Server Stress: Attack Of The Clones

As if my mail server worries weren't enough, one of the LISHosted sites came under attack starting on Friday by a dedicated and dangerous spammer botnet. At least I'm as sure as I can be at this point that they're just spammers. They have a HUGE number (probably 2,000 at least) of servers they're using to do Trackback, comment and link spam, and they're targeting quite a few different domains on the LISHost server. For some reason they really love one domain in particular. Hits to that site's Wordpress comment file number in the 10s of thousands, while all other sites get just a few hundred from the same IP ranges. They're hitting mostly MT and WP comment forms, but they're also throwing in some referral spam for good luck. It also looks like they're adding new computers to their network all the time because there seems to be a big jump in new IPs around 7 am EST, and then again about 4 or 5 hours later.

I still don't think they're out to bring down the server or that one site on purpose, but I can't be sure. If I had to guess they simply have something misconfigured on their botnet and as a result one site is getting destroyed.

I'm fine tuning the scripts I use to detect & block the bad guys, and I think they're getting pretty accurate. I added a new one last night that did a great job in finding several hundred new IPs. From what I can tell I'm doing a good job at only blocking bad computers, I've only heard from one person that I can't seem to unblock for some reason. I'm using a combination of mod_evasive, mod_security, 3 shell scripts I wrote, and now a modified version of SSHBlack. These are all watching for patterns, and then firewalling the offending IP via iptables.

There's a new phrase I've been using the past few days, "I have server stress."

Comments

With all the bad hackers in the world...

aren't there any good ones to shut these people down?

Syndicate content