My CPU spiking up

JLA
Registered User
Posts: 523
Joined: Tue Nov 16, 2004 5:23 pm
Location: USA
Name: JLA FORUMS

Re: My CPU spiking up

Post by JLA »

KYPREO wrote:
Mon Feb 10, 2020 1:46 am
For those that sought to address this issue by blocking Chinese IP addresses, be aware that bad bots with the same User-Agent strings are now attacking sites through IP addresses in Hong Kong and Singapore.

I have blocked requests at the server level by checking User-Agent strings and that has continued to be effective. However, to prevent these bots reaching my server at all, I have also added a new ASN-based firewall rule in Cloudflare to block all access for users with AS136907 (Huawei Cloud). All the HK and Singapore addresses fall within this ASN range.
We’ve recently seen the same activity too.

KYPREO
Registered User
Posts: 312
Joined: Fri Feb 02, 2018 9:56 am

Re: My CPU spiking up

Post by KYPREO »

JLA wrote:
Mon Feb 10, 2020 3:46 am
We’ve recently seen the same activity too.
Well, the firewall rule was extremely effective. It blocked 2,000 requests made in a 5-minute period. The bots came back and tried a few hundred times, failed again, then haven't been back (yet). Although my web server rule was effective in preventing access to the forum, having to issue 2,000 blocked HTTP requests every 5 minutes is still a lot of load on the server. I will add an additional user-agent block in Cloudflare as well.
phpBB user since 2002
www.AusRotary.com

thecoalman
Community Team Member
Posts: 3493
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: My CPU spiking up

Post by thecoalman »

KYPREO wrote:
Mon Feb 10, 2020 1:46 am
For those that sought to address this issue by blocking Chinese IP addresses, be aware that bad bots with the same User-Agent strings are now attacking sites through IP addresses in Hong Kong and Singapore.
If you are using CL these need to be blocked separately.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison

KYPREO
Registered User
Posts: 312
Joined: Fri Feb 02, 2018 9:56 am

Re: My CPU spiking up

Post by KYPREO »

These bots sure are persistent and aggressive. Contrary to my earlier post, they are still hitting the firewall en masse - but launch a new wave every 4 hours or so - almost like clockwork. A graph shows the peaks occurring at regular intervals so it's clearly part of the bots' programming to ignore blocking requests and come back again after a designated period of time. This illustrates the value of Cloudflare. Unless you pay for a hardware firewall or gateway server, there's no way you're preventing this kind of traffic from hitting the phpBB server.
thecoalman wrote:
Mon Feb 10, 2020 9:55 am
KYPREO wrote:
Mon Feb 10, 2020 1:46 am
For those that sought to address this issue by blocking Chinese IP addresses, be aware that bad bots with the same User-Agent strings are now attacking sites through IP addresses in Hong Kong and Singapore.
If you are using CL these need to be blocked separately.
I'm not sure what you mean? I have separate rules on both server and Cloudflare to block bots. I was mainly informing users to stay on top of this issue as the bots have moved to Huawei Cloud controlled IPs in HK and SG. One ASN rule can cover both countries as all the infringing IP addresses are in the same ASN block.
phpBB user since 2002
www.AusRotary.com

JLA
Registered User
Posts: 523
Joined: Tue Nov 16, 2004 5:23 pm
Location: USA
Name: JLA FORUMS

Re: My CPU spiking up

Post by JLA »

Anybody have any guesses what the purpose of these bots is to begin with?

KYPREO
Registered User
Posts: 312
Joined: Fri Feb 02, 2018 9:56 am

Re: My CPU spiking up

Post by KYPREO »

JLA wrote:
Tue Feb 11, 2020 1:30 am
Anybody have any guesses what the purpose of these bots is to begin with?
They seem to be data scraping. Looking through my logs, there was nothing particularly malicious in the URIs they are hitting (no SQL injection attempts or repeated hits on admin areas). They are doing what crawler/search engine bots normally do, but they completely ignore robots.txt and are programmed to be extremely aggressive. Good bots throttle the rate at which they crawl a website and are responsive to what the server is telling them - if they get 403 or 404 errors or things start slowing down, they'll back off or come back later. These Chinese bots just hit hard and fast and do not care what effect it has on the server.
phpBB user since 2002
www.AusRotary.com

JLA
Registered User
Posts: 523
Joined: Tue Nov 16, 2004 5:23 pm
Location: USA
Name: JLA FORUMS

Re: My CPU spiking up

Post by JLA »

KYPREO wrote:
Tue Feb 11, 2020 1:51 am
JLA wrote:
Tue Feb 11, 2020 1:30 am
Anybody have any guesses what the purpose of these bots is to begin with?
They seem to be data scraping. Looking through my logs, there was nothing particularly malicious in the URIs they are hitting (no SQL injection attempts or repeated hits on admin areas). They are doing what crawler/search engine bots normally do, but they completely ignore robots.txt and are programmed to be extremely aggressive. Good bots throttle the rate at which they crawl a website and are responsive to what the server is telling them - if they get 403 or 404 errors or things start slowing down, they'll back off or come back later. These Chinese bots just hit hard and fast and do not care what effect it has on the server.
Scraping for who or what?

Based off of other behaviors we’ve seen in the past, I wonder if they are associated with Baidu??

thecoalman
Community Team Member
Posts: 3493
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: My CPU spiking up

Post by thecoalman »

KYPREO wrote:
Tue Feb 11, 2020 12:31 am
I'm not sure what you mean?
If you are blocking by country, Singapore and Hong Kong are listed as countries on CF.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison

KYPREO
Registered User
Posts: 312
Joined: Fri Feb 02, 2018 9:56 am

Re: My CPU spiking up

Post by KYPREO »

thecoalman wrote:
Tue Feb 11, 2020 1:15 pm
KYPREO wrote:
Tue Feb 11, 2020 12:31 am
I'm not sure what you mean?
If you are blocking by country, Singapore and Hong Kong are listed as countries on CF.
True. But I don't want to block the whole of the countries as there is a chance of some legitimate traffic. I use a JS Challenge for countries other than the key countries where my userbase is located, but only if the user has a threat score over 1. Then I have a separate rule for completely blocking bad bots based on user agent matching and ASNs known to be used for malicious activities such as Huawei Mobile Cloud (AS136907). I'm still blocking 10,000 requests a day from that ASN. For those on Cloudflare, this is the firewall rule that is working well at the moment:

Code:

(ip.geoip.asnum eq 136907)
or (http.user_agent eq "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3")
or (http.user_agent eq "Mozilla/5.0(Linux;U;Android 5.1.1;zh-CN;OPPO A33 Build/LMY47V) AppleWebKit/537.36(KHTML,like Gecko) Version/4.0 Chrome/40.0.2214.89 UCBrowser/11.7.0.953 Mobile Safari/537.36")
or (http.user_agent eq "Mozilla/5.0 (Linux; Android 7.0; FRD-AL00 Build/HUAWEIFRD-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.49 Mobile MQQBrowser/6.2 TBS/043602 Safari/537.36 MicroMessenger/6.5.16.1120 NetType/WIFI Language/zh_CN")
or (http.user_agent eq "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0")
Then the Action is BLOCK.
phpBB user since 2002
www.AusRotary.com
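
Added example, not part of KYPREO's post and not Cloudflare or phpBB code: the Python below applies the rule's exact User-Agent matches to web server access log lines, counts matching requests per 5-minute window, and finds the start of each wave, so the volumes and the roughly 4-hour interval reported in this thread can be measured on your own logs. It assumes the Apache/nginx combined log format; the sample lines, IP address and function names are constructed for illustration, and the ASN condition is left out because it needs an IP-to-ASN database.

```python
import re
from collections import Counter
from datetime import datetime

# User-Agent strings copied verbatim from the Cloudflare rule in the post above.
BLOCKED_UAS = frozenset((
    "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3",
    "Mozilla/5.0(Linux;U;Android 5.1.1;zh-CN;OPPO A33 Build/LMY47V) AppleWebKit/537.36(KHTML,like Gecko) Version/4.0 Chrome/40.0.2214.89 UCBrowser/11.7.0.953 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 7.0; FRD-AL00 Build/HUAWEIFRD-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.49 Mobile MQQBrowser/6.2 TBS/043602 Safari/537.36 MicroMessenger/6.5.16.1120 NetType/WIFI Language/zh_CN",
    "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0",
))
# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def bucket_hits(lines, window_minutes=5):
    """Count requests whose UA exactly matches the rule, per time window."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["ua"] not in BLOCKED_UAS:
            continue  # unparsable line, or a UA the rule would not match
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)] += 1
    return hits

def wave_starts(hits, threshold, gap_minutes=30):
    """First window of each burst: busy windows separated by a quiet gap."""
    starts, last = [], None
    for t in sorted(t for t, n in hits.items() if n >= threshold):
        if last is None or (t - last).total_seconds() > gap_minutes * 60:
            starts.append(t)
        last = t
    return starts

# Constructed sample: documentation IP range, made-up request path and sizes.
def _line(ts, ua):
    return f'203.0.113.7 - - [{ts} +0000] "GET /viewtopic.php?t=1 HTTP/1.1" 403 199 "-" "{ua}"'

BOT_UA = sorted(BLOCKED_UAS)[0]
SAMPLE = [
    _line("10/Feb/2020:00:01:10", BOT_UA),
    _line("10/Feb/2020:00:02:30", BOT_UA),
    _line("10/Feb/2020:00:03:05", "Mozilla/5.0 (X11; Linux x86_64) Firefox/72.0"),
    _line("10/Feb/2020:00:04:59", BOT_UA),
    _line("10/Feb/2020:04:00:01", BOT_UA),
    _line("10/Feb/2020:04:01:15", BOT_UA),
]

if __name__ == "__main__":
    hits = bucket_hits(SAMPLE)
    print([(t.isoformat(), n) for t, n in sorted(hits.items())])
    print("wave starts:", [t.isoformat() for t in wave_starts(hits, threshold=2)])
```

Because the match is exact, like `eq` in the rule, a bot that changes a single character of its User-Agent is not counted, so a drop in hits here does not by itself mean the traffic stopped.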

M.O.B.
Registered User
Posts: 934
Joined: Tue Jan 04, 2005 1:07 am
Location: San Diego CA USA

Re: My CPU spiking up

Post by M.O.B. »

Yes, it seems that ASN went rogue or something starting in Oct. 2019. Some of my sites also got hit early on, and I quickly put them in check (for now) using Cloudflare's Firewall.

See the Spam statistics report here: https://cleantalk.org/blacklists/as136907

I really appreciate the info provided in this thread, especially the firewall rules for Cloudflare.

For a moment there, I thought I was getting DDOS'ed -- asking myself, how did I piss off the Chinese? Thinking it may have been the known Chinese Censorship DDOS attack being done to sites they dislike.

thecoalman
Community Team Member
Posts: 3493
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: My CPU spiking up

Post by thecoalman »

M.O.B. wrote:
Fri Feb 21, 2020 6:07 am
For a moment there, I thought I was getting DDOS'ed -- asking myself, how did I piss off the Chinese? Thinking it may have been the known Chinese Censorship DDOS attack being done to sites they dislike.
If you get hit with DDOS the countries of origin can be anywhere. The person who controls the botnet attacking your site in most cases is just a gun for hire; they rent it out for a fee, complete with control panel in some cases. It's operated like a business so Joe Schmoe without the knowledge or resources only needs cash to attack your site.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
