Abusive Hits Per Day

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • barelist
    Confirmed User
    • Jan 2009
    • 523

    #1

    Abusive Hits Per Day

    I've been noticing some really high hits from certain ips over the last few weeks.

    Mainly from Germany, Russia, and China... in 24hrs I had two ips hit 74,181 and 18,696 hits.

    I've writen an app before which will block IPs based on hits in a certain timeframe, but not for adult.

    What would you consider excessive hits from one IP in a 24hr period?
    http://www.barelist.com
    http://www.twitter.com/barelist
  • RayBonga
    too cool for highschool
    • Nov 2005
    • 12164

    #2
    any idea why this is happening?

    Comment

    • barelist
      Confirmed User
      • Jan 2009
      • 523

      #3
      Originally posted by RayBonga
      any idea why this is happening?
      No idea... I noticed a 20mbps increase in bandwidth... I knew something was up.
      http://www.barelist.com
      http://www.twitter.com/barelist

      Comment

      • SmokeyTheBear
        ►SouthOfHeaven
        • Jun 2004
        • 28609

        #4
        isolate what they are hitting first.
        hatisblack at yahoo.com

        Comment

        • barelist
          Confirmed User
          • Jan 2009
          • 523

          #5
          At that level of hits it doesn't matter to me. If it's not a search engine spider nothing needs to hit the site near that many times.

          If a valid surfer is blocked, I'll redirect blocked IPs to a friendly error page with contact info if they think they've been blocked by mistake.
          http://www.barelist.com
          http://www.twitter.com/barelist

          Comment

          • EdgeXXX
            Confirmed User
            • Oct 2005
            • 5816

            #6
            Normally I would say they are trying to run U:P lists against your site, but seeing as you have free registration that wouldn't make a whole lot of sense.
            .
            .
            .
            .

            I have a sig

            Comment

            • barelist
              Confirmed User
              • Jan 2009
              • 523

              #7
              I have a lot of buffer in terms of bandwidth, so that's not a problem yet... mainly it's just wasted bw and it's slowing my page down. After speeding a few weeks on page speed that's pretty annoying :/
              http://www.barelist.com
              http://www.twitter.com/barelist

              Comment

              • DateDoc
                Outside looking in.
                • Feb 2005
                • 14243

                #8
                If you host any of the videos on your site see which ones are being hotlinked.

                Comment

                • 1200mics
                  Confirmed User
                  • Sep 2005
                  • 5131

                  #9
                  Why would they do that ?

                  Comment

                  • barelist
                    Confirmed User
                    • Jan 2009
                    • 523

                    #10
                    Here's a few of the IPs I've noticed hammering the site the last few days:
                    61.145.136.114
                    77.88.26.27
                    79.203.75.91
                    88.64.52.20
                    125.85.15.25
                    221.174.16.60
                    http://www.barelist.com
                    http://www.twitter.com/barelist

                    Comment

                    • woj
                      <&(©¿©)&>
                      • Jul 2002
                      • 47882

                      #11
                      like smokey said you need to figure out what they are hitting first, look in the log files..
                      Custom Software Development, email: woj#at#wojfun#.#com to discuss details or skype: wojl2000 or gchat: wojfun or telegram: wojl2000
                      Affiliate program tools: Hosted Galleries Manager Banner Manager Video Manager
                      Wordpress Affiliate Plugin Pic/Movie of the Day Fansign Generator Zip Manager

                      Comment

                      • mkx
                        Confirmed User
                        • Nov 2003
                        • 4001

                        #12
                        they are probably jacking your website content to make their own

                        Comment

                        • barelist
                          Confirmed User
                          • Jan 2009
                          • 523

                          #13
                          Originally posted by woj
                          like smokey said you need to figure out what they are hitting first, look in the log files..
                          Looks like web scrapers... pulling a bunch of .aspx and .html pages without any content on them.

                          Then all of a sudden there will be a bunch of thumbs with no page opened...
                          http://www.barelist.com
                          http://www.twitter.com/barelist

                          Comment

                          • barelist
                            Confirmed User
                            • Jan 2009
                            • 523

                            #14
                            Wrote an app to discourage abuse and block IPs... I'm just not sure if I'm being too liberal or too strict. I guess I'll find out soon enough.

