George Maschke
Full Member
Spambots as DDoS?
Jan 5th, 2013 at 7:36am
My forum (https://antipolygraph.org/cgi-bin/forums/YaBB.pl) has been under constant assault by spambots for some time now. While various security features in YaBB have prevented most automated registrations and spam postings, the sheer volume of attempts has caused the site's CPU, memory, and input/output usage to exceed quotas. Last month, our webhosting company temporarily suspended our account to prevent a server crash.

I'm wondering whether any other YaBB admins have experienced similar issues? Any ideas on solutions?

My (hopefully temporary) fix has been to disallow automated registration, guest posting, and guest broadcast PMs to admins. Instead, I've put a note in the forum template telling readers to e-mail us to request an account.

It would be great if YaBB could recognize, say, X repeat failed CAPTCHA responses from an IP address and then, through .htaccess, deny further requests from that IP address for Y minutes.
« Last Edit: Jan 5th, 2013 at 7:38am by George Maschke »  
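
The timed lockout proposed in the post above (X failed CAPTCHA responses from one IP address, then an .htaccess denial for Y minutes), as an added example that is not YaBB code and not part of the original post. It assumes a log of (timestamp, IP) failure events, Apache 2.4 `Require` syntax, and made-up threshold values; all function names are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

MAX_FAILURES = 5                  # "X" in the post (assumed value)
WINDOW = timedelta(minutes=10)    # span in which X failures must occur (assumed)
BAN_TIME = timedelta(minutes=30)  # "Y" in the post (assumed value)

def sample_events():
    """Constructed sample: one (timestamp, ip) pair per failed CAPTCHA answer.
    Addresses are from the RFC 5737 documentation ranges."""
    t0 = datetime(2013, 1, 5, 7, 0)
    burst = [(t0 + timedelta(seconds=20 * i), "203.0.113.7") for i in range(6)]
    slow = [(t0 + timedelta(minutes=15 * i), "198.51.100.9") for i in range(6)]
    return sorted(burst + slow)

def active_bans(events, now):
    """Return {ip: expiry} for IPs with MAX_FAILURES failures inside WINDOW."""
    recent = defaultdict(deque)
    bans = {}
    for ts, ip in events:
        ip = str(ip_address(ip))      # raises ValueError on anything but an IP,
        q = recent[ip]                # so log content cannot inject directives
        q.append(ts)
        while ts - q[0] > WINDOW:     # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            bans[ip] = ts + BAN_TIME  # each further failure extends the ban
    return {ip: exp for ip, exp in bans.items() if exp > now}

def render_htaccess(bans):
    """Render the deny block; regenerate on a schedule so bans expire."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(bans)]
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    now = datetime(2013, 1, 5, 7, 10)
    print(render_htaccess(active_bans(sample_events(), now)))
```

Regenerating the file on a schedule lets bans lapse on their own, which limits collateral blocking of shared addresses such as the Tor exit nodes mentioned later in this thread.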

George Maschke
Full Member
Re: Spambots as DDoS?
Reply #1 - Mar 6th, 2013 at 8:22pm
Well, the sheer volume of registration attempts by spam bots has caused my webhosting company, CanadianWebhosting.com, to suspend my account permanently. To be sure: spam was not being posted on my forum. The spam bots were only rarely successful in registering an account. But the sheer volume of registration attempts from various IP addresses has repeatedly overwhelmed the server.

Again, I'm curious as to whether any other YaBB admins have had similar problems with their forums, or is mine an exceptional case?
  

Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Re: Spambots as DDoS?
Reply #2 - Mar 6th, 2013 at 9:07pm
I get nearly 500 attempts a day on a not very busy forum (the testbed) and at least a couple Guardian notices a day of bad actors trying stuff. I'm guessing your subject matter was/is controversial enough to warrant some serious attacks.

I'm sorry your suggestion concerning .htaccess banning of repeated attempts didn't get picked up to get worked on. It's something that might be valuable.  Embarrassed
  

If you only have one solution to a problem you're not trying hard enough!
Bill Myers
God Member
Beta Testers
Re: Spambots as DDoS?
Reply #3 - Mar 6th, 2013 at 9:44pm
George Maschke wrote on Mar 6th, 2013 at 8:22pm:
Again, I'm curious as to whether any other YaBB admins have had similar problems with their forums, or is mine an exceptional case?

In our forum, yes, and I believe this is becoming more common.

By the way, and Dandello will most likely know more about this than I do, but even if YaBB was to deny requests from a particular IP address, permanently or otherwise temporarily, you can still get bombarded by spam-bots. It would basically be a DDoS attack, which a good web host is generally good at defeating.

The other day, for instance, one IP address in particular was failing to register in our forum at a rate of about 500 attempts about every 10 minutes. After I banned that IP address from the forum, our error page continued to list it, but this time as a banned IP address, which again, was happening about every 10 minutes. Finally after close to 3 days that particular automated spam-bot stopped hitting our forum.

The thing is, spam-bot automation isn't just a problem in forums. Even as successful as we are in keeping them out of our forums, and YaBB is very good at this, that automation still hits our servers. So conceivably, even if you didn't have a YaBB forum, your web host may have still suspended your account based on their apparent lack of ability to fend off those spam-bots for you.

Hint: If you haven't done this already, my suggestion is for you to point your domain to another host, even temporarily, and do it as quickly as possible so that visitors to your site can see comments from you instead of the notice of suspension that they currently see.

Even if that means it goes to a personal page of yours, i.e., a Facebook notice, a Twitter notice, a post here, or even to a notice about what's happening on a personal web page of yours that your Internet Provider probably provides for you.

I'm upset about this enough on my own that I'll happily give you a landing page at no cost if you need one until you get your site back up and running. Feel free to let me know any time.

By the way, as of this post it appears that our forum is getting hit by spam-bot automation at a rate of around 100 every hour or so. Thankfully, I'm on a fast server, and I have plenty of resources (I say as I keep my fingers crossed).

  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Re: Spambots as DDoS?
Reply #4 - Mar 6th, 2013 at 11:43pm
And I suspect - but do not know for sure - that even hits taken out by .htaccess may be logged against your usage.

But Bill is right - get your domain pointing somewhere so you don't have a 'closed by host' sign on it.

Hopefully you have full backups and can find a host that can actually handle traffic.

One thing that YaBB will have as part of timed banning is the ability to use Guardian .htaccess banning directly from the error page. Granted - this is still a manual process, but for forums that aren't under actual siege, it should help.
« Last Edit: Mar 6th, 2013 at 11:46pm by Dandello »  

Derek Bullock
Ex Member


Re: Spambots as DDoS?
Reply #5 - Mar 6th, 2013 at 11:57pm
Just had a look and I have my error log set so it shows 500 errors. Between 8.03 am and 9.53 am I have had 500 hits.

So yep, it sure is getting worse.
  
xnoddyx
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
Re: Spambots as DDoS?
Reply #6 - Mar 6th, 2013 at 11:59pm
A DoS attack (Denial-of-service attack) or DDoS attack (Deliberate Denial-of-service attack):
it doesn't even need to be a sheer volume of registration attempts; it can also be as simple as multiple pinging of your domain name.

Methods of attack

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are two general forms of DoS attacks: those that crash services and those that flood services.

A DoS attack can be perpetrated in a number of ways. The five basic types of attack are:
1. Consumption of computational resources, such as bandwidth, disk space, or processor time.
2. Disruption of configuration information, such as routing information.
3. Disruption of state information, such as unsolicited resetting of TCP sessions.
4. Disruption of physical network components.
5. Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

A DoS attack may include execution of malware intended to:
- Max out the processor's usage, preventing any work from occurring.
- Trigger errors in the microcode of the machine.
- Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or lock-up.
- Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. to use up all available facilities so no real work can be accomplished or it can crash the system itself.
- Crash the operating system itself.

At the same time, most hosts' firewalls should have IP Flood Detection and Request Flood Detection on to protect against Denial of Service (DoS) attacks.
A host without them on, or with the limit set too high, is only asking for trouble.
  

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
George Maschke
Full Member
Re: Spambots as DDoS?
Reply #7 - Mar 7th, 2013 at 7:00am
Thank you all for your comments (and thank you Bill, for your kind offer of a landing page). Based on your comments, it would seem that the automated registration attempts on AntiPolygraph.org were more likely part of a larger phenomenon of mass forum spamming rather than a targeted denial-of-service attack.


I'm looking for a better web hosting company and hope to have my site (and YaBB forum) back online soon.
  

pyragony
Language Team
Jr. Developer
Re: Spambots as DDoS?
Reply #8 - Mar 7th, 2013 at 7:24am
Hi

So that this is a DDoS - attack is, I do not think so. Spammers do not. They want to get rid of their waste in any way. I have looked at your site once, for an attack they invite too fast, but the template is not constructed. But as I see, you've built your site as https and I do not know if it works at all. The test I had time. An attack I can not confirm at the moment.
  

Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Re: Spambots as DDoS?
Reply #9 - Mar 7th, 2013 at 2:53pm
As forums and blog pages get more secure and better at blocking the spammers, the more desperate (it seems) they become at trying to get in. I have a site that's in read-only mode, registrations turned off and the error log shows over a thousand spam attempts in the past 24 hours.
  

pyragony
Language Team
Jr. Developer
Re: Spambots as DDoS?
Reply #10 - Mar 7th, 2013 at 8:06pm
This is normal, every day, but that is certainly not for a DDoS attack.
To place a server lame, it takes a good 100-150 requests per second.
  

Bill Myers
God Member
Beta Testers
George is back online! - Re: Spambots as DDoS?
Reply #11 - Mar 9th, 2013 at 8:28am
George Maschke wrote on Mar 7th, 2013 at 7:00am:
I'm looking for a better web hosting company and hope to have my site (and YaBB forum) back online soon.

I am very happy to see that George has successfully gotten his site, and his forum back online in relatively quick fashion.

"At present, all content on AntiPolygraph.org is back on-line ..."

With George, I'm not surprised by this at all. For those of you who may not know, he was very quick to notice that ggn's anti-spam hack needed some tweaking to make it complete.

Way to go George! Smiley

  

George Maschke
Full Member
Re: Spambots as DDoS?
Reply #12 - Mar 9th, 2013 at 9:12am
Thanks, Bill!

Thus far, I am very pleased with my new web hosting company, OrangeWebsite.com. I'm still on a shared server, but it seems to be much more robust than the one I had with CanadianWebhosting.com (which I strongly suspect had oversold accounts on the server that hosted my site).

Since moving to OrangeWebsite.com, I have actually deleted the .htaccess file for my forum (and entire site). My IP blocks had unintentionally blocked some Tor proxy network exit nodes. So far, there have been no ill effects. (I think the server may have some sort of spam flooding detection.)
  

depablo
YaBB Moderators
YaBB Next Team
Beta Testers
Re: Spambots as DDoS?
Reply #13 - Mar 9th, 2013 at 11:15am
George
Glad you got it sorted, loads fine from the UK.

Only one small problem, once you start reading the content you cannot stop, some very interesting debates on the subject.
  

Taking a peek behind the mask Wink
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Re: Spambots as DDoS?
Reply #14 - Mar 9th, 2013 at 4:17pm
Excellent! One of the beauties of the flat-file system - once you have your backup, all it takes is upload time, checking CHMODs and editing one file to get YaBB up and running on a new server. (Been there, done that, should get the t-shirt.)  Wink
  
