FYI Microsoft Attack this evening

How did you sort the MS IP addresses from other Guest addresses?
If you look at the thread, we've all been affected by the same IP ranges, all coming from Microsoft Data Centers, same User Agent and from countries where at least I don't usually have visitors or registered users.
 
You have to end it with " - do not delete" in the comment if you don't want it to expire.
Yes, I know.
"Note: If you add the text "do not delete" to the comments of an entry then DENY_IP_LIMIT will ignore those entries and not remove them."
For now I have no intention of making them permanent, just temporary.
If I notice that it continues later, it will be necessary to permanently ban them.
 
+1 to being hit by the Des Moines DC this week. So far not causing any issues, just more surprised that it has been going on all week from a Microsoft DC. Of the multiple sites on our server, only one of them is getting hammered so I'd be curious to see how we ended up on somebody's 'hit list' to target.

 
I've created a new group within our server's firewall settings from the list in this thread and blocked access to all tcp ports from that group and that has done the job.
 
Some of the ranges used high-number octets, so to resolve this I used a wildcard mask...

e.g.:
IP address '13.67.222.111'
external network range added to the firewall '13.67.222.0 0.0.0.255' where 0.0.0.255 is the wildcard mask

 
I missed 168.61.0.0/16 off which had snuck on last night... but 'guests' are right down now and it's notably snappier too. (y)
 
Is anyone else still having issues with this?
Yes, in the last week I also noticed this.

I had then quickly blocked the entire USA via mod_geoip. So of course also Microsoft Data Center in Iowa. That helped immediately. In the meantime, no more requests come from there, even without blocking.

But we had identical spam posts on four old inactive accounts in the last 48h. We have never had anything like this before!
A search of spam phrases with the search engine gave many hits in other forums that had not always removed the spam. All search hits are from the last few days.
I suspect this is related to the mass requests.

Anyone else with something like this?
 
I worked with AndyB last night to try to fathom a way of preventing this.

Basically using wildcards and octet ranges with IP addresses in the server's firewall doesn't have much impact other than initially as the IP addresses are so varied.

Using this add-on: https://www.xf2addons.com/resources/access-log.690/ we found that all the traffic from that data centre was using the following User Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15

Using that information I put a block on '605.1.15' using a script in .htaccess - that did it, stopped all traffic from that source.
However it also blocked some genuine users using the Chrome browser on iOS, so not advisable.
We've currently got around 1000 unwanted 'guests' onsite at the moment.
 
I’ve noticed I’ve got quite a few guests from amazonaws.com too. Could they be doing the same sort of thing as Microsoft?

I’d really like to find out what they are doing? 🤔
Could Microsoft be using Des Moines to do mail (hotmail, outlook.com etc.) amongst other things?

I think by blocking Microsoft data center I also stopped email going to Microsoft’s email addresses! They have piled up waiting to send. 🫣
 
I don't see a reason to block those IPs. As far as I can tell, lots of IPs are sniffing but it is not slowing down anything. It's not like a DDoS or something.
A nice side effect: my guest count of 2000+ now looks very impressive ;)
 
Could Microsoft be using Des Moines to do mail (hotmail, outlook.com etc.) amongst other things?

I think by blocking Microsoft data center I also stopped email going to Microsoft’s email addresses! They have piled up waiting to send. 🫣
37 pages of queued email now gone. I’ll just have to like it or leave it, won’t I! 😄

I don't see a reason to block those IPs. As far as I can tell, lots of IPs are sniffing but it is not slowing down anything. It's not like a DDoS or something.
A nice side effect: my guest count of 2000+ now looks very impressive ;)
I’m the opposite. I detest ‘bots’, sniffers, IPs that don’t resolve to say so etc. in my ‘guest’ slot. I would rather they went in the ‘Robots’ slot… but hey ho! 😐
 
Possibly it has something to do with that ...

For me, the many requests had always resulted in error pages.
Possibly login pages, attempts to find out the weak password and sometimes with success?
I suspect this.
We also had spam posts from old inactive accounts.
 
We've managed to stop the inbound traffic using the .htaccess file to block the user agent they all seem to be using. Blocking IP addresses was futile due to the number involved.
Surprisingly the user agent in all cases was iOS and the Safari browser. I would have thought if it was genuine Microsoft it would have been their products.

The issue with false traffic is it can have an impact on advertising revenues, especially Google.
 
If anyone would like to use the changes we have implemented, please find them below (provided as-is, with no liability given or accepted)

Add to your website's .htaccess file:

Code:
<IfModule mod_setenvif.c>
    #   Deny and Allow bots by User-Agent
    #   SetEnvIfNoCase is provided by mod_setenvif (the block was previously
    #   wrapped in mod_rewrite.c, which it does not use); the Deny/Allow
    #   directives below need mod_access_compat loaded on Apache 2.4
    SetEnvIfNoCase User-Agent "bot|crawler|fetcher|headlesschrome|inspect|spider|bingbot|15.1 Safari/605.1.15" bad_bot
    SetEnvIfNoCase User-Agent "duckduckgo|googlebot|yahoo" good_bot
    #   Deny,Allow (the default order): Deny is evaluated first and Allow
    #   overrides it, so a User-Agent matching both lists (e.g. "googlebot"
    #   also contains "bot") is still allowed; unmatched requests are allowed
    Order Deny,Allow
    Deny from env=bad_bot
    Allow from env=good_bot
</IfModule>

The common link in the unwanted traffic's user agent is: 15.1 Safari/605.1.15

Add to the top of your robots.txt file:

Code:
# One group for all crawlers; compliant crawlers honour Disallow: /
# and some (not Google) also honour Crawl-Delay
User-agent: *
Disallow: /
Crawl-Delay: 1

As previously posted, if you want to check the user agent of the unwanted traffic, this is the add-on we used: https://www.xf2addons.com/resources/access-log.690/
Within the options you can set the number of records you wish to see in the log.

I copied the log into an Excel spreadsheet and removed duplicate lines containing the same IP addresses, then sorted the sheet by IP address so it grouped together the IP addresses coming from the same locations, easily identifying those from the Microsoft data centre.
From that, using a conditional format I looked for all instances of '15.1 Safari/605.1.15' and highlighted them. This was to cross-check that no members or genuine guests were using the same user agent as the traffic from the data centre - you don't want to inadvertently block them as well.
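The spreadsheet cross-check above, and the .htaccess decision it feeds, as an added Python example that is not from this thread or the add-on. It reuses the two SetEnvIfNoCase patterns and the 168.61.0.0/16 and 13.67.222.0/24 ranges quoted in the thread; the log lines, IPs and the iPhone Chrome user agent are constructed samples, and the "ip user-agent" line format is an assumption.

```python
import ipaddress
import re

# Patterns copied verbatim from the posted .htaccess (unescaped dots, as in
# the original, so "." matches any character, exactly as Apache would treat it).
BAD_BOT = re.compile(r"bot|crawler|fetcher|headlesschrome|inspect|spider|bingbot|15.1 Safari/605.1.15", re.I)
GOOD_BOT = re.compile(r"duckduckgo|googlebot|yahoo", re.I)

# Data-centre ranges named in the thread: 168.61.0.0/16 and the
# '13.67.222.0 0.0.0.255' wildcard, which is the same as 13.67.222.0/24.
DC_RANGES = [ipaddress.ip_network("168.61.0.0/16"), ipaddress.ip_network("13.67.222.0/24")]

UNWANTED_UA = "15.1 Safari/605.1.15"   # narrowed marker used in the final rule
OLD_MARKER = "605.1.15"                # first attempt, which also hit Chrome on iOS

# Constructed sample log: "<ip> <user agent>" per line.
SAMPLE_LOG = [
    "168.61.10.5 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15",
    "13.67.222.111 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15",
    "203.0.113.7 Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/96.0.4664.53 Mobile/15E148 Safari/604.1",
    "198.51.100.9 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "192.0.2.4 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15",
]

def htaccess_decision(user_agent):
    """Mirror 'Order Deny,Allow': denied only if bad_bot matches and good_bot does not."""
    if GOOD_BOT.search(user_agent):
        return "allow"
    return "deny" if BAD_BOT.search(user_agent) else "allow"

def old_block_matches(user_agent):
    """The first, too-broad '605.1.15' block from earlier in the thread."""
    return OLD_MARKER in user_agent

def in_dc_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DC_RANGES)

def cross_check(log_lines):
    """Group IPs that send the unwanted UA by whether they sit in a known
    data-centre range. Anything in the second list is a real visitor the
    rule would also block, which is what the spreadsheet check looked for."""
    dc_ips, other_ips = set(), set()
    for line in log_lines:
        ip, ua = line.split(" ", 1)
        if UNWANTED_UA in ua:
            (dc_ips if in_dc_range(ip) else other_ips).add(ip)
    return sorted(dc_ips), sorted(other_ips)
```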
 