YaBB Community and Support Forum
YaBB Home About YaBB Download YaBB YaBB Support Customize Your Forum Development Contribute to the Project
  Welcome, Guest. Please Login or Register


 
Page Index Toggle Pages: 1
Topic Tools
 
Impending denial of service. (Read 840 times)
 Sep 13th, 2013 at 11:28am
There are no actions to perform.  

oldbrad 
YaBB Newbie
*
Offline
Posts: 9
UK


None
Impending denial of service.
Hello Admins,

The ever increasing volume of automated registration attempts has finally forced me to disable on-line guest registration. ie 'Select the registration scheme for this forum' set to 'Only admin can register new members'.

This works fine for our low volume forum, but: In a attempt to kill the resulting torrent of error messages I have installed and configured fail2ban. This is a log analyser which is configurable to make iptables block entries for the offending IPs for some specified time before unblocking.

Initially I effected a 1 week block. With a net result of NO decrease in the number of attempts! I now permanently block the offending IPs with the result NO DECREASE in the number of attempts! This means the bots, or whatever, are either increasing in number exponentially or switching IP address.

Today I'm seeing of the order of 150 IP addresses per day being permanently blocked! While writing this post I have 10 more.

The received wisdom is that when the number of iptables rules exceeds, of the order of, 25000 records iptables will be destabilised.

If something doesn't change, a simple calculation says that in under 6 months I will effectively have a 'denial of service' situation!

I can of-course disable fail2ban and just ignore "Error: The registration feature has been disabled on this forum." and/or turn off error logging, even disable apache logging. (Not a good idea.)

The point is that if permanent IP blocks at the firewall are NOT effective then NOTHING is. Sooner or later the volume of automated hits results in  DENIAL OF SERVICE.

Therefore, something else has to be done to stop, or at least reduce, the source of these attempts.

Ideas?
« Last Edit: Sep 13th, 2013 at 11:40am by oldbrad »  
WWW  
IP Logged  
 Reply #1 - Sep 13th, 2013 at 12:30pm
There are no actions to perform.  

Derek Barnstorm 
Support Team
YaBB Next Team
Development Team
Beta Testers
****
Offline
Posts: 1,269
United Kingdom


YaBB 2.5
Re: Impending denial of service.
Hi oldbrad,

I'm not aware of any Firewalls which could be used. The only one I am aware of is ZB Block (http://www.spambotsecurity.com/zbblock.php), but that is for PHP sites, so don't think it would be any good for a Perl based forum.

So, the only things I can think of is to block the IPs at server level (.htaccess). If you opened back up your registration process, then you could install the StopForumSpam mod: http://www.boardmod.org/yabb2/YaBB.pl?num=1315522544 - That mod has as setting to automatically add offending IPs to The Guardian to block them at server level.

Also, probably not an option you want to consider, but if it isn't important that your forum appears in search engines, then have your robots.txt stop search engines from crawling your site. You should find that stops spam attempts significantly.
« Last Edit: Sep 13th, 2013 at 12:34pm by Derek Barnstorm »  
 
IP Logged  
 Reply #2 - Sep 13th, 2013 at 3:11pm
There are no actions to perform.  

oldbrad 
YaBB Newbie
*
Offline
Posts: 9
UK


None
Re: Impending denial of service.
Derek Barnstorm wrote on Sep 13th, 2013 at 12:30pm:
So, the only things I can think of is to block the IPs at server level (.htaccess). If you opened back up your registration process, then you could install the StopForumSpam mod: http://www.boardmod.org/yabb2/YaBB.pl?num=1315522544 - That mod has as setting to automatically add offending IPs to The Guardian to block them at server level.

The problem with blocks at the .htaccess level, is just that it' s at that level. Bandwidth is still being consumed.

I'm already doing iptables blocking. This works at the TCP level. Once blocked the server no longer exists to the requester.

There is no more effective mechanism!

The point of the post is that ultimately, in my case within 6 months, iptables blocking will effectively result in a denial of service.

In the event that the spam bot attempts increase at the apparent current rate, then sooner or later any kind of blocking has to consume all server resources! Given that iptables blocks happen at the lowest possible level. Doing anything at a higher level, logging, modifying .htaccess or whatever after the request reaches the server must amount to a denial of service eventually.

