Anyone having trouble with initial access to the forum?

I’ve been doing some more digging tonight and also looking for solutions. The best solution seems to be to block them at the network firewall rather than in the web server/forum software. That way they’re dealt with as soon as possible after they hit the server and therefore don’t load the server too much by having to be processed by additional layers of software.

The bigger problem is what to block. Some of the traffic seems to be coming from addresses in allocated Chinese sub-nets, so those can be blocked (assuming there are few - if any - legitimate Chinese users of the forum). However, there also seems to be traffic that looks like some of the Chinese traffic coming from US addresses, some from Amazon AWS allocated addresses. I don’t think it would be a popular move to block US IP sub-nets based on this!

Part of the problem is actually identifying which packets arriving are the problem ones. There are certainly a lot with Chinese phone types and browsers, but there are dozens of variations…maybe hundreds. However, I’d need to implement a web server firewall to block based on these (assuming I could find a stable set of browser/phone types to block) and that’s less efficient than blocking at the network level based on IP address though (see above).

For now I’m going to try blocking based on Chinese IP addresses to see what that does to the traffic. Maybe the US/AWS traffic is low level enough not to cause problems, but I’ll have to see. I need to modify a script to manage adding the Chinese sub-nets into the firewall. The firewall already has rules and the scripts I can find to create country specific blocks appear to assume that they’re working with a default/unconfigured firewall. Firewall mods are always fun. Hopefully I won’t block myself or any of you in the process!

I’ve implemented some new firewall rules that block various known threat addresses and all (known) Chinese IPs and IP sub-nets. The rules update the firewall block lists every hour so they should pick up any changes fairly quickly.

A quick visual check of the logs suggests there are fewer odd Chinese phones/browsers present but the traffic doesn’t seem to be constant 24*7 so maybe they’re just quiet at the moment. Let’s see how it goes for a day or two with the new rules in place and then assess what else needs to be done.

Thanks, Chris. Fingers crossed... :slight_smile:

Looks like the number of ‘guests’ has diminished substantially (2000 down to less than 200) and response is snappy again.

Thanks Chris!

From what I recall when I still had my own web server you could block AWS IPs (assuming the volume is significant) without causing problems for legitimate visitors. Anyone using an Amazon cloud server to hit this forum is likely up to no good IMHO.

Is there a list of AWS IPs available? I’m not sure how big a problem it is though. I know I saw a couple of AWS addresses but I wasn’t using any scientific sampling process to check where access was coming from so they might have been fairly low volume.

I’ve found some lists online like AWS IP address ranges - Amazon Virtual Private Cloud but none of them have as many IPs as I would expect :?
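One way to answer “how big a problem is it” is to match the visitor IPs from the logs against the prefix list AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json. The script below is an added example (not code from the thread); the JSON document and the visitor addresses in it are constructed placeholders in the same shape as the real file, not AWS’s actual allocations. It filters on the `service` field because only `EC2` prefixes correspond to customer-run servers; the broader `AMAZON` and `CLOUDFRONT` entries cover Amazon’s own services and CDN, which is one reason a raw list looks smaller or larger than expected depending on which services it includes.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample in the shape of ip-ranges.json. The prefixes are
# documentation/placeholder ranges, not AWS's real allocations.
SAMPLE_IP_RANGES_JSON = """{
  "syncToken": "0",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:ec2::/48", "region": "eu-west-1", "service": "EC2"}
  ]
}"""

# Constructed visitor addresses, standing in for IPs pulled from the access log.
SAMPLE_VISITOR_IPS = [
    "198.51.100.7", "198.51.100.200", "203.0.113.9", "192.0.2.1", "2001:db8:ec2::1",
]


def load_prefixes(text, services=("EC2",)):
    """Return [(network, region, service)] for the chosen AWS services only.

    Restricting to EC2 avoids blocking CloudFront and other Amazon-operated
    ranges that ordinary visitors may legitimately come through.
    """
    doc = json.loads(text)
    out = []
    for entry in doc.get("prefixes", []):
        if entry["service"] in services:
            out.append((ipaddress.ip_network(entry["ip_prefix"]), entry["region"], entry["service"]))
    for entry in doc.get("ipv6_prefixes", []):
        if entry["service"] in services:
            out.append((ipaddress.ip_network(entry["ipv6_prefix"]), entry["region"], entry["service"]))
    return out


def lookup(ip, prefixes):
    """Return the (network, region, service) that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, region, service in prefixes:
        if addr.version == net.version and addr in net:
            return (net, region, service)
    return None


def summarize(ips, prefixes):
    """Count visitor hits per AWS region, with everything else under 'not-aws'."""
    counts = Counter()
    for ip in ips:
        hit = lookup(ip, prefixes)
        counts[hit[1] if hit else "not-aws"] += 1
    return counts


if __name__ == "__main__":
    ec2_only = load_prefixes(SAMPLE_IP_RANGES_JSON)
    for region, n in summarize(SAMPLE_VISITOR_IPS, ec2_only).most_common():
        print(f"{region:12s} {n}")
```

For real use, replace `SAMPLE_IP_RANGES_JSON` with the downloaded file and `SAMPLE_VISITOR_IPS` with the client column of the access log; the `not-aws` count against the per-region counts is the proportion the question above is asking about.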

Slow, looks like they are back @ 20:00 Pacific

1,236 Guests, 1 User (1 Spider)

Most Online Today: 1,694. (I think that’s a UTC “today”)

Back up to about 2000 this morning :x

What’s puzzling me most is what all this traffic is trying to do.

It’s from a lot of different IP addresses. Many claiming to be using lots of different versions of Chrome on Android. Accessing many different messages in the forum, but often the same message by a number of different guests at the same time which suggests collusion between the guests. The number of different IP addresses and Chrome versions suggests an attempt to hide the true identity of the ‘attacker’. It’s a form of DDoS but why? It’s not killing the server, just making it slower for other users, so it’s only a partial DDoS at best. In any case why launch a DDoS against the forum? It’s not as if it’s economically or geopolitically significant. No-one has said ‘pay us $$$$ and we stop’, not that I’d pay. So why spend compute and network resources bothering to do it? Given the level of collusion between guests it wouldn’t appear to be script kiddie based. Groups with the ability to launch something like this do it for a reason and I don’t see a reason!
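The two signals described above, the same message fetched by several different guests within the same short window and an unusually wide spread of Chrome versions, can be pulled straight out of the web server access log. The script below is an added example and not code from the thread; it parses the standard “combined” log format, groups hits by page and one-minute window, and reports windows where many distinct client IPs fetched the same page. The log lines are constructed samples (documentation IP ranges, made-up topic numbers in an SMF-style `/index.php?topic=…` path, and illustrative Android user agents), so the thresholds are only a starting point.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHROME_RE = re.compile(r"Chrome/(\d+)\.")

# Constructed sample log: four guests hit the same topic within seconds of each
# other, each with a different Android device and Chrome version; one unrelated
# desktop visit; one repeat visit a few minutes later; one junk line.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2000:13:55:01 +0000] "GET /index.php?topic=12345.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 9; MI 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36"
203.0.113.11 - - [10/Oct/2000:13:55:03 +0000] "GET /index.php?topic=12345.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 8.1.0; OPPO R11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.83 Mobile Safari/537.36"
198.51.100.5 - - [10/Oct/2000:13:55:04 +0000] "GET /index.php?topic=12345.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 7.0; vivo X9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36"
203.0.113.12 - - [10/Oct/2000:13:55:07 +0000] "GET /index.php?topic=12345.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 6.0; HUAWEI NXT-AL10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.126 Mobile Safari/537.36"
192.0.2.8 - - [10/Oct/2000:13:55:30 +0000] "GET /index.php?topic=777.0 HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"
203.0.113.10 - - [10/Oct/2000:13:58:12 +0000] "GET /index.php?topic=12345.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 9; MI 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36"
this line is not a log line
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    """Parse a whole log, silently skipping unparseable lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_bursts(records, window_seconds=60, min_ips=3):
    """Group hits by (path, time window) and report windows where at least
    min_ips distinct client IPs fetched the same page."""
    buckets = defaultdict(list)
    for r in records:
        slot = int(r["time"].timestamp()) // window_seconds
        buckets[(r["path"], slot)].append(r)
    bursts = []
    for (path, slot), hits in sorted(buckets.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        ips = {h["ip"] for h in hits}
        if len(ips) >= min_ips:
            bursts.append({
                "path": path,
                "window_start": datetime.fromtimestamp(slot * window_seconds, tz=timezone.utc),
                "hits": len(hits),
                "distinct_ips": len(ips),
                "distinct_uas": len({h["ua"] for h in hits}),
            })
    return bursts


def chrome_major_versions(records):
    """Sorted list of distinct Chrome major versions seen: a cheap measure of
    how varied the claimed browsers are."""
    versions = set()
    for r in records:
        m = CHROME_RE.search(r["ua"])
        if m:
            versions.add(int(m.group(1)))
    return sorted(versions)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for b in find_bursts(recs):
        print(f"{b['window_start']:%H:%M} {b['path']}: {b['distinct_ips']} IPs, "
              f"{b['distinct_uas']} user agents, {b['hits']} hits")
    print("Chrome majors seen:", chrome_major_versions(recs))
```

Run against a real log, the interesting output is a page that shows up in many consecutive windows with a high distinct-IP count and a distinct-UA count close to it; a genuinely popular page tends to show repeat visits from the same few addresses and a narrow band of browser versions. The `window_start` values are UTC, which matches the “UTC today” used by the forum’s own counter.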

The only similar thing I encountered was/is hidden text in postings.
Groups who want to exchange links or ideas or any information and have a repressive government, use “trusted” forums which are unsuspected by the intelligence people they try to hide from.

They post a few messages which when read do not reveal much.
They hide some links in plain sight with a not suspicious name (for instance “my new ws192 temp sensor”) but the link should go to their “important” information.
Or they have a message with some text in black and large “whitish” areas. Only when selecting the white area one can see the “hidden” text.

They also often work in “two phases”:
First they post those messages weeks before using them, without suspected links, with only irrelevant black texts.

Weeks later, they change the content of the message, so first it was a link to an image of a “ws192 temp sensor” and after the change weeks later it is something totally different. A small two line post suddenly has a large “white / uncolored” area at the bottom. And changed messages do not appear in “Recent posts”, no-one else checks those old posts.

If you have a ranking of visited posts, you could check a few if they hide their information that way.

But if they want to work this way, they indeed used the wrong forum as this forum can not handle thousands of visitors.

Wim

…Yeah …but Guests can’t post!

Only very few people post, the others are reading and following the links.
There are more than 8500 members, most of them have only a few posts. Can be anyone.
If I sent you 68356 549862 you can go to that topic and to that message.
Dozens of ways to distribute the keys

Wim

I keep a pretty close eye on who posts what. Any new member who posts junk or non-wx-related stuff usually gets deleted very quickly along with the post(s). I would be very surprised if there is any volume of secret posting here, unless it’s being done by someone we know with a keen interest in WD.

I don’t think it’s that unless they’re also looking at lots of other posts as well to disguise what they’re doing. Today some of the rogues are looking at a topic last posted to in 2009 and one where the only posters are very long-standing members of the forum.

I may be getting closer. I’ve managed to get a web stats run to complete (the logs are pretty huge) and the DNS cache indicates a lot of hits are coming from 163data.com.cn. At least some of those should be blocked by the firewall so I think something might be wrong in the firewall rules.

Just now 483 Guests and 3 Users…and it was very slow to load. I’m not sure if it is totally related to these Guests. Maybe it has to do with traversing the pond. Perhaps a CDN would help.

Most Online Today: 2,386 :roll:

I find it slow when the guests are on and good performance when they aren’t. The forum has been hosted in the current location for a number of years without many comments about performance and the recent performance issues have only started since the ‘guests’ arrived.

Slow with 992 users @ 18:00 Pacific