
How do I stop these attacks?

Diana

Active member
#1
My site has been under attack for the past two days and now my host has locked my account and wants me to upgrade the bandwidth before he opens it again. My site hasn't launched yet, it isn't open to registration, so there is no reason for me to pay more for bandwidth. I'm trying to get him to give me access to the cpanel so that I can try to fix this. Problem is, I haven't a clue about how to fix it.

Any suggestions?
 

Tracy Perry

Well-known member
#3
Question them on what kind of "attack" it is.
I have to agree with @whynot, it's "fishy" sounding. I could see if it was a public site that a kiddy competitor had a grudge against.
It may be that a previous site on that IP (if you have a static and not shared IP) had someone attacking it. If so, it's the host's responsibility to place you on another IP and mitigate that attack themselves.
 

Diana

Active member
#4
I thought it was fishy too. I cleared everything out yesterday, deleted my test forum where most of the attacks were, the main forum was fine all day and into the night. Woke up this morning and the forum and cpanel were locked for "exceeding bandwidth limit." When I asked if they could at least open the cpanel so that I can try to fix the problem all I got was a curt reply saying they've upgraded the bandwidth limit and the billing department will get in touch with me. This is after being with them for 15 years.
 

ManagerJosh

Well-known member
#5
My site has been under attack for the past two days and now my host has locked my account and wants me to upgrade the bandwidth before he opens it again. My site hasn't launched yet, it isn't open to registration, so there is no reason for me to pay more for bandwidth. I'm trying to get him to give me access to the cpanel so that I can try to fix this. Problem is, I haven't a clue about how to fix it.

Any suggestions?
Any chance we could get more details on the type of attack?
 

whynot

Well-known member
#6
Woke up this morning and the forum and cpanel were locked for "exceeding bandwidth limit." When I asked if they could at least open the cpanel so that I can try to fix the problem all I got was a curt reply saying they've upgraded the bandwidth limit and the billing department will get in touch with me. This is after being with them for 15 years.
Hopefully you don't have to pay for the new limit a year or two in advance.
As soon as you can access cPanel move to another host.
 

Diana

Active member
#7
Any chance we could get more details on the type of attack?
I don't know, never having had this problem before. There were about 100 new registrations the first day (within the same hour) from places like Indonesia. I deleted all of their accounts and instead of bothering to delete the spam on the test forum, I deleted the test forum from the database. I closed registration on the main forum and all was well until I found the host shut the site down the next day. So I don't even know if it happened again, or if they're just trying to use this to force me to upgrade.
 

Set3sh

Active member
#9
Hello,

From what you are describing, in order to stop this type of attack (spam bots), please enable human verification during registration.

Kind regards,
George.
 

WSWD

Well-known member
#13
Sooooooo......who do you think should pay for the bandwidth for the attacks? Do you think your host should just eat that cost? They don't get free bandwidth from the datacenter.

If suspending your account was the only thing that stopped the attacks, it can almost be presumed that the attacks will start again when your site is unsuspended. Your host (rightfully so) does not want to pay for that additional bandwidth.

They should be able to show you bandwidth graphs or such, so you can see that what they are saying is legitimate. But assuming it is, I don't know how you could possibly feel you are in the right here.
 
#14
About a month ago the spammers from .IN started hitting us pretty hard. None of the automatic methods were stopping them.

Installed TPU spam detection and like magic it's stopping all of them. We get zero traffic from India and our users do not use email like yandex or rediffmail so it's pretty easy to block. Here is a sample of a blocked account signup.

Unknown Account - TPUDetectSpamReg checking: Serg Ioritz, sergioritz@rediffmail.com, 182.64.169.3,
AS detected: ASN24560, AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN,
+3. SFS hit: ip,
+10. Email matched: *@rediffmail.com,
Hostname detected: abts-north-dynamic-003.169.64.182.airtelbroadband.in,
Country detected: IN,
+10. Country matched: IN,
Total score: +23,
Rejected. Score exceeded (+23 >= 6)
 
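The additive scoring visible in that log, as an added sketch that is not part of the post and not the add-on's code. The weights (+3, +10, +10) and the reject threshold (6) are taken from the log; the function name, the rule tables, the yandex pattern and the idea of passing lookup results in as arguments are assumptions.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address

# Weights and threshold as shown in the sample log; the yandex pattern and
# every name in this block are assumptions for illustration.
EMAIL_RULES = [("*@rediffmail.com", 10), ("*@yandex.*", 10)]
COUNTRY_RULES = {"IN": 10}
BLOCKLIST_IP_HIT = 3
REJECT_AT = 6

def score_signup(email, ip, country, blocklisted_ips):
    """Return (rejected, total, reasons) for one registration attempt.

    country and blocklisted_ips come from lookups done elsewhere (GeoIP, a
    spam-reporter database); passing them in keeps the scoring testable.
    """
    email = email.strip().lower()
    ip = str(ip_address(ip.strip()))    # raises ValueError on malformed input
    total, reasons = 0, []
    if ip in blocklisted_ips:
        total += BLOCKLIST_IP_HIT
        reasons.append(f"+{BLOCKLIST_IP_HIT}. Blocklist hit: ip")
    for pattern, weight in EMAIL_RULES:
        if fnmatchcase(email, pattern):
            total += weight
            reasons.append(f"+{weight}. Email matched: {pattern}")
            break                       # count at most one email rule
    weight = COUNTRY_RULES.get(country.upper(), 0)
    if weight:
        total += weight
        reasons.append(f"+{weight}. Country matched: {country.upper()}")
    return total >= REJECT_AT, total, reasons

# Constructed inputs; the first reuses the values shown in the log above.
BLOCKLIST = {"182.64.169.3"}
SAMPLES = [
    ("sergioritz@rediffmail.com", "182.64.169.3", "IN"),
    ("alice@example.org", "198.51.100.7", "US"),
    ("bob@example.org", "182.64.169.3", "US"),
]

if __name__ == "__main__":
    for email, ip, country in SAMPLES:
        rejected, total, reasons = score_signup(email, ip, country, BLOCKLIST)
        print("REJECT" if rejected else "accept", total, email, reasons)
```

A single blocklist hit (+3) stays under the threshold on its own, so a legitimate user on a previously reported address is not rejected unless a second signal also matches.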

Tracy Perry

Well-known member
#15
If this attack is just users registering even spam it's not really an attack...
Agree... and if it's causing issues with human spammers posting, you have to wonder what will happen when "real" users start using it. Sounds almost like one of those bottom tier "all you can eat" EIG type hosts but then they wouldn't have "exceeded bandwidth".
And no, this is not an "attack" per se, but normal business of a site. An attack is something like a WordPress Ping back DDOS attack or similar.

They should be able to show you bandwidth graphs or such, so you can see that what they are saying is legitimate. But assuming it is, I don't know how you could possibly feel you are in the right here.
If it was a "true" DDOS attack and the site was never public to begin with (and a new site) I could see a valid stance to have an issue as there is the possibility that another site on that IP before had been a victim of attack and they re-issued the IP to someone else who was now the victim of the attack - but this doesn't seem to be the case here. But further information reveals that this is more a site admin type issue (inability to secure site from an influx of spammers). Not knowing what the plan limits are I won't comment on the fact that traffic (valid human traffic, even if it is spammers) seems to put them over limit. That's where I would have my questions - and the apparent answer would be that their current plan won't support much human traffic.

TPU Spam add-on will work wonders @Diana. I encourage the installation and use of it.
 

Diana

Active member
#16
Sooooooo......who do you think should pay for the bandwidth for the attacks? Do you think your host should just eat that cost? They don't get free bandwidth from the datacenter.

If suspending your account was the only thing that stopped the attacks, it can almost be presumed that the attacks will start again when your site is unsuspended. Your host (rightfully so) does not want to pay for that additional bandwidth.

They should be able to show you bandwidth graphs or such, so you can see that what they are saying is legitimate. But assuming it is, I don't know how you could possibly feel you are in the right here.
I don't mind paying for the days the bandwidth went over the limit. I just don't want to be forced to sign up for a permanent upgrade and not be able to access the site to have a chance to fix the problem, because the problem will persist with higher bandwidth if I don't fix it.
 

Diana

Active member
#20
The host wrote "the URL http://theglobalsoup.com/test/ is being flooded with requests from different IPs. Let us know if we can go ahead and block the IPs."

I just don't understand.

The first day this happened the main forum seemed reasonably secure, there were only a few spammers registered and some threads I could delete by hand. The main problem was (and still is) on the test forum. It's flooded. I subsequently deleted the test forum database and asked the host to replace it with a copy of the main forum so that I could see if an upgrade of XenForo to 1.5.11 might help (obviously it didn't). He also said he had blocked the IPs, so I don't see how it would help to do that again. After I did the upgrade and it seemed secure for about 12 hours, I closed both the test and the main forum to new registration overnight just to be safe. The next morning the site was shut down again for exceeding the limit.

So now what do I do? Have the host block the IPs, open the site up again, and install the TPU Spam add-on?
 
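One way to check the host's statement that /test/ is being flooded from different IPs, once the raw access log is available: total requests, bytes sent and distinct client IPs per top-level path. This is an added example, not part of the thread; it assumes the server writes the Apache "combined" log format, and the sample lines (addresses, timestamps, paths, sizes) are constructed.

```python
import re
from collections import defaultdict

# Combined format: ip ident user [time] "METHOD path proto" status bytes ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def summarize(lines):
    """Per top-level path: request count, bytes sent, distinct client IPs."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "ips": set()})
    skipped = 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            skipped += 1                # malformed or truncated line
            continue
        parts = m["path"].split("?", 1)[0].split("/")
        prefix = "/" + parts[1] if len(parts) > 2 else "/"
        s = stats[prefix]
        s["hits"] += 1
        s["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
        s["ips"].add(m["ip"])
    report = {p: {"hits": s["hits"], "bytes": s["bytes"],
                  "distinct_ips": len(s["ips"])} for p, s in stats.items()}
    return report, skipped

# Constructed sample log lines (documentation address ranges).
SAMPLE = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /test/index.php?register/ HTTP/1.1" 200 48210 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "POST /test/index.php?register/register HTTP/1.1" 200 51344 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2024:10:00:02 +0000] "GET /test/index.php?register/ HTTP/1.1" 200 48210 "-" "Mozilla/5.0"
198.51.100.40 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 304 - "-" "Mozilla/5.0"
garbage line
""".splitlines()

if __name__ == "__main__":
    report, skipped = summarize(SAMPLE)
    for prefix, s in sorted(report.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{prefix:10} hits={s['hits']} bytes={s['bytes']} ips={s['distinct_ips']}")
    print("unparsed lines:", skipped)
```

Many distinct IPs with a few requests each against one path is the pattern where blocking individual addresses does little, and registration checks or restricting access to the test directory address the source of the traffic instead.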