May 30, 2004

Gushers Of Filth

I get email notifications whenever someone leaves a comment on any blog I operate. Two days ago I got hit by hundreds of spam comments promoting some of the filthiest garbage on the net. I deleted them all.

A couple of features to this particular form of attack: twenty or so comments from the same IP address would get posted to a particular archive entry; then a new IP address would hit a new entry, and so on, for hundreds of posts.

Several hours later, I got hit again. After some investigation I determined a couple of things. First, the volume and timing of the posts made it clear this was an automated attack. Somehow the attacker had gotten a hold of my custom-named comment script and was submitting POST requests using that name. Total submissions: over 1,400.

That led to yesterday's notice. Any attempt to access the old comment script was redirected to a notice page, and a helpful php script emailed the offender's IP address to me.

A few hours ago I checked my mail and had almost a thousand notices that the spammer had hit the script. OK, so clearly the attacker isn't checking the results of his postings.

Then I checked my logs. The attacker was flooding me even as I was trying to stop him! I checked the attacker's current IP address, edited my .htaccess file, and banned it. Then I checked my logs again. The IP had changed in seconds! I banned the new IP. Same result.

I got pissed. I edited the .htaccess file to "deny from all." This shut down all web access to the domain. Then I checked my access and error logs again. An interesting pattern emerged. Each time the attacker got a "Forbidden" notice, the IP changed.

I amended my .htaccess file to deny access only to the comment script, and restored access to the site. Sure enough, the IP addresses kept changing. After a few minutes of "Forbidden" errors, the attacks stopped altogether. I'm sure they'll be back.

I deduce a couple of things from my observations:

  1. The speed of the attack - a post per second, on average - seems to indicate an automated attack.
  2. The attack bot adapts very quickly to IP banning and throttling.
  3. The attack bot uses hundreds, even thousands, of open proxies to work its black magic.
  4. After a few minutes of complete stonewalling, the bot apparently gives up.

I can think of two things that would help stop this type of attack. First, open web proxies either need to shut down or closely monitor themselves for abusive users. Second, blogs with automated comment forms may need to implement throttling without regard to IP address. I hate to turn comments off completely or switch to a registration system, but that might be necessary if this keeps happening.
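As an added example (not code from the original post), here is one way to implement the two ideas above in a comment handler: a sliding-window throttle keyed by the target archive entry and by the site as a whole, so that rotating proxies do not buy the bot any extra capacity, plus a small log check for the pattern described in the post, where the source IP changes right after each "Forbidden" response. The log format, the script path `/comments-placeholder.cgi`, and the sample lines are constructed for the example; the real comment script name is not given in the post.

```python
"""Added example: IP-independent comment throttling and a log check for
IP rotation after 403s. All names and sample data here are constructed."""
import re
import time
from collections import defaultdict, deque


class CommentThrottle:
    """Sliding-window rate limiter that ignores the client IP.

    Two windows are kept: one per archive entry (the bot posted ~20 comments
    per entry) and one for the whole site (a post per second overall). A bot
    that changes IP after every ban still runs into both ceilings.
    """

    def __init__(self, per_entry_limit=5, site_limit=30, window_seconds=60):
        self.per_entry_limit = per_entry_limit
        self.site_limit = site_limit
        self.window = window_seconds
        self.per_entry = defaultdict(deque)  # entry_id -> timestamps
        self.site = deque()                  # all accepted timestamps

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, entry_id, now=None):
        """Return True if a comment on entry_id may be accepted right now."""
        now = time.time() if now is None else now
        q = self.per_entry[entry_id]
        self._prune(q, now)
        self._prune(self.site, now)
        if len(q) >= self.per_entry_limit or len(self.site) >= self.site_limit:
            return False
        q.append(now)
        self.site.append(now)
        return True


# Common-log-format line: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (IPs from documentation ranges, placeholder script).
SAMPLE_LOG = [
    '198.51.100.7 - - [30/May/2004:22:01:01 -0400] "POST /comments-placeholder.cgi HTTP/1.0" 200 512',
    '198.51.100.7 - - [30/May/2004:22:01:02 -0400] "POST /comments-placeholder.cgi HTTP/1.0" 403 312',
    '203.0.113.44 - - [30/May/2004:22:01:03 -0400] "POST /comments-placeholder.cgi HTTP/1.0" 403 312',
    '192.0.2.19 - - [30/May/2004:22:01:04 -0400] "POST /comments-placeholder.cgi HTTP/1.0" 403 312',
    '198.51.100.200 - - [30/May/2004:22:01:05 -0400] "GET /index.html HTTP/1.0" 200 2048',
    '198.51.100.200 - - [30/May/2004:22:01:06 -0400] "POST /comments-placeholder.cgi HTTP/1.0" 200 512',
]


def rotation_stats(lines, script_path):
    """Summarise POSTs to script_path: total, distinct IPs, and how many times
    the IP changed immediately after a 403 (the proxy-rotation signature)."""
    total, ips, rotations = 0, set(), 0
    prev_ip, prev_status = None, None
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, method, path, status = m.groups()
        if method != "POST" or path != script_path:
            continue
        total += 1
        ips.add(ip)
        if prev_status == "403" and ip != prev_ip:
            rotations += 1
        prev_ip, prev_status = ip, status
    return {"posts": total, "distinct_ips": len(ips), "rotations_after_403": rotations}


def looks_like_rotating_bot(stats, min_rotations=2):
    """Heuristic: several IP changes right after 403s means per-IP bans alone
    will not hold, and IP-independent throttling should be switched on."""
    return stats["rotations_after_403"] >= min_rotations


if __name__ == "__main__":
    s = rotation_stats(SAMPLE_LOG, "/comments-placeholder.cgi")
    print(s, "rotating bot:", looks_like_rotating_bot(s))
```

The throttle deliberately takes no IP argument: the post's observation is that the source address changed within seconds of each ban, so the only stable thing to count is the target entry and the site-wide rate. Thresholds here are illustrative and would be tuned to a blog's normal comment volume.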

UPDATE: Two of the websites advertised appear to be hosted by an American company, Atrivo.

This will be useful for law enforcement purposes.

Note to self: Consider additional measures.

Posted by wasylik at May 30, 2004 11:35 PM | TrackBack