What is going on? Is this some kind of widespread attack?

[siân]

My forum has been experiencing something dreadful since this morning. I've noticed an alarming and rapid increase in the 'currently online' user count, which has now culminated in the forum completely ceasing to function.

Of course, this is a fictitious number. There are no visitors in Google Console or Google Analytics.

Could anyone offer some effective advice, please?

I'm overwhelmed.

Code: Select all

In total there are 3934 users online :: 1 registered, 0 hidden and 3933 guests (based on users active over the past 5 minutes)
Most users ever online was 4369 on Fri May 02, 2025 11:29 am

[KevC]

Lots of topics on this just recently
viewtopic.php?p=16063945#p16063945

[SQLnovice]

It only took one bad actor finding your site. Now look at the mess they've created.

This would be a good time to turn off posting for Guests too. Users who want to post shouldn't have an issue with creating an account. From what we've seen, it's actually the other way around. They don't have problem creating the account, but they definitely find typing too much of a challenge. Or they're illiterate.

[invenio]

I am getting this as well. Unfortunately, the bots are not identifying themselves as being from Alibaba, but if I click on the "whois" in the guest menu, then it does come up as alibaba.

The standard bot blocking method via the .htaccess file doesn't work in this case because the bots are not identify themselves as such. Is there are alternative method for blocking specifically the alibaba bots?


EDIT: So looks like I was able to get rid of them by blocking two IP ranges. Specifically 47.82.*.* and 47.79.*.*
The guest users online count dropped by 95% after implementation.

[Prosk8er]

see ssl post here viewtopic.php?t=2662504 i blocked the ips cidr in htaccess for all those and the ones that didnt list there cidr i used a generator to get it

[siân]

This would be a good time to turn off posting for Guests too.

These are bots; this has nothing to do with guest posting. It's a widespread issue, impacting everyone – a general and comprehensive attack.

I'm unsure why you're telling me this, especially since you're aware that everyone has experienced the same thing!

[CPTOM]

Same here. I did a free Cloudflare account and turned on all the bot-fighters, including attack mode, and the next day my users online went from over 2,000 to a more realistic sub-100 number. The forum sped up a lot too! When the number creeps back up, I turn on attack mode overnight, and that keeps the number down another few days. I turned off all caching on Cloudflare, though at some point might give it a try. For a free service, Cloudflare has been a Godsend...

[mattash]

I have been fighting this all day. My site has not been up in two days because of it. I'm still trying to figure it out

[mattash]

had 90K hits in an hour.. This is frustrating

I have AWS and ive tried everything

[invenio]

had 90K hits in an hour.. This is frustrating

I have AWS and ive tried everything

Did you try blocking those two ip ranges as I recommended above? That's all it took for me.

[mattash]

i wouldn’t i block those IP ranges?

[invenio]

i wouldn’t i block those IP ranges?

I'm sorry, I'm not sure I understand your question.

Just to reiterate, after I blocked those two IP ranges the Alibaba bots were not able to reach my site.

[CPTOM]

I'm sure every site has its own bots, but at first I contacted my hosting provider for help. They looked at the traffic and identified the top offenders via IP and blocked those IPs via .htaccess. That helped for a few hours maybe but by the end of the day I had even more bots, and the IP addresses were spread out from multiple countries (with Vietnam and Singapore being surprising high). Seems like the bots -- or at least the ones interested in my forum -- find ways around .htaccess blocks in pretty short order. My hosting provider pushed me to Cloudflare for that reason.

[HB]

Cloudflare lists the blocked accesses in WAF > Events. These AI bots are out of control. It's not hard to imagine a shared server falling over just from AI bot traffic.

see ssl post here viewtopic.php?t=2662504 i blocked the ips cidr in htaccess for all those and the ones that didnt list there cidr i used a generator to get it

Thanks! With Cloudflare, you can also block the matching ASN(s) under the free plan, e.g., Alibaba's (45102, 24429, 37963, 134963, 45104).

[mattash]

i wouldn’t i block those IP ranges?

I'm sorry, I'm not sure I understand your question.

Just to reiterate, after I blocked those two IP ranges the Alibaba bots were not able to reach my site.

geez auto correct. i meant to ask how i would block those ranges. looking for the process