Any help identifying DoS Attacks?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts


    Like several of you who have had the misfortune to run over your monthly bandwidth allotment, I searched the forums and knowledgebase to find out what the problem was.
    • We saw a 500% spike in bandwidth usage
    • there was no increase in analytics or sales
    • there were no changes to the site


    Like I said, I've read the forums and have seen the cynical ("why would 3dcart help when they charge $5/GB of overage") argue with the proud ("it's nobody's responsibility but your own to monitor your site's bandwidth usage"). I've seen people sing the praises of Smarter Stats, but I haven't seen any guides for using them. I've seen people blocking IP addresses and not knowing why. I tried all the same things.

    I contacted 3dcart support and they had me make changes to my site that would drive down bandwidth usage. That didn't work for me. I know that the advice I got there was good: using my Smarter Stats and optimizing the files that get the most traffic, enabling advanced page cache, etc. But like I said before -- the amount of legitimate traffic to our site has been static, as has our site. I made the changes suggested, but they did not effect change. Their next suggestion, upgrading my plan again, to a third level above what we need, I will not take.

    So, instead of haphazardly blocking IPs, I'm reaching out to the community. What DoS attacks have you received? Besides researching each IP that takes up the most bandwidth, how do you decide which IPs are legitimate customers? How do I/how do you currently identify the source and method of attack of these DoS attacks? Besides blocking IPs and changing the robots.txt file (which a DoS attacker will ignore anyway), what measures can we take?

    For those of you just as lost as I am, I've been using Smarter Stats to first identify the IPs that use the most bandwidth, then do the following:
    • search for them online to see if they are associated with any blacklists
    • see if they're located outside of the country (we don't do any international business currently)
    • use the data mining feature in Smarter Stats to see what the top files requested by the IP are (see if it's a real user or a bot)
    • block it and hope it's not a legitimate user or search engine bot.


    Any advice or resources you might be able to point me to would be greatly appreciated.
    Webmaster: Texas Media Systems

  • #2
    Attack 01

    I found that in the past month, the three IPs using the most bandwidth were all targeting the same URL. Funnily enough, that URL is one I created specifically for an ad that runs on a web forum. Checking that ad's stats for the month, I found that there had been no clicks on it.

    I submitted the 3 IPs to the site admin who checked and said that none of them had visited the site.

    The three IPs were using Amazon's Elastic Compute Cloud (EC2) service. I've reported the abuse to Amazon. We'll see if they can give me any information on who was using those IPs.

    STAY TUNED...
    Webmaster: Texas Media Systems
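The triage the opening post describes (rank clients by bandwidth, then look at which files each one actually requests) and the pattern in the post above (three addresses all hitting one ad landing page that the ad itself never sent a click to), as an added example that is not part of this thread and not 3dcart's or Smarter Stats' own tooling. It assumes an Apache/nginx Combined Log Format access log rather than the IIS logs Smarter Stats reads; the log lines, addresses (documentation ranges) and URLs are constructed, and the `review` verdict is a heuristic for what to look at first, not proof of abuse:

```python
"""Rank clients by bandwidth and look at what each one requests.

Added example, not code from the thread or from 3dcart/Smarter Stats.
Assumes Combined Log Format (Apache/nginx). The log lines below are
constructed: 203.0.113.0/24 and 198.51.100.0/24 are documentation
ranges and the URLs are made up.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: two clients hammer one landing page with no referrer,
# one client browses the way a shopper does (page, asset, product, checkout).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2013:09:00:01 -0500] "GET /promo-forum-ad.html HTTP/1.1" 200 184320 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2013:09:00:02 -0500] "GET /promo-forum-ad.html HTTP/1.1" 200 184320 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2013:09:00:03 -0500] "GET /promo-forum-ad.html HTTP/1.1" 200 184320 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Apr/2013:09:00:04 -0500] "GET /promo-forum-ad.html HTTP/1.1" 200 184320 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Apr/2013:09:00:05 -0500] "GET /promo-forum-ad.html HTTP/1.1" 200 184320 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Apr/2013:09:01:10 -0500] "GET / HTTP/1.1" 200 15200 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Apr/2013:09:01:12 -0500] "GET /assets/style.css HTTP/1.1" 200 8100 "http://shop.example/" "Mozilla/5.0"
198.51.100.20 - - [18/Apr/2013:09:01:30 -0500] "GET /zeiss-set-of-shims-cp2_p_5361.html HTTP/1.1" 200 22400 "http://shop.example/" "Mozilla/5.0"
198.51.100.20 - - [18/Apr/2013:09:02:05 -0500] "GET /checkout.asp HTTP/1.1" 200 9800 "http://shop.example/zeiss-set-of-shims-cp2_p_5361.html" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines; unparseable lines are skipped, '-' bytes count as 0."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        records.append(rec)
    return records


def bytes_by_ip(records):
    """Total response bytes per client: the number the bandwidth report sorts on."""
    totals = Counter()
    for r in records:
        totals[r["ip"]] += r["bytes"]
    return totals


def top_paths(records, ip, n=3):
    """Most requested paths for one client. A shopper spreads requests over
    pages and assets; a scripted client tends to hit one URL over and over."""
    return Counter(r["path"] for r in records if r["ip"] == ip).most_common(n)


def triage(records, top_n=3, concentration=0.9):
    """Summarise the heaviest clients. The verdict is a heuristic, not proof:
    nearly every request to one URL and never a referrer is the shape the
    poster saw from the three EC2 addresses, so it is flagged for review."""
    totals = bytes_by_ip(records)
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    rows = []
    for ip, total in totals.most_common(top_n):
        reqs = by_ip[ip]
        path, hits = top_paths(records, ip, 1)[0]
        share = hits / len(reqs)
        with_ref = sum(1 for r in reqs if r["referer"] != "-") / len(reqs)
        rows.append({
            "ip": ip, "bytes": total, "requests": len(reqs),
            "top_path": path, "top_share": round(share, 2),
            "referer_rate": round(with_ref, 2),
            "verdict": "review" if share >= concentration and with_ref == 0
                       else "looks-like-browsing",
        })
    return rows


if __name__ == "__main__":
    for row in triage(parse_log(SAMPLE_LOG)):
        print(row)
```

The blacklist and country checks from the first post need outside data (a DNSBL or geolocation lookup) and are left out. One caveat before turning a `review` verdict into a block: search engine crawlers also concentrate on a few URLs and send no referrer, so check the user agent and, for a crawler claiming to be Googlebot, its reverse DNS, before adding a rule.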



    • #3
      Attack 02

      I banned the three IPs above last week. The IP giving me the most trouble this week is requesting pages in an abnormal fashion. I haven't figured out why or if this will help me track them down.

      EXAMPLE:
      /zeiss-set-of-shims-cp2_p_0-5361.html
      /zeiss-set-of-shims-cp2_p_5361.html


      The top one adds "0-" to the item number. Why? If anyone understands what is going on here or if this behavior clearly shows abuse somehow, please clue me in.

      UPDATE:
      Using WHOIS to find out who is behind this particular IP (after using several different sites for this, I prefer http://en.utrace.de), I tried calling the OrgAbusePhone listed. The person there told me I should contact my local host to determine if the IP is malicious and then contact them back if it is. Here are some steps he said the web host could take:
      • setting up a black hole
      • looking at flows
      • create access lists

      I don't know what any of that is, but I'd like to try it. I'm going to research it now. Can 3dcart facilitate any of the above?
      Last edited by TMS Clint; 04-18-2013, 04:39 PM.
      Webmaster: Texas Media Systems



      • #4
        Does your merchant processor require quarterly scans? If so, that can sometimes be the culprit. We have mandatory quarterly scans, and the day the scan is run, my bandwidth ALWAYS goes over the allotted amount. We use ControlScan.
        Chris
        TC Life Safety
        TC Wireless



        • #5
          Originally posted by tclifesafety:
          Does your merchant processor require quarterly scans? If so, that can sometimes be the culprit. We have mandatory quarterly scans, and the day the scan is run, my bandwidth ALWAYS goes over the allotted amount. We use ControlScan.
          I had not considered that. However, looking into it, that is not the case. Thank you for the suggestion!
          Webmaster: Texas Media Systems



          • #6
            Attack 01 Update

            I got a response from Amazon requesting the following information on the three IPs that attacked me using their EC2 Service:

            * Destination IP (your IP)
            * Destination Port and Protocol
            * Accurate Date, Time and *Time Zone* of activity
            * Intensity and frequency of activity in short log extracts, no larger than 4KB

            I've submitted a support ticket to get this information. Will continue to update this thread as new developments... develop.
            Webmaster: Texas Media Systems
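Assembling the four items Amazon asked for, as an added example that is not part of this thread and not any provider's tooling. It works from already-parsed request records rather than raw log lines; the records, the addresses (documentation ranges) and the UTC-5 log time zone are constructed. What it shows that the post does not: convert every timestamp to one explicit zone, state intensity as requests per minute, and cut the extract so it stays under the 4 KB cap rather than guessing at its size:

```python
"""Build the abuse-report extract a cloud provider asks for: destination,
port/protocol, timestamps in an explicit time zone, intensity, and a log
extract capped at 4 KB.

Added example, not from the thread. Records are constructed; 203.0.113.10
(reporter) and 198.51.100.0/24 (sources) are documentation ranges.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

MAX_EXTRACT_BYTES = 4096                  # cap quoted by the abuse desk
LOCAL_TZ = timezone(timedelta(hours=-5))  # constructed: the log host's local zone


def _constructed_records():
    """One source hits a page every 2 s for three minutes; a bystander makes 3 requests."""
    base = datetime(2013, 4, 18, 9, 0, 0, tzinfo=LOCAL_TZ)
    recs = [
        {"ts": base + timedelta(seconds=2 * i), "src": "198.51.100.77",
         "dst": "203.0.113.10", "port": 80, "proto": "TCP",
         "req": "GET /promo-forum-ad.html", "bytes": 184320}
        for i in range(90)
    ]
    recs += [
        {"ts": base + timedelta(seconds=40 * i), "src": "198.51.100.5",
         "dst": "203.0.113.10", "port": 80, "proto": "TCP",
         "req": "GET /index.html", "bytes": 15200}
        for i in range(3)
    ]
    return recs


SAMPLE_RECORDS = _constructed_records()


def intensity_by_minute(records, src):
    """Requests per UTC minute from one source: the 'intensity and frequency' item."""
    per_min = Counter()
    for r in records:
        if r["src"] == src:
            per_min[r["ts"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(sorted(per_min.items()))


def build_abuse_extract(records, src, limit=MAX_EXTRACT_BYTES):
    """Return the report text, always at or under `limit` bytes of UTF-8."""
    hits = sorted((r for r in records if r["src"] == src), key=lambda r: r["ts"])
    if not hits:
        raise ValueError(f"no requests from {src}")
    per_min = intensity_by_minute(records, src)
    dests = sorted({(r["dst"], r["port"], r["proto"]) for r in hits})
    first = hits[0]["ts"].astimezone(timezone.utc)
    last = hits[-1]["ts"].astimezone(timezone.utc)
    header = [
        f"Source: {src}",
        "Destination: " + ", ".join(f"{d}:{p}/{pr}" for d, p, pr in dests),
        "Time zone: UTC (all timestamps below are ISO 8601 with +00:00 offset)",
        f"Window: {first.isoformat()} to {last.isoformat()}",
        f"Total requests: {len(hits)}; peak {max(per_min.values())}/min "
        f"over {len(per_min)} minute(s)",
        "Log extract:",
    ]
    lines = [f"{r['ts'].astimezone(timezone.utc).isoformat()} {r['src']} -> "
             f"{r['dst']}:{r['port']}/{r['proto']} {r['req']} {r['bytes']} B"
             for r in hits]
    out = list(header)
    size = sum(len(h.encode()) + 1 for h in header)   # +1 per newline
    for i, line in enumerate(lines):
        footer = f"... {len(lines) - i} more line(s) omitted to stay under {limit} bytes"
        # Always reserve room for the footer, so the cap is never exceeded
        # (conservative: may drop the very last line when it would just fit).
        if size + len(line.encode()) + 1 + len(footer.encode()) + 1 > limit:
            out.append(footer)
            break
        out.append(line)
        size += len(line.encode()) + 1
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_abuse_extract(SAMPLE_RECORDS, "198.51.100.77"))
```

The peak-per-minute figure is what lets the abuse desk judge whether the traffic was a burst or a steady drip, and the explicit `+00:00` offset removes the ambiguity the request warns about with its emphasis on the time zone.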



            • #7
              We have been getting attacked. We now have around 750 unfinished orders. When we go in there to look at them, they are filled up with spammy URLs in the order form. We contacted the company (from the IP) and it has slowed down.



              • #8
                I was getting those SPAM incomplete orders on my Gift Certificates (lots of text fields for them to play with) and it was driving me crazy. I was exporting the orders, extracting the IP addresses, blocking them, and new ones would pop up.

                I ended up implementing Cloud Flare (free version) and it pretty much eliminated the problem. And a side benefit was that it cut my bandwidth.



                • #9
                  Originally posted by TomCrable:
                  I ended up implementing Cloud Flare (free version) and it pretty much eliminated the problem. And a side benefit was that it cut my bandwidth.
                  Tom! Thanks for the tip, I've been able to identify the big attacks (after the fact) and block the IPs, but have been having a harder time distinguishing which of the smaller IPs were attackers vs. legitimate customers. Even then, that's information I've gathered after the fact.

                  Cloud Flare looks like it would be a good solution, but we're running our web store through a subdomain and CF requires a top-level domain. I'm trying to find the best way to transition over without losing backlinks. Otherwise, CF's top-level DDoS Protection was cheaper than the other services I found.

                  Thanks again!
                  Webmaster: Texas Media Systems
