[TAC] Bot Arrestor

[TAC] Bot Arrestor [Paid] 2.0.12

It's a well known member, premium (paid) even. He's contacted us, so I'll let you know what he says. What I copied is the entire log entry (it's empty under recent visits).

I've added another detection for session switchers (2.00.03), just to make it a bit more thorough that humans are never detected, but at this point I'm not sure I needed to... we'll find out, I hope.
 
Have a chat with this member. I would play it dumb and ask just if they did anything unusual with their browsers (I would be interested in their response).

User says he has no idea how to use Linux, never used it, etc. Says he uses Chrome on Windows 7 exclusively...
 
Bizarre. Have a look at your access logs; it certainly looks like the same IP has used FF10 on Linux.

If you have cPanel,
go to Logs >> Raw Access Logs

or

FTP Location
../logs
or
../access-logs

at 9:43 PM (not sure what day this was now)
65.8.151.82 ::
Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0 (Chrome)

link to this user agent

It is a very unusual user agent string; note the "(Chrome)" on the end.

FF on linux should be:
Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0

Does he seem honest? If so, I wonder what's going on.

If the access logs also show this, then DeDos wasn't wrong to pick it up (it also wasn't wrong to spit out the real user when JS was detected). But what actually happened... ???

Google Dev tools/Google Plugins/User botting/error in server detecting the user agent/Botnet ... I'm not sure at this point, I was hoping the user might reveal something. But what happened was definitely a session switch (there were 3 sessions detected for this IP at the point of detection), and that is a strange user agent
 
If you want to catch scrapers even faster, you can add suspicious hosts to the secret ingredient 2

These are some hosts/VPNs/Tors/proxy servers/cloud servers that I have on my list (which I have found to be top DeDos offenders):

.amazonaws.com, colocrossing, .contina.com, quadranet.com, .tor-, -tor., .tor., tor-exit, torproxy, tor.exit, torserver, tor.het, .geoca.st, colocall.net, tuthost.ua, azure., privacyfoundation, ip-pool.com, vpnsvc.com, nullbyte.me, heroku.com, .sevpn.com, .alexhost.md, .SteepHost.Net, host1dns.com, serverdale.net, globaltap.com, heilink.com, vultr.com, dataclub.biz, s51430.net, cloudatcost.com, masharikihost.com, scalabledns.com, novalayer.net, unmetered.com,

I've personally gone a little bit further and even added some ISPs that I've found to be top offenders from certain countries that I do not expect traffic from, do not block these if you have real traffic from Ukraine/Russia/China etc:

netbynet.ru, corbina.ru, cpx.ru, ertelecom.ru, elcom.ru, comcor-tv.ru, .mts.ru, a4321.ru, .sat-dv.ru, qwerty.ru, maxnet.ua, .com.ua, .net.ua, nephax.eu,poneytelecom.eu, triolan.net, .eonix.net, .mysipl.com, enjoy.ne.jp, .digicube.fr, .contina.com, .ztomy.com, .krypt.com, embarqhsd.net, chinamobile.com, fastwebserver.de, .cantv.net, gemwallet.biz, .net.il, .totbb.net, ziggo.nl, .163data.com.cn, .enn.lu, kyivstar.net, turkrdns.com, .chello.pl, tpnet.pl, 1113460302.com, .2015.com, .com.cn, .vdc.vn, .hinet.net, .ukrtel.net

Hosts, Tors, proxies are highly likely to be bots

ISPs are less likely (unless you do not expect traffic from this country)

By adding these to the list, the detection is more severe. Of course, if js is detected later, the user is still let back into the site if you do not tick the option to update htaccess.

If you have certain bots on your site that are targeting you specifically, it is likely you have a certain subset of bots. By going through your DeDos logs and clicking each row, you will often see the host name. This allows you to build up a suspicious host list that is relevant to your site under attack (obviously do not block ISPs that allow relevant traffic to your site, instead block hosts/tors proxies and only ISPs that you do not want traffic from)
 
Just out of interest, did the user even notice the 401?

It should be designed to show a 401 if detected as a bot, but if detected as a real human this will only very quickly flash up then redirect them to the page they were looking at (so if a false pos was ever to occur .. which it shouldn't, humans shouldn't even notice)

However, if they were botting, they probably would notice.

There is now an extra check in place to be more thorough that humans are never detected as sessions switchers
 
So...stupid question, but when you say secret ingredient, then tell us not to reveal it, but then you post what it is here, isn't it revealed? Confused...
 
Secret ingredient 2 is no real secret, but secret ingredient 1 [removed]

I'm saving over 1.5 gig a month from killing off bots early, and my poor CPU now loves me again. I really don't want bots / other plugin developers / XenForo core to use this idea and publish it (it's not something bots developers are likely to guess, unless we wave a red flag at them).

I am almost talking about it, ugh

Anyway... no more public talk of secret ingredient 1 :)

Sigh.. you might be right, I'm chopping out how much I talk about Secret Ingredient 1
 
I don't think the user noticed a 401. I have confidence it's a legit user, he's a long time supporter and legit bassist. After upgrading to .03, user was again added to the cache with the same log entry. I'm asking him what Chrome extensions/addons he's using and will report back.

I have another legit user with the same issue now, same weird user agent. User remained locked out (there is no javascript detection log entry). This is from a few days ago, on Thursday:

Code:
IP address added to cache: 99.4.126.56
Session User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0 (Chrome)
Log Time: Thursday at 11:56 PM
User: User not logged in
JavaScript Detected: False
Has Cookie: True
Session ID: b07c8175fa0cfa739df219160fdfbfe2
gethostbyaddr(99.4.126.56) = 99-4-126-56.lightspeed.sntcca.sbcglobal.net
Friendly messages in this session: 0
gethostbyname(99-4-126-56.lightspeed.sntcca.sbcglobal.net) = 99.4.126.56
Proxy Header: No Proxy Found
Recent Visits at Log Time
[unix_timestamp](human_readable_time) => url_location

[1431665773](Thursday at 11:56 PM) => http://www.talkbass.com/threads/another-effects-chain-suggestion.1152456/
[1431665773](Thursday at 11:56 PM) => http://www.talkbass.com/threads/another-effects-chain-suggestion.1152456/

Extra Info
a:3:{s:32:"a87755bdb911a26607233efe9496467b";a:2:{s:1:"t";i:1431665755;s:1:"i";s:11:"99.4.126.56";}s:32:"b0d61a20a6f7747fa261fbcf405a2814";a:2:{s:1:"t";i:1431665759;s:1:"i";s:11:"99.4.126.56";}s:32:"b07c8175fa0cfa739df219160fdfbfe2";a:2:{s:1:"t";i:14316

And one last issue: I cannot seem to search the "locked out IPs" list. For example, when I search for the above user's IP (or any IP), this is all I get:
[Screenshot: the blank result returned by the locked-out IP search]

:)
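As an added example (not part of this thread or of the DeDos add-on itself), here is a small Python triage of a DeDos log entry in the layout quoted above. It combines the two checks discussed in this thread: the contradictory Firefox-with-"(Chrome)" user agent, and a tiered suspicious-host substring list built from the fragments posted earlier. The sample entry, the hostnames, the tier names and the forward-DNS round-trip check are my own constructions.

```python
import re

# Substring patterns constructed from the fragments in the post above, in its two tiers.
HOST_PATTERNS = {
    "host-tor-proxy": [".amazonaws.com", "tor-exit", "torproxy", "vultr.com", "heroku.com"],
    "isp-unexpected-country": ["netbynet.ru", ".com.ua", ".com.cn", ".hinet.net"],
}
# Constructed entry in the layout of the DeDos log quoted above (RFC 5737 placeholder IPs).
SAMPLE_ENTRY = """IP address added to cache: 203.0.113.7
Session User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0 (Chrome)
JavaScript Detected: False
gethostbyaddr(203.0.113.7) = tor-exit-12.example-relay.net
gethostbyname(tor-exit-12.example-relay.net) = 198.51.100.9
"""

def parse_entry(text):
    """Collect the 'Key: value' fields plus the gethostbyaddr/gethostbyname pair."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"gethostby(addr|name)\((.+?)\) = (\S+)", line)
        if m:
            fields["rdns" if m.group(1) == "addr" else "fdns"] = (m.group(2), m.group(3))
        elif ": " in line:
            key, _, value = line.partition(": ")
            fields[key] = value
    return fields

def ua_is_contradictory(ua):
    """Firefox/Gecko UA carrying the stray '(Chrome)' suffix seen in this thread."""
    return "Gecko/" in ua and "Firefox/" in ua and ua.rstrip().endswith("(Chrome)")

def host_tier(hostname):
    """First tier whose pattern list has a case-insensitive substring match, else None."""
    h = hostname.lower()
    for tier, pats in HOST_PATTERNS.items():
        if any(p.lower() in h for p in pats):
            return tier
    return None

def triage(text):
    f = parse_entry(text)
    findings = []
    if ua_is_contradictory(f.get("Session User Agent", "")):
        findings.append("ua-contradiction")
    ip, rname = f.get("rdns", ("", ""))
    tier = host_tier(rname)
    if tier:
        findings.append(tier)
    # Forward-confirmed reverse DNS (my addition): the PTR name must resolve back to the IP.
    if "fdns" in f and f["fdns"][1] != ip:
        findings.append("rdns-mismatch")
    return findings
```

The constructed entry trips all three checks; the sbcglobal.net host from the real log above matches no tier, which is the expected outcome for a residential ISP you do want traffic from.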
 
Use the full IP address to search. I noticed that no match returns that blank result (I didn't look into it at the time).
 
Hmmm, I wonder what that is. I would turn off the session switcher (it's really only useful for small forums, when there is very little chance users are not going to share their IP address).

It's not very needed anymore (I think I will turn it off by default until we know what this is).

I still think it is something strange going on (not with DeDos but their browser / computer), it would be good to get to the bottom of this. Have you had a look at your server access logs yet?

I wonder if this is Chrome doing something strange / Chrome emulation tools:
Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0 (Chrome)
 
I think I have found someone else that has seen the same issue; it sounds like elmah (used by Chrome), and it sounds like it might be triggered by another underlying issue (I noticed a script error once on your site, but it seems to have come from Google ads; I don't know if something like that would trigger it). Still, it's pretty interesting that Chrome does this. I have a feeling this is a "default" (instead of sending null) setting for user_agent.

http://stackoverflow.com/questions/28564441/elmah-reports-incorrect-user-agent-in-mvc
 
tenants updated DeDos - Anti DOS for spam bots/scrapers/tors with a new update entry:

minor fixes, changes to default option

I've fixed the admin search issue for the dedos cache

I have added a bit of code that removes session switches from the cache as soon as secret ingredient 1 is detected

I have set the default option for "Same IP Session Switcher" to false, since it won't be useful on bigger boards where a single IP could be used by many networked users.

 
tenants updated DeDos - Anti DOS for spam bots/scrapers/tors with a new update entry:

High Priority Defect Fix and Cache Information

I've fixed a high priority defect: when the webserver did not have permission to back up htaccess and the option to update htaccess was ticked, an "open stream: Permission denied" error was thrown

is_writable is now verified, and the backup creation is within a try/catch.

I have also added the amount of kB DeDos takes up in the cache (compared to other addons). I do this since DeDos relies strongly on the simple cache (to be able to block bots with 0 query overhead)

 
got this while installing:

Code:
XenForo_Exception: Invalid model 'Tac_DeDos_Model_DeDosCache' specified - library/XenForo/Model.php:192
Generated By: Unknown Account, 5 minutes ago
Stack Trace
#0 /admin/mysite/public_html/forums/library/Tac/DeDos/Listener.php(129): XenForo_Model::create('Tac_DeDos_Model...')
#1 [internal function]: Tac_DeDos_Listener::init_dependencies(Object(XenForo_Dependencies_Public), Array)
#2 /admin/mysite/public_html/forums/library/XenForo/CodeEvent.php(90): call_user_func_array(Array, Array)
#3 /admin/mysite/public_html/forums/library/XenForo/Dependencies/Abstract.php(215): XenForo_CodeEvent::fire('init_dependenci...', Array)
#4 /admin/mysite/public_html/forums/library/XenForo/FrontController.php(127): XenForo_Dependencies_Abstract->preLoadData()
#5 /admin/mysite/public_html/forums/index.php(13): XenForo_FrontController->run()
#6 {main}
Request State
array(3) {
  ["url"] => string(52) "http://portalcentric.net/forums/index.php?liveupdate"
  ["_GET"] => array(1) {
    ["liveupdate"] => string(0) ""
  }
  ["_POST"] => array(4) {
    ["_xfRequestUri"] => string(44) "/forums/threads/bo2-all-dlc-camo-fixes.5771/"
    ["_xfNoRedirect"] => string(1) "1"
    ["_xfToken"] => string(8) "********"
    ["_xfResponseType"] => string(4) "json"
  }
}
 
I have a member that is saying he got locked out. I cleared the locked out IPs for him to return later; he opened two threads in new tabs in Chrome and was locked out again. I have disabled this temporarily. Any ideas on how I can prevent this happening?
 
Your rules might be too strict, m8.. I suggest you look over the log of the Anti-DOS plugin and then tweak your rules and timers...
 
Getting these errors with 1.5.0:

Code:
Server Error Log
Error Info
Zend_Exception: No entry is registered for key 'session' - library/XenForo/Application.php:1008
Generated By: Unknown Account, 18 minutes ago
Stack Trace

#0 /var/www/html/library/Tac/DeDos/Model/Log.php(80): XenForo_Application::get('session')
#1 /var/www/html/library/Tac/DeDos/Model/Htacc.php(53): Tac_DeDos_Model_Log->logEvent(false, 5, 'dd_could_not_up...')
#2 /var/www/html/library/Tac/DeDos/Model/DeDosCache.php(66): Tac_DeDos_Model_Htacc->updateHtaccess(Array)
#3 /var/www/html/library/Tac/DeDos/Listener.php(130): Tac_DeDos_Model_DeDosCache->checkGlobalCacheForKnownDos()
#4 [internal function]: Tac_DeDos_Listener::init_dependencies(Object(XenForo_Dependencies_Public), Array)
#5 /var/www/html/library/XenForo/CodeEvent.php(90): call_user_func_array(Array, Array)
#6 /var/www/html/library/XenForo/Dependencies/Abstract.php(215): XenForo_CodeEvent::fire('init_dependenci...', Array)
#7 /var/www/html/library/XenForo/FrontController.php(127): XenForo_Dependencies_Abstract->preLoadData()
#8 /var/www/html/index.php(13): XenForo_FrontController->run()
#9 {main}

Request State

array(3) {
  ["url"] => string(85) "https://www.<REMOVED>/index.php?app=core&module=global&section=login&do=process"
  ["_GET"] => array(4) {
    ["app"] => string(4) "core"
    ["module"] => string(6) "global"
    ["section"] => string(5) "login"
    ["do"] => string(7) "process"
  }
  ["_POST"] => array(0) {
  }
}

Will there be an update for 1.5.0?

Thanks
 