Epic ongoing BATTLE with Singaporean botnet; UPDATE #2 - it's over...for now!

w-u-2-o
Posts: 6158
Joined: Fri Mar 10, 2017 1:47 pm

Epic ongoing BATTLE with Singaporean botnet; UPDATE #2 - it's over...for now!

Post by w-u-2-o »

All,

My apologies for the interruptions in service, but the board is currently engaged in an epic battle with a botnet or other bad actors located in Singapore.

Whatever their goals, it has essentially amounted to a denial of service attack.

The board had reached 300,000 :o guest users and ground to a halt.

I have enabled a much stricter IP address block list, but now that total is only down to 37,000!

At this point I'm going to have to block the entire IP range of Singapore. My further apologies to any members who might be located there. All I can tell you is that you may wind up having to use a VPN to overcome that geo-restriction.

More to follow as the battle progresses...

73,

Scott
w-u-2-o
Posts: 6158
Joined: Fri Mar 10, 2017 1:47 pm

Re: Epic ongoing BATTLE with Singaporean botnet

Post by w-u-2-o »

Update #1: making some progress.

I've got the number of established connections at the firewall output down to < 100, and the number of page pulls in a 1 minute period to < 300. The AIs tell me this is pretty good.

You can see where the attack started on 9 Feb. We are now headed into the 20th hour of the attack and it continues unabated.


[Attachment: Capture.JPG]


I now have to make the changes to the firewall (iptables) persistent across reboots, create scripts for the blocklists to auto-update, and I think that I will add country blocking for both Russia and China as well.

The bots tend to make between 6 and 8 simultaneous connections to the forum per IP address. I will also probably modify the web server to limit it to 4.

As this is not my "day job" it's probably going to take me another two or three days to get this done.

The battle continues!
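
An added example (not part of the original post and not the forum's actual scripts) of the blocklist auto-update step described above: it turns a CIDR feed into an atomic `ipset restore` script and lists the iptables rules that would use it. The use of ipset, the set name `geoblock`, the feed contents and ports 80/443 are assumptions.

```python
import ipaddress

# Constructed sample feed (documentation ranges); a real feed would be a per-country CIDR list.
SAMPLE_FEED = """\
# example country feed
203.0.113.0/25
203.0.113.128/25
198.51.100.7/24
0.0.0.0/0
2001:db8::/32
not-a-cidr
""".splitlines()

def parse_cidrs(lines):
    """Return collapsed IPv4 networks from a blocklist, skipping unusable lines."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # host bits are masked off
        except ValueError:
            continue                              # never pass a malformed line to ipset
        if net.version == 4 and net.prefixlen > 0:  # a /0 in a feed would block everyone
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))

def build_ipset_restore(set_name, lines):
    """Build input for `ipset restore`: fill a temp set, then swap it in atomically."""
    tmp = set_name + "_tmp"
    spec = "hash:net family inet maxelem 131072"
    out = [f"create {set_name} -exist {spec}",
           f"create {tmp} -exist {spec}",
           f"flush {tmp}"]
    out += [f"add {tmp} {net}" for net in parse_cidrs(lines)]
    out += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(out) + "\n"

# Rules that consume the set and cap parallel connections per source address at 4,
# the limit mentioned in the post. Ports 80/443 are an assumption.
IPTABLES_RULES = [
    "iptables -I INPUT -m set --match-set geoblock src -j DROP",
    "iptables -A INPUT -p tcp --syn -m multiport --dports 80,443 "
    "-m connlimit --connlimit-above 4 --connlimit-mask 32 -j REJECT --reject-with tcp-reset",
]

if __name__ == "__main__":
    print(build_ipset_restore("geoblock", SAMPLE_FEED), end="")
    print("\n".join(IPTABLES_RULES))
```

Because the live set is only touched by the final `swap`, a failed or empty feed download never leaves the firewall with a half-loaded list.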
KA5KKT
Posts: 171
Joined: Thu Aug 06, 2020 6:51 pm

Re: Epic ongoing BATTLE with Singaporean botnet; UPDATE #1 posted

Post by KA5KKT »

JJ4SDR
Posts: 564
Joined: Fri Jul 30, 2021 10:09 pm
Location: TEXAS, USA

Re: Epic ongoing BATTLE with Singaporean botnet; UPDATE #1 posted

Post by JJ4SDR »

Thank you for your efforts Scott!!

Juha
NI2M
PC: 8 Core i7-10700 CPU @ 2.90GHz, NVMe SK Hynix 512 GB SSD, 32GB RAM
Windows 10 Home, Version 22H2
Thetis v2.10.3.4 x64
Protocol 2 v2.2.2a
w-u-2-o
Posts: 6158
Joined: Fri Mar 10, 2017 1:47 pm

Re: Epic ongoing BATTLE with Singaporean botnet; UPDATE #1 posted

Post by w-u-2-o »

Update #2: it looks like the attack is over.
[Attachment: Capture.JPG]

That's nice, because now work to increase the forum's defenses can proceed in a more leisurely manner. Because there WILL be a next time. :?

I appreciate everyone's patience yesterday, thank you.

Please note: as improvements to the firewall are made it may be necessary to restart the server and/or restart the forum. This may kick people off and/or log them out. Please continue to be patient. I will post again when the work is complete. In the meantime, things should be 90% back to normal.

Thanks,

Scott
K1LSB
Posts: 770
Joined: Wed Feb 05, 2020 5:25 pm

Re: Epic ongoing BATTLE with Singaporean botnet; UPDATE #2 - it's over...for now!

Post by K1LSB »

Thank you very much, Scott!

This incident makes me wonder why on earth would anyone decide to devote any resources to a directed attack against this website?

Mark
PH7R
Posts: 34
Joined: Thu Dec 15, 2022 9:59 am

Re: Epic ongoing BATTLE with Singaporean botnet; UPDATE #2 - it's over...for now!

Post by PH7R »

Is it an attack or CN downloading all info to feed AI models?
w-u-2-o
Posts: 6158
Joined: Fri Mar 10, 2017 1:47 pm

Re: Epic ongoing BATTLE with Singaporean botnet; UPDATE #2 - it's over...for now!

Post by w-u-2-o »

PH7R wrote: Wed Feb 11, 2026 7:41 pm Is it an attack or CN downloading all info to feed AI models?
When I started drilling down into the MySQL database that drives the forum to understand what was going on, I primarily focused on the phpBB session table. The first thing I saw was over 300,000 sessions registered. No properly behaved bot, crawler, indexer, or whatever, would do such a thing. But the real tell was the browser ID info, which showed a metric sh*t-ton of iPhone browsers and maybe a quarter-sh*t-ton of macOS browsers. I'm guessing it was some sort of bot-farm operation and not anything legit.

After making some initial adjustments to the iptables firewall, I could purge all established connections at both the port level and the forum session database level and it would still fill up with 2000 connections and 30,000 sessions within seconds. Only after I added country-specific IP blocking for Singapore did it calm down to manageable proportions, meaning after a purge there would be < 100 connections and < 300 sessions.

Normal conditions are around 20 connections and about the same for sessions.

Bot-farming is evil :evil:


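
An added example (not from the original post) of the session-table triage described above: it counts guest sessions per source address, rolls the noisy sources up to /24 ranges, and tallies browser families. The column names and guest user id follow the stock phpBB schema as an assumption, and the rows are constructed sample data.

```python
import ipaddress
from collections import Counter

ANONYMOUS = 1  # guest user id in a stock phpBB install (assumption)
# Assumed equivalent query against the default table name:
#   SELECT session_ip, COUNT(*) FROM phpbb_sessions
#   WHERE session_user_id = 1 GROUP BY session_ip HAVING COUNT(*) > 4;

def ua_family(user_agent):
    """Coarse family; iPhone is tested first because its UA also contains 'Mac OS X'."""
    for needle, family in (("iPhone", "iPhone"), ("Macintosh", "macOS"),
                           ("Windows", "Windows"), ("Android", "Android")):
        if needle in user_agent:
            return family
    return "other"

def triage(rows, per_ip_limit=4):
    """Summarise guest sessions and list sources holding more than per_ip_limit of them."""
    guests = [r for r in rows if r["session_user_id"] == ANONYMOUS]
    per_ip = Counter(r["session_ip"] for r in guests)
    noisy_ips = {ip: n for ip, n in per_ip.items() if n > per_ip_limit}
    noisy_nets = Counter()
    for ip, n in noisy_ips.items():
        # Roll noisy IPv4 sources up to /24 to judge whether a range block is warranted.
        noisy_nets[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += n
    return {
        "guest_sessions": len(guests),
        "member_sessions": len(rows) - len(guests),
        "ua_families": dict(Counter(ua_family(r["session_browser"]) for r in guests)),
        "noisy_ips": noisy_ips,
        "noisy_nets": dict(noisy_nets),
    }

def sample_rows():
    """Constructed rows shaped like the session table; addresses are documentation ranges."""
    iphone = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15"
    mac = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15"
    win = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"
    def row(ip, uid, ua):
        return {"session_ip": ip, "session_user_id": uid, "session_browser": ua}
    rows = [row(f"203.0.113.{h}", ANONYMOUS, iphone) for h in (10, 11, 12) for _ in range(7)]
    rows += [row("203.0.113.50", ANONYMOUS, mac) for _ in range(6)]
    rows += [row("198.51.100.20", ANONYMOUS, win), row("192.0.2.5", 57, win)]
    return rows

if __name__ == "__main__":
    print(triage(sample_rows()))
```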
Trucker
Posts: 498
Joined: Wed Nov 03, 2021 5:16 pm

Re: Epic ongoing BATTLE with Singaporean botnet; UPDATE #2 - it's over...for now!

Post by Trucker »

Scott, glad you are watching the front and back doors. It's a shame that there are idiots out there spending so much time trying to find ways to steal from others.
James
WD5GWY