My calculations show iptables blocks WILL FAIL in 6 months. I've no idea how long it takes to generate an .htaccess files that become so big that the server spends all its time scanning to determine which IPs to block?

What we need is to slow down the number of fake requests. By definition, that cannot be accomplished from inside the firewall.

The immediate solution then appears to be reject all HTTP at the incoming router. Game over, sysadmins nil spam bots won Cry
 
WWW  
IP Logged  
 Reply #3 - Sep 13th, 2013 at 8:32pm
There are no actions to perform.  

Bill Myers 
God Member
Beta Testers
*****
Offline
Posts: 1,482
Los Angeles


YaBB 2.4
Re: Impending denial of service.
oldbrad wrote on Sep 13th, 2013 at 11:28am:
... something else has to be done to stop, or at least reduce, the source of these attempts.

Ideas?

My recommendation is to install ggn's anti-spam CAPTCHA hack, which has been written as a mod for YaBB's next version. You can see it at work by going to the General Board of Dandello's YaBB 2.5.4 Alpha test bed forum (near the bottom).

I've been using it for the last couple of years in a relatively active forum, and not one single spam-bot has been able to register. Not one!

This anti-spam tool has been so effective that I actually allow guest posting, and I never need to block IP addresses because of spam bots. My error log is full of blocked attempts. Today alone as I post this, I've had about 500 spam-bot blocks in the last 2 hours.

If you give it a try, you'll be pleasantly surprised by the results. Smiley

« Last Edit: Sep 13th, 2013 at 8:35pm by Bill Myers »  
Morning, noon, or night, have a great one! ...
WWW BillHMyers  
IP Logged  
 Reply #4 - Sep 13th, 2013 at 10:09pm
There are no actions to perform.  

RonS2 
Full Member
Beta Testers
***
Offline
Posts: 444


YaBB 2.5
Re: Impending denial of service.
oldbrad wrote on Sep 13th, 2013 at 11:28am:
This means the bots, or whatever, are either increasing in number exponentially or switching IP address.

As you have found out blocking IP with the .htaccess is not always successful. Personally I feel a blocked IP is only good for about 3 months after that its a good chance a legit person might be using it.

Using .htaccess to prevent bots crawling your site helps reduce bandwidth, you just need to remember not all bots are bad so you need to be careful which ones you block.

Derek suggests StopForumSpam, I use it and I fully recommend it. Another great one is Spamfruits. Between these two mods all spammer registrations are blocked at the forum level. Sadly they don't reduce bandwidth.

IMO gnn's anti-spam is only useful if you allow guests posting.
 
 
IP Logged  
 Reply #5 - Sep 14th, 2013 at 10:08am
There are no actions to perform.  

xnoddyx 
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
****
Offline
Posts: 1,552
UK:Scotland/livingston


YaBB 2.5
Re: Impending denial of service.
Hi oldbrad
from reading your posts all i can suggest is that you turn on proxy banning in The Guardian and also ask what your host flood control is like if they have one and ask them if you have flood controls to lower your requests per minute.
i am attaching a copy off a error log from one of my forums as you will see it has 400 errors from Yesterday and today just spam bots and this is with Proxy Blocking and this is a small forum on average it has 500 to 700 errors a day and with Proxy Blocking off it can see upto 1000+ a day and this is not showing the ones that my host are stopping with flood control. one think i am curious about is who your host is.
« Last Edit: Sep 14th, 2013 at 10:08am by xnoddyx »  
yabb-error-log.txt (67 KB | 39 )
YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
WWW xnoddyx xnoddyx1  
IP Logged  
Page Index Toggle Pages: 1
Topic Tools
 

Get Yet another Bulletin Board at SourceForge.net. Fast, secure and Free Open Source software downloads Support This Project BoardMod - YaBB features and templates YaBB Codex - support on installation and usage YaBB Toolbar for your browser

YaBB Facebook Group Page

Vulnerability Scanner

Valid RSS Valid XHTML Valid CSS Powered by Perl
YaBB Chat and Support Community » Powered by YaBB 3.0 Beta!
YaBB Forum Software © 2000-2011. All Rights Reserved.