Page Index Toggle Pages: 1
Topic Tools
Normal Topic Impending denial of service. (Read 1,835 times)
oldbrad
YaBB Newcomer
*
Offline



Posts: 9
Location: UK
Impending denial of service.
Sep 13th, 2013 at 11:28am
Post Tools
Hello Admins,

The ever increasing volume of automated registration attempts has finally forced me to disable on-line guest registration. ie 'Select the registration scheme for this forum' set to 'Only admin can register new members'.

This works fine for our low volume forum, but: In a attempt to kill the resulting torrent of error messages I have installed and configured fail2ban. This is a log analyser which is configurable to make iptables block entries for the offending IPs for some specified time before unblocking.

Initially I effected a 1 week block. With a net result of NO decrease in the number of attempts! I now permanently block the offending IPs with the result NO DECREASE in the number of attempts! This means the bots, or whatever, are either increasing in number exponentially or switching IP address.

Today I'm seeing of the order of 150 IP addresses per day being permanently blocked! While writing this post I have 10 more.

The received wisdom is that when the number of iptables rules exceeds, of the order of, 25000 records iptables will be destabilised.

If something doesn't change, a simple calculation says that in under 6 months I will effectively have a 'denial of service' situation!

I can of-course disable fail2ban and just ignore "Error: The registration feature has been disabled on this forum." and/or turn off error logging, even disable apache logging. (Not a good idea.)

The point is that if permanent IP blocks at the firewall are NOT effective then NOTHING is. Sooner or later the volume of automated hits results in  DENIAL OF SERVICE.

Therefore, something else has to be done to stop, or at least reduce, the source of these attempts.

Ideas?
« Last Edit: Sep 13th, 2013 at 11:40am by oldbrad »  
Back to top
 
IP Logged
 
Derek Barnstorm
Support Team
YaBB Next Team
Development Team
Beta Testers
****
Offline



Posts: 1,269
Location: United Kingdom

None
Re: Impending denial of service.
Reply #1 - Sep 13th, 2013 at 12:30pm
Post Tools
Hi oldbrad,

I'm not aware of any Firewalls which could be used. The only one I am aware of is ZB Block (http://www.spambotsecurity.com/zbblock.php), but that is for PHP sites, so don't think it would be any good for a Perl based forum.

So, the only things I can think of is to block the IPs at server level (.htaccess). If you opened back up your registration process, then you could install the StopForumSpam mod: http://www.boardmod.org/yabb2/YaBB.pl?num=1315522544 - That mod has as setting to automatically add offending IPs to The Guardian to block them at server level.

Also, probably not an option you want to consider, but if it isn't important that your forum appears in search engines, then have your robots.txt stop search engines from crawling your site. You should find that stops spam attempts significantly.
« Last Edit: Sep 13th, 2013 at 12:34pm by Derek Barnstorm »  
Back to top
 
IP Logged
 
oldbrad
YaBB Newcomer
*
Offline



Posts: 9
Location: UK
Re: Impending denial of service.
Reply #2 - Sep 13th, 2013 at 3:11pm
Post Tools
Derek Barnstorm wrote on Sep 13th, 2013 at 12:30pm:
So, the only things I can think of is to block the IPs at server level (.htaccess). If you opened back up your registration process, then you could install the StopForumSpam mod: http://www.boardmod.org/yabb2/YaBB.pl?num=1315522544 - That mod has as setting to automatically add offending IPs to The Guardian to block them at server level.

The problem with blocks at the .htaccess level, is just that it' s at that level. Bandwidth is still being consumed.

I'm already doing iptables blocking. This works at the TCP level. Once blocked the server no longer exists to the requester.

There is no more effective mechanism!

The point of the post is that ultimately, in my case within 6 months, iptables blocking will effectively result in a denial of service.

In the event that the spam bot attempts increase at the apparent current rate, then sooner or later any kind of blocking has to consume all server resources! Given that iptables blocks happen at the lowest possible level. Doing anything at a higher level, logging, modifying .htaccess or whatever after the request reaches the server must amount to a denial of service eventually.

My calculations show iptables blocks WILL FAIL in 6 months. I've no idea how long it takes to generate an .htaccess files that become so big that the server spends all its time scanning to determine which IPs to block?

What we need is to slow down the number of fake requests. By definition, that cannot be accomplished from inside the firewall.

The immediate solution then appears to be reject all HTTP at the incoming router. Game over, sysadmins nil spam bots won Cry
  
Back to top
 
IP Logged
 
Bill Myers
God Member
Beta Testers
*****
Offline



Posts: 1,728
Location: Los Angeles

YaBB 2.4
Re: Impending denial of service.
Reply #3 - Sep 13th, 2013 at 8:32pm
Post Tools
oldbrad wrote on Sep 13th, 2013 at 11:28am:
... something else has to be done to stop, or at least reduce, the source of these attempts.

Ideas?

My recommendation is to install ggn's anti-spam CAPTCHA hack, which has been written as a mod for YaBB's next version. You can see it at work by going to the General Board of Dandello's YaBB 2.5.4 Alpha test bed forum (near the bottom).

I've been using it for the last couple of years in a relatively active forum, and not one single spam-bot has been able to register. Not one!

This anti-spam tool has been so effective that I actually allow guest posting, and I never need to block IP addresses because of spam bots. My error log is full of blocked attempts. Today alone as I post this, I've had about 500 spam-bot blocks in the last 2 hours.

If you give it a try, you'll be pleasantly surprised by the results. Smiley

« Last Edit: Sep 13th, 2013 at 8:35pm by Bill Myers »  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
Back to top
IP Logged
 
------
Senior Member
Beta Testers
****
Offline



Posts: 528
Re: Impending denial of service.
Reply #4 - Sep 13th, 2013 at 10:09pm
Post Tools
oldbrad wrote on Sep 13th, 2013 at 11:28am:
This means the bots, or whatever, are either increasing in number exponentially or switching IP address.

As you have found out blocking IP with the .htaccess is not always successful. Personally I feel a blocked IP is only good for about 3 months after that its a good chance a legit person might be using it.

Using .htaccess to prevent bots crawling your site helps reduce bandwidth, you just need to remember not all bots are bad so you need to be careful which ones you block.

Derek suggests StopForumSpam, I use it and I fully recommend it. Another great one is Spamfruits. Between these two mods all spammer registrations are blocked at the forum level. Sadly they don't reduce bandwidth.

IMO gnn's anti-spam is only useful if you allow guests posting.
  
Back to top
 
IP Logged
 
xnoddyx
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
****
Offline



Posts: 1,593
Location: UK:Scotland/livingston

None
Re: Impending denial of service.
Reply #5 - Sep 14th, 2013 at 10:08am
Post Tools
Hi oldbrad
from reading your posts all i can suggest is that you turn on proxy banning in The Guardian and also ask what your host flood control is like if they have one and ask them if you have flood controls to lower your requests per minute.
i am attaching a copy off a error log from one of my forums as you will see it has 400 errors from Yesterday and today just spam bots and this is with Proxy Blocking and this is a small forum on average it has 500 to 700 errors a day and with Proxy Blocking off it can see upto 1000+ a day and this is not showing the ones that my host are stopping with flood control. one think i am curious about is who your host is.
« Last Edit: Sep 14th, 2013 at 10:08am by xnoddyx »  

yabb-error-log.txt ( 67 KB | 46 Downloads )

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
Back to top
IP Logged
 
Page Index Toggle Pages: 1
Topic Tools