechinus

Quote from: aegersz on January 16, 2020, 11:38:38 AM
I am also experiencing this for the IP range: 114.119.128.107 ~ 114.119.167.95.

IP lookup says:

Country:China
Region:Guangdong
City:Shenzhen

Ha. I just had that bunch show up at a site I run. Started getting bandwidth usage warnings. Wondered WTF was going on. Went to check the bandwidth and visitor log and yep, it's rampaging Chinese bots again. Hey ho. :P

So, did a bit of a lookup, decided on which ranges to wallop, and hit them with .htaccess. Bandwidth usage for the last 24 hours is back to normal, and went back to normal immediately after I fired up the walloperator. That should keep them busy for a while, until next time.

One thing I did notice is that although the company involved was from Shenzhen, the specific IP ranges that were hitting me were coming out of Singapore. IOW, the Shenzhen company owned the IP ranges but the IPs themselves resolved to a Singapore location. IOW IOW, the buggers are now operating out of non-Chinese locations, so you won't just get clobbered from China.

Fun times. :)

a10

The user agent block, see #54 above, still does wonders against the Chinese and a few others as well.
