My CPU spiking up

[WelshPaul]

You're wasting your time trying to block IP addresses. Those bots use thousands of different machines all with different ip ranges! You'd be better off blocking by country as a temporary measure!

[WelshPaul]

I enter the IP 159.138* and I keep getting an error message that No IP as been provided.
I tried 159.138.* and still the same error. Doesn't go through. the only way to work is to enter the entire IP.
But there are tons of them starting with that string, with agents looking like this:

Code: Select all

Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0

that's weird

Ahhh Mb2345Browser bot! I was hit by that one last week!

https://www.johnlarge.co.uk/blocking-ag ... pers-bots/

[WelshPaul]

These are the one's doing the rounds at present:

• Mb2345Browser
• LieBaoFast
• MicroMessenger
• Kinza
• Mozilla/5.0(Linux;U;Android 5.1.1;zh-CN;OPPO A33 Build/LMY47V) AppleWebKit/537.36(KHTML,like Gecko) Version/4.0 Chrome/40.0.2214.89 UCBrowser/11.7.0.953 Mobile Safari/537.36

I was hit by 98,000 different IP's all coming from those user agents!

[KYPREO]

I enter the IP 159.138* and I keep getting an error message that No IP as been provided.
I tried 159.138.* and still the same error. Doesn't go through. the only way to work is to enter the entire IP.
But there are tons of them starting with that string, with agents looking like this:

Code: Select all

Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0

that's weird

These are the same Chinese bots attacking everyone's boards at the moment.

There is a write-up here on blocking them based on use of unusual browsers: https://www.johnlarge.co.uk/blocking-ag ... pers-bots/ this won't get them all but it's a start. Ultimately, I think sticking your site behind Cloudflare is the best option to stop this as you can shut out bots or entire countries without impacting on your server by imposing IP or user agent blocks.

[WelshPaul]

I think sticking your site behind Cloudflare is the best option

EXACTLY!

Blocking via htaccess will still use up server resources. You need to block these bots from hitting your server to start with! Your host should have a firewall in place where you can can block these bots before they reach the server.

[Nick225]

Thank you guys for your input.
These bots are annoying.

[3Di]

I blocked in CPanel -> IP Blocker
those IPS (from China) as per the above links some week ago.

2019-11-12 00_17_48-cPanel - IP Blocker.png (11.5 KiB) Viewed 1821 times

Since then I haven't seen other issues.

Code: Select all

110.240.0.0/12 	110.240.0.0 	110.255.255.255 	
111.224.0.0/14 	111.224.0.0 	111.227.255.255 	
36.110.162.63 	36.110.162.63 	36.110.162.63

[Nick225]

Great.. I will update my Cpanel

[Nick225]

And the site is back to its normal load again.
Thank you guys... You support was simply generous. !!!!!

[nl2dav]

Ultimately, I think sticking your site behind Cloudflare is the best option to stop this as you can shut out bots or entire countries without impacting on your server by imposing IP or user agent blocks.

I don't like Cloudflare besides Apache has a mod_geoip module and if this is installed/activated then you can use this;

Code: Select all

GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat MemoryCache
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(AF|PK|IN|TW|CN)$
RewriteRule ^.* - [F,L]

to easily say goodbye to countries. Note though; GeoIP/Maxmind stopped updating their old IP database format since the beginning of this year. Its now geoIP2 but not bothered yet to install this new version.

[P_I]

These are the one's doing the rounds at present:

• Mb2345Browser
• LieBaoFast
• MicroMessenger
• Kinza
• Mozilla/5.0(Linux;U;Android 5.1.1;zh-CN;OPPO A33 Build/LMY47V) AppleWebKit/537.36(KHTML,like Gecko) Version/4.0 Chrome/40.0.2214.89 UCBrowser/11.7.0.953 Mobile Safari/537.36

I was hit by 98,000 different IP's all coming from those user agents!

Would it make sense to add all of these to ACP->Spiders/Robots so that rather than multiple sessions for each, they'd be somewhat managed?

[david63]

Would it make sense to add all of these to ACP->Spiders/Robots so that rather than multiple sessions for each, they'd be somewhat managed?

It certainly would not do any harm but it will not stop the problem as they will still be accessing your board. These types of bots need stopping at server level (or before)

[WelshPaul]

Would it make sense to add all of these to ACP->Spiders/Robots so that rather than multiple sessions for each, they'd be somewhat managed?

I have an extensive list of bots in the ACP->Spiders/Robots section on my board, in this case though, no.

At one point I had over 4,000 guests online. Adding the bots I mention above to the ACP->Spiders/Robots would still result in 4,000+ page loads although in this instance the page loads would be telling the bot to go away. This results in server resources still being used (although nowhere near as much).

IMHO you need to treat these as you would if it were a DDOS attack and stop them from ever reaching the server to begin with.

[nl2dav]

Its now geoIP2 but not bothered yet to install this new version.

To react to myself... Don't need to be bothered to install new libs. Just convert new database format to the old one. Someone already is doing that;
https://www.miyuru.lk/geoiplegacy (with a Python script; https://github.com/sherpya/geolite2legacy ).. Excellent!

[P_I]

These types of bots need stopping at server level (or before)

IMHO you need to treat these as you would if it were a DDOS attack and stop them from ever reaching the server to begin with.

I've understood this from the beginning but for those of us on shared hosting plans our options are limited on how to stop them early.