                            Here's a graph of where my bandwidth was spiking 15-30mbps over the last week or so:
                            http://www.barelist.com
                            http://www.twitter.com/barelist

                            Comment

                            • SmellyNose
                              Confirmed User
                              • Aug 2009
                              • 206

                              #15
                              What language? Is it a cronjob to check your access log sort of like:

                              Code:
                              cat /var/log/apache2/access.log | awk '{print $1}' | wc -l
                              I will be looking at implementing something similar soon so would be interested in your thoughts on your current setup.
                              I'm a PHP developer - 594086663 - [email protected]

                              Comment

                              • barelist
                                Confirmed User
                                • Jan 2009
                                • 523

                                #16
                                Originally posted by AdultStoriesNow
                                What language? Is it a cronjob to check your access log sort of like:

                                Code:
                                cat /var/log/apache2/access.log | awk '{print $1}' | wc -l
                                I will be looking at implementing something similar soon so would be interested in your thoughts on your current setup.
                                .net

                                I'm grabbing low level ip hits (no client needed) over all my sites and if hits exceed a certain number over a set interval it's flagged as abuse and the app blocks the IP in IIS.

                                Had my wife and myself browse the site pretty heavy, but stopping like a surfer would, then figured out a number of hits to start with. I'll probably look over the blocked ips for the next week and see if I'm blocking any legit looking IPs. I'll also see how the bandwidth changes.

                                They are then directed to a 403 page with contact information if they feel they were blocked in error
                                Last edited by barelist; 01-23-2010, 03:21 PM.
                                http://www.barelist.com
                                http://www.twitter.com/barelist

                                Comment

                                • raymor
                                  Confirmed User
                                  • Oct 2002
                                  • 3745

                                  #17
                                  For Throttlebox we graphed the derivative of IP versus hits.
                                  The knee in the graph clearly shows normal versus abusive behaviour.
                                  Alternatively, slight less accurate is to graph to top X IPs where
                                  X is high enough to show the knee. Here's an example of that from
                                  Throttlebox:

                                  https://bettercgi.com/throttlebox/ma...oosing_limits/

                                  You see in the graph that the second highest, third highest etc. are roughly
                                  linear with a near horizontal slope. That's indicative of normal usage. In the
                                  case of the graph illustrated, only the #1 top user is far from being linear with
                                  the others - that's the abusive one.

                                  For another example, let's say the graph looked like this:

                                  Code:
                                  20 #
                                  19 #
                                  18 ##
                                  17 ###
                                  16 ###
                                  15 ###
                                  14 ####
                                  13 ##### 
                                  12 #####
                                  11 #####
                                  10 #####
                                  9  ######
                                  8  ######
                                  7  ########
                                  6  #########
                                  5  ############
                                  4  ##############
                                  3  #####################################################
                                  2  #################################################################
                                  1  ####################################################################
                                  In this ASCII graph, the top three are way out of line from the others, which is
                                  indicative of abuse.

                                  That will tell you where the cut off line should be, but that's the easy part.
                                  There are much more difficult issues to work out before you have something
                                  truly effective.

                                  You have to be careful since you're working with IPv4 addresses.
                                  You should expect that AOLs proxies and DTAGs proxies, for example, are going to
                                  have a LOT more hits than any normal IP, on a site with a broad user base.
                                  If the site has 12 AOL users on at different times of the same day, six of those
                                  users may show up as the same IP.

                                  On the other side, an cracker going through a zombie web server may use all sixteen
                                  IPs on that server, so you really want to look at ranges of IPs as well.

                                  I know I'm throwing a lot out there at you, but only because there are a lot of things
                                  to consider.
                                  We've been working on "detect and stop abuse" for a decade and half and still need
                                  to do updates all the time in order to remain optimally effective.
                                  For historical display only. This information is not current:
                                  support&#64;bettercgi.com ICQ 7208627
                                  Strongbox - The next generation in site security
                                  Throttlebox - The next generation in bandwidth control
                                  Clonebox - Backup and disaster recovery on steroids

                                  Comment

                                  Working...