Odd problem with many different IPs accessing the same thread

Wildcat Media

Well-known member
We've been noticing some slowdowns. While looking at our list of visitors online, I found something rather strange.

At least a dozen IP addresses are accessing the same thread. And it's nothing current--it's an older thread from 2021 that I had forgotten about. All of these accesses were in the same minute. All were from the US; only one was from South Africa...and that's odd since I have Cloudflare blocking South Africa.

I doubt I've been "slash-dotted" (anyone remember that?). What's odd is that these do not appear to be bots. Many of these appear to be "home" users. Some are VPNs, yet many are home/office ISPs.

47.149.191.236 - Frontier Communications Corporation
208.207.165.17 - OOC ISP LLC / VPN Server
73.189.125.178 - Comcast Cable Communications LLC
213.188.68.50 - Steel-Axis LLC / VPN server
208.207.217.213 - OOC ISP LLC / VPN server
216.194.89.251 - Steel-Axis LLC / VPN server
104.156.255.26 - Vultr Holdings LLC / Data Center/Transit
161.123.238.11 - Wirels Connect (Pty) Ltd / VPN server (S Africa??)
185.246.172.170 - Bright Data Limited / VPN server
208.194.195.186 - Hosted Backbone LLC / Data Center/Transit
66.42.84.250 - Vultr Holdings LLC / Data Center/Transit
5.183.242.173 - Altus Communications / VPN server
155.138.193.16 - Vultr Holdings LLC / Data Center/Transit
174.30.34.37 - CenturyLink Communications LLC
208.207.149.61 - OOC ISP LLC / VPN server
208.207.156.172 - OOC ISP LLC / VPN server

This is not the only thread affected. Similar IP addresses and companies have been doing this with other threads. They have a similar pattern.
  • They visit the same thread.
  • The visits appear to be all around the same time (within the same minute).
  • They are typically older threads.
  • Visitors appear to be ISPs or VPNs, most in the US or Canada.
I have no problem blocking VPNs, or at least issuing them a managed challenge. But some VPNs end up resolving to Amazon's cloud servers. I had some DigitalOcean servers accessing the site, so I threw them behind a managed challenge. (Irony of ironies...this site is hosted at DigitalOcean, so I can't trust my neighbors obviously.)

Has anyone seen this? We're getting some slowdowns on the server and I strongly suspect it's due to this type of traffic.

Is this something new we have to mitigate with Cloudflare now?

Just curious if others are seeing this. Whatever it is, they're not affected by any of my blocks or managed challenges. I highly doubt that these 16 IP addresses above were suddenly interested in the same 2021 thread...all within the same minute.

Added: A lot of similar types of visitors are trying to view member profiles. The links work, but we do not allow guests to view profiles, so they all result in error pages. There are enough failed profile views to make me wonder what exactly is trying to spider our site.
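
The pattern described in this post (many distinct IPs requesting the same thread within the same minute) can be looked for in the web server's access log. The following is an added example, not part of the original post: it assumes combined-format access logs, and the thread paths, log lines, IPs (documentation ranges) and thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format prefix: client IP, [timestamp], "METHOD path ..."
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|HEAD) (?P<path>\S+)')

def find_bursts(lines, min_ips=5, window=timedelta(seconds=60)):
    """Map each path to (window_start, sorted_ips) for its largest burst of
    at least min_ips distinct clients inside one sliding window."""
    hits = defaultdict(list)                      # path -> [(timestamp, ip)]
    for line in lines:
        m = LINE_RE.match(line)
        if m:                                     # skip lines that do not parse
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["path"].split("?", 1)[0]].append((ts, m["ip"]))
    bursts = {}
    for path, events in hits.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Slide the window so it spans less than `window`; a fixed
            # per-minute bucket would split a burst that crosses :00.
            while ts - events[start][0] >= window:
                start += 1
            ips = {ip for _, ip in events[start:end + 1]}
            best = bursts.get(path, (None, []))[1]
            if len(ips) >= min_ips and len(ips) > len(best):
                bursts[path] = (events[start][0], sorted(ips))
    return bursts

def _line(ip, hms, path):                         # builds one constructed log line
    return (f'{ip} - - [12/Jan/2025:{hms} +0000] "GET {path} HTTP/1.1" '
            f'200 5120 "-" "Mozilla/5.0"')

OLD, NEW = "/threads/old-topic.1234/", "/threads/new-topic.9999/"  # hypothetical paths
SAMPLE = [  # constructed traffic; IPs are from the documentation ranges
    _line("192.0.2.10", "10:14:50", OLD), _line("198.51.100.7", "10:14:53", OLD),
    _line("203.0.113.5", "10:14:58", OLD), _line("192.0.2.44", "10:15:02", OLD),
    _line("198.51.100.90", "10:15:09", OLD), _line("203.0.113.61", "10:15:20", OLD),
    _line("192.0.2.10", "10:15:21", OLD),         # repeat visitor, not a new IP
    _line("192.0.2.200", "10:02:00", NEW), _line("198.51.100.201", "10:31:00", NEW),
]

if __name__ == "__main__":
    for path, (start, ips) in find_bursts(SAMPLE).items():
        print(f"{path}: {len(ips)} distinct IPs within 60s of {start:%H:%M:%S}")
```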
 
We've already seen this and it has to be a bot network of compromised devices. There's no way 20-30 random people clicked on some obscure thread that has no links posted elsewhere on the internet. We already block about 90% of known VPN services, so we see a lot of visits from normal ISPs spread across the globe, which I believe is indicative of the bot infections. The user-agents look almost normal, so it does appear to be a normal user. In any case, when a large group of hits come to one thread at the same time or within the same minute, I believe it's a bot system, for what purpose... I don't know.
 
We've already seen this and it has to be a bot network of compromised devices.
...
In any case, when a large group of hits come to one thread at the same time or within the same minute, I believe it's a bot system, for what purpose... I don't know.

That's what I was thinking to myself. And that's one of the few things that explains this.

I know some of our users use VPNs, not many, but I know that I may have no choice but to start tracking these down and issuing managed challenges.
 
These are scrapers, using resident proxies. They probably grab content to train AI models. This has been excessively discussed in various threads over the last months, so possibly no benefit for yet another thread with the same topic, discussing everything back from the start again. Have a look at this thread, this is the most active one about the topic:

 