Chinese downloads overloading my website

Got a note from an ISP today indicating that my website was suspended due to data transfer over-use for the month. (>50G) It's only the 7th day of the month and this hadn't been a problem in the 6 years they'd hosted the service.

Turns out that three Chinese sources had downloaded the same set of files, each 262 times. That would do it.

So, anyone else looking to update bipolar semiconductor, packaging or spice parameter spreadsheets; look at K.A.Pullen's 'Conductance Design Curve Manual' or any of the other bits stored at ve3ute.ca are out of luck, for the rest of the month.

Seems strange that the same three addresses downloaded the same files, the same number of times. Is this a denial of service attack?

RL

Reply to
legg

I have seen DNS servers in China poisoned in such a way that lookups of sites that are deemed to be inappropriate are responded to with the address of some random but genuine site. This happened to a company in the UK and resulted in a huge amount of traffic. Why such a DNS poisoning would lead to lots of downloads is less obvious.

John

Reply to
John R Walliker

A quick response from the ISP says they're blocking the three hosts and 'monitoring the situation'.

All the downloading was occurring between certain hours of the day in sequence - first one host between 11 and 12pm, one day's rest, then the second host at the same time on the third day, then the third host on the fourth day.

Same files 262 times each, 17Gb each.

Not normal web activity, as I know it.

RL

Reply to
legg

Much as I *hate* Captcha this is the sort of DOS attack that it helps to prevent. The other option is to add a script to tarpit or block completely second or third requests for the same large files coming from the same IP address occurring within the hour.

Quite likely. Your ISP should be able to help you with this if they are any good. Most have at least some defences against ridiculous numbers of downloads or other traffic coming from the same bad actor source.

Provided that you don't have too many customers in mainland China, blacklist the main zones of their IP address range.

One rogue hammering your site is just run of the mill bad luck but three of them doing it in quick succession looks very suspicious to me.

Reply to
Martin Brown

Beijing, Harbin and roaming.

Yeah. You gotta ask yourself; what's the friggin' point?

RL

Reply to
legg

Any idea what's involved - preferably anything that doesn't owe to Google?

ISP bumped up limit for this month as courtesy, after blocking the first three hosts, but a fourth host just gobbled that up.

3rd March 1.82.160.27 Chinanet Shaanxi, China telecom #56 Gaoxin St Beijing 100032
5th March 183.197.52.166 China Mobile Communications
6th March 42.184.167.97 Chinanet Heilongjiang, Heilongjiang Telecom,#178 Zhongshan Rd Haerbin 150040
8th March 106.46.35.206 Chinanet Henan, Henan Telecom

I'd like to limit traffic data volume by any host to <500M, or <50M in 24hrs. It's all ftp.

Have access to Pldesk, but am unfamiliar with capabilities and clued out how to do much of anything save file transfer.

RL

Reply to
legg

If you can password-protect the pages, why not do that but include the password in the text so that any human can see it and copy it? i.e.

~~~~~~~~
To prove you are human you must type in the password, the password is ABC
Password: ___
~~~~~~~~

I don't think there is an easy way of writing anything automatic in the HTML Body text but you might be able to add a script to the Head that checks the IP address and blocks the ones you don't want.

If you can write PHP, you could easily write your own version of Captcha or write a script that limits the number of repeat visits from the same IP address in a given time. Mixing PHP into HTML pages is easy but you have to change the file extension of each page from .htm to .php

Servers generally have facilities for PHP already built-in and the W3 Schools tutorials can get you started.

Reply to
Liz Tuddenham

That looks like it's good for accessing an html page. So far the Chinese are accessing the top level index, where files are offered for download at a click.

Ideally, if they can't access the top level, a direct address access to the files might be prevented?

The website's down after a fifth excursion pushed volumes above 85g on a 70G temporary extension. What's the bet it was 17G accumulated in 262 'visits'.

Can't ID that final host's IP address while I'm locked out.

Luckily (~) for users, you can still access most of the useful files, updated in January 2024, through the Wayback Machine.

Probably the best place for it, in some people's opinion, anyways.

YOU can make stuff available to others, in the future, by 'suggesting' relevant site addresses to the Internet Archive, if they're not already being covered.

Once a 'captcha' or other security device is added, you can kiss Wayback updates goodbye, as most bots will get the message. I don't mind bots - they can do good work.

Pity you can't just put stuff up in the public domain without this kind of bullshit.

RL

Reply to
legg

That doesn't work if humans are doing the work in human Captcha solving services:

"I Was a Human CAPTCHA Solver"


Reply to
Jeff Liebermann

FTP makes it harder, you'll probably need to process the FTP logs and put in a firewall rule once an IP address has exceeded their quota. It may be possible to configure fail2ban to do this or you might have to write your own script.

You'll probably need a root shell to do this setup.

Reply to
Jasen Betts
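
The log-processing approach suggested above, applied to the "<50M in 24hrs" per-host limit legg asked for (an added example, not part of any post in the thread). It assumes the FTP server writes the common xferlog format, which the thread does not state; the sample records, addresses and file paths are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

QUOTA_BYTES = 50 * 1024 * 1024   # the "<50M in 24hrs" figure from the thread
WINDOW = timedelta(hours=24)

def parse_xferlog(line):
    """Return (time, host, bytes, path) for one download record, else None."""
    t = line.split()
    if len(t) < 18:              # 5 date tokens + 3 + filename + 9 trailing fields
        return None
    try:
        when = datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(t[7])
    except ValueError:
        return None
    if t[-7] != "o":             # direction flag: o = outgoing (a download)
        return None
    # Count fixed fields from both ends so a path containing spaces survives.
    return when, t[6], size, " ".join(t[8:-9])

def hosts_over_quota(lines, quota=QUOTA_BYTES, window=WINDOW):
    """Map host -> peak bytes seen in any sliding window, if above quota."""
    recent = defaultdict(deque)  # host -> (time, bytes) still inside the window
    running = defaultdict(int)   # host -> byte total of those entries
    peak = {}
    for when, host, size, _path in sorted(filter(None, map(parse_xferlog, lines))):
        q = recent[host]
        q.append((when, size))
        running[host] += size
        while q[0][0] <= when - window:      # expire transfers older than 24 h
            running[host] -= q.popleft()[1]
        if running[host] > quota:
            peak[host] = max(peak.get(host, 0), running[host])
    return peak

# Constructed sample records (documentation addresses, hypothetical paths).
SAMPLE_LOG = """\
Thu Mar  7 09:00:00 2024 39 198.51.100.20 31457280 /pub/big.zip b _ o a anon@ ftp 0 * c
Thu Mar  7 23:05:01 2024 40 203.0.113.7 31457280 /pub/big.zip b _ o a anon@ ftp 0 * c
Thu Mar  7 23:20:44 2024 41 203.0.113.7 31457280 /pub/big.zip b _ o a anon@ ftp 0 * c
Fri Mar  8 10:30:00 2024 39 198.51.100.20 31457280 /pub/big.zip b _ o a anon@ ftp 0 * c
Fri Mar  8 10:31:00 2024 5 198.51.100.20 99999999 /incoming/up.bin b _ i a anon@ ftp 0 * c
""".splitlines()

if __name__ == "__main__":
    for host, total in hosts_over_quota(SAMPLE_LOG).items():
        print(f"{host} exceeded quota: {total} bytes within 24 h")
```

The returned hosts are what a firewall rule or fail2ban action would then act on. A per-host quota caps each address only; later in the thread legg reports each 17G block arriving from a new address.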

Blocking a single IP hasn't worked for my ISP.

Each identical 17G download block (262 visits) was by a new IP in a completely different location/region.

Beijing, Harbin, Henan, a mobile and a fifth, so far untraced due to suspension of my site.

RL

Reply to
legg

You can still access most of the useful files, updated in January 2024, through the Wayback Machine.

Probably the best place for it, in some people's opinion, anyways.

RL

Reply to
legg

<snip>

Using barebones (Netscape) Seamonkey Composer, the Oodlestech script generates a web page with a 4-figure manually-entered human test.

How do I get a correct response to open the protected web page?

<snip>

The top (~index) web page of my site has lists of direct links to subdirectories, for double-click download by user.

It also has links to other web pages that, in turn, offer links or downloads to on-site and off-site locations. A great number of off-site links are invalid, after ~10-20 years of neglect. They'll probably stay that way until something or somebody convinces me that it's all not just a waste of time.

At present, I only maintain data links or electronic publications that need it. This may not be necessary, as the files are generally small enough for the Wayback machine to have scooped up most of the databases and spreadsheets. They're also showing up in other places, with my blessing. Hell - Wayback even has tube curve pages from the 'Conductance Curve Design Manual' - they've got to be buried 4 folders deep - and each is a hefty image.

Somebody, please tell me the 'Internet Archive' is NOT owned by Google?

Some off-site links for large image-bound mfr-logo-ident web pages (c/o geek@scorpiorising) seem already to have introduced a captcha-type routine. Wouldn't need many bot hits to bump that location into a data limit. Those pages take a long time simply to load.

Anyway - how to get the Oodlestech script to open the appropriate page, after vetting the user as being human?

RL

Reply to
legg

Doing some simple experiments by temporarily renaming/replacing some of the larger files being targeted, just to see how the bot reacts to the new environment. If they find renamed files it means something. If visits to get the same 17G alter it means something else.

This all at the expense and patience of my ISP. Thumbs up there.

RL

Reply to
legg

Why don't you block entire blocks of Chinese IP addresses that contain the ones that have attacked you until the problem ceases? eg. add a few banned IP destinations to your .htaccess file

1.80.*.* thru 1.95.*.*
101.16.*.* thru 101.16.*.*
101.144.*.* thru 101.159.*.*

If you block just a few big chunks it should make some difference. You might have to inflict a bit of collateral damage in the 101.* range.

Otherwise you are stuck with adding some Captcha type thing to prevent malicious bots hammering your site. I'm a bit surprised that your ISP doesn't offer or have site wide countermeasures for such DOS attacks.

Reply to
Martin Brown
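
The three ranges in the post above written as CIDR blocks, with a check of which of the four source addresses legg listed earlier fall inside them (an added example, not part of the post). It uses only Python's standard `ipaddress` module; the function names are illustrative.

```python
import ipaddress

# Ranges as written in the post: (first two octets, last two octets).
POSTED_RANGES = [("1.80", "1.95"), ("101.16", "101.16"), ("101.144", "101.159")]
# Source addresses legg listed earlier in the thread.
OBSERVED = ["1.82.160.27", "183.197.52.166", "42.184.167.97", "106.46.35.206"]

def to_cidr(first, last):
    """Collapse 'a.b.*.* thru c.d.*.*' into the fewest CIDR networks."""
    lo = ipaddress.IPv4Address(f"{first}.0.0")
    hi = ipaddress.IPv4Address(f"{last}.255.255")
    return list(ipaddress.summarize_address_range(lo, hi))

def blocklist(ranges=POSTED_RANGES):
    """All posted ranges as a sorted, merged list of networks."""
    nets = [n for first, last in ranges for n in to_cidr(first, last)]
    return list(ipaddress.collapse_addresses(nets))

def coverage(addresses, nets):
    """Map each address to the network that would block it, or None."""
    result = {}
    for addr in addresses:
        ip = ipaddress.IPv4Address(addr)
        result[addr] = next((str(n) for n in nets if ip in n), None)
    return result

if __name__ == "__main__":
    nets = blocklist()
    print("CIDR blocks:", ", ".join(map(str, nets)))
    for addr, net in coverage(OBSERVED, nets).items():
        print(f"{addr:16} {'blocked by ' + net if net else 'not covered'}")
```

Only 1.82.160.27 falls inside these three blocks, so the other listed sources would need ranges of their own.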

IME, the hidden google re-captcha works brilliantly against bots. Presumably by examining the timing. Set the threshold to 0.6 and off you go. I run a fairly busy tech forum.

Another approach is to put your site behind Cloudflare. For hobby / noncommercial sites this is free. And you get handy stuff like

- https certificate is done for you

- you can block up to 5 countries (I blocked Russia China and India)

Ideally you should firewall your server to accept web traffic only from the set of CF IPs, but in practice this is not necessary unless somebody is out to get you (there are websites which carry IP history for a given domain, believe it or not!!!)

Reply to
Peter

My ISP has finally blocked all China IP addresses from accessing the site.

Maybe that's what the bots want; who knows.

Haven't had access to the site to find out what the practical result is, yet.

RL

Reply to
legg

My ISP has blocked all China IP addresses from accessing the site.

Maybe that's what the bots want; who knows?

Haven't had access to the site to find out what the practical result was, yet, or what the final probing looked like. Whatever it was, it didn't result in another 17G block download, before the automated account suspension reasserted itself, which was the last case examined. (went 14G overlimit for full 17G load).

RL

Reply to
legg

That will work; the bots can get around it by using a VPN, but more or less all VPN services which will handle heavy data cost money. So VPNs are used for hacking but not for a DOS attack.

Reply to
Peter

I'm afraid to find out. If it's google product . . . .

After the Chinese IPs were blocked, there was not much more I could learn by fiddling about. My ISP had to reset the auto suspension and up the limit with each (failed) iteration. The current block is considered as dusting of the hands. Case closed.

The PDF version of complete CCDM is already out there in a couple of free doc sites. Chart images in that pdf might have sample envy.

The problem with mfr logo ident is the raw volume of tiny images. Don't recall if an epub version was made - I think, if anything, that attempt just made a bigger file . . . . Slow as it is - it's already split up alpha numerically into six sections . . . .

RL

Reply to
legg
