Massive bot activity overloading sql

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
Post Reply
buksida
Registered User
Posts: 336
Joined: Thu Feb 04, 2010 9:11 am

Massive bot activity overloading sql

Post by buksida »

Mods - please move it if this is in the wrong place.

Our forum is under attack by bots. So much so that we're getting the max_users_connections error all the time. There are up to 2,000 'guests' online which is way beyond our normal traffic levels.

Our anti spam is google recaptcha but they're breaking through this easily, would the Q&A be better if frequently changed?

The posting can be stopped but the sheer volume of them is akin to a bot ddos attack.

Can anything be done? Thanks in advance.
User avatar
Kailey
Community Team Leader
Community Team Leader
Posts: 3732
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Snay
Contact:

Re: Massive bot activity overloading sql

Post by Kailey »

If it's a DDOS attack, recaptcha isn't going to do anything for you. Maybe ask your host if they can stop the traffic.
Kailey Snay - Community Team Leader
Knowledge Base | Documentation | Community rules

If you have any questions about the rules/customs of this website, feel free to send me a PM.
buksida
Registered User
Posts: 336
Joined: Thu Feb 04, 2010 9:11 am

Re: Massive bot activity overloading sql

Post by buksida »

Its not a specific attack - just a massive amount of spam bots overloading the site.
buksida
Registered User
Posts: 336
Joined: Thu Feb 04, 2010 9:11 am

Re: Massive bot activity overloading sql

Post by buksida »

I've contacted the host and increased max_user_connections, yet still thousands of 'guests' are hitting the phpBB board.

Is there anyway to stop the bots?
User avatar
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Massive bot activity overloading sql

Post by canonknipser »

It happens because a lot of search engines follow Google's "mobile first" strategy and index web sites imitating smartphone access. So a single spider is crawling your site with dozens of different user agent strings at the same time - on string for every smartphone model. You can identify those search engine spiders by checking out the IP addresses (they are identical in the first two bytes of the IPV4-Address ) and add them to you bot list in the acp
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
buksida
Registered User
Posts: 336
Joined: Thu Feb 04, 2010 9:11 am

Re: Massive bot activity overloading sql

Post by buksida »

Thanks for that, will give it a go.
User avatar
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Massive bot activity overloading sql

Post by david63 »

canonknipser wrote: Thu Nov 08, 2018 6:48 am add them to you bot list in the acp
Unfortunately that will not stop server access as the server has to be checked for those IP addresses.

Only last week I had the same thing happen on my site and the bots were from China (or at least that was what was being shown on an IP lookup).

The only way I could prevent an excessive server load was to activate the firewall in my control panel and block them at that level. If your hosting account does not have a firewall option then you could try and persuade your hosts to add the IPs to their firewall.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
User avatar
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Massive bot activity overloading sql

Post by canonknipser »

david63 wrote: Thu Nov 08, 2018 7:00 am Unfortunately that will not stop server access as the server has to be checked for those IP addresses.
Right, but the number of parallel opened guest connections to the database will decrease.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
buksida
Registered User
Posts: 336
Joined: Thu Feb 04, 2010 9:11 am

Re: Massive bot activity overloading sql

Post by buksida »

Ok - the ACP bot list wont let me add partial IP addresses, one of the offenders seems to be;
Guest
Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.8483.87 Mobile Safari/537.36
IP range 220.243.* plus many other IP addresses, hundreds of them in fact.

I tried adding this to the htaccess file as:

Code: Select all

order allow,deny
deny from 220.243.
allow from all
Also added to IP ban list in ACP, and cPHulk on WHM, but they are still coming and haven't been blocked - any ideas?
User avatar
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Massive bot activity overloading sql

Post by david63 »

I don't think that you need the dot after deny from 220.243 or you could use deny from 220.243.0.0/16

Incidentally that was the same range that was attacking my site last week!
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
joeyb+1
Registered User
Posts: 32
Joined: Wed Apr 30, 2008 3:12 am
Location: AU

Re: Massive bot activity overloading sql

Post by joeyb+1 »

This is all well and good, but when there is no access to the site due to max_active_connections being exceeded then you're unable to login to the acp.
User avatar
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Massive bot activity overloading sql

Post by canonknipser »

In ACP, this setting works for me:
Screenshot_20181109_0800000.png
(note the trailing dot)
It doesn't work immediate, the guest sessions with that addresses are often still active. You can try to clear the sessions table from the acp main page, but be aware that everybody (including yourself) is logged out then. Or just wait a couple of hours.

There were a lot of other IP ranges, some examples:
  • 52.80
  • 52.81
  • 52.82
  • 52.83
  • 139.217
  • 139.219
  • 220.243
Catching some more one a daily base ;)
joeyb+1 wrote: Fri Nov 09, 2018 7:06 am ... when there is no access to the site due to max_active_connections being exceeded then you're unable to login to the acp.
If you block them on server level (eg. via .htaccess) then there should be no extra connections
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
buksida
Registered User
Posts: 336
Joined: Thu Feb 04, 2010 9:11 am

Re: Massive bot activity overloading sql

Post by buksida »

canonknipser wrote: Fri Nov 09, 2018 7:09 am In ACP, this setting works for me:
Does that ban them as bots or allow them? I've been trying to ban the IP addresses in the 'banning' section for spammers but I don't think that works as they're not registered using those IPs, they're just guests.
User avatar
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Massive bot activity overloading sql

Post by david63 »

buksida wrote: Mon Nov 12, 2018 3:12 am don't think that works as they're not registered using those IPs, they're just guests.
Guests have IP addresses as well so yes it will block them. The problem with banning then via phpBB is that they are still accessing your board and utilising your database server which, with this particular bot, is quite a load.

You really need to block them before the server either in .htaccess of by using a firewall.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: Massive bot activity overloading sql

Post by thecoalman »

buksida wrote: Thu Nov 08, 2018 3:58 am Is there anyway to stop the bots?
This is not something that can be handled within phpBB with any degree of success. You need to prevent them form loading the script, using phpBB's IP bans may help some but it will still be making connections to the database. Even the htaccess rules are not the best route but better than using phpBB. The best thing you can do server side is firewall them off but that only works with the right rules and/or known IP's. That also assumes you have access to the firewall, if this is shared hosting account you would have to contact your host and hope they can help.

If none of that works or is not possible your next best bet may be a service like Cloudflare. Cloudflare is proxy server and provides a firewall and other features that will help prevent the bot traffic. Firewalling them off there will prevent ALL traffic from every reaching the server. For Cloudlfare to work properly with phpBb you need the Apache module mod_cloudflare installed or there is an extension for it here in the extension database.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Post Reply

Return to “[3.2.x] Support Forum”