March 08, 2004

Curious George: Stopping site abuse? I know that MoFi imposed some sort of waiting period to deal with this problem, but any other tried and true methods of stopping script kiddies (et cetera)?

Last week my site came under the attack of vandals who posted literally hundreds of comments and created over 30 log-ins, and all around just vandalized the site (a few of the thinner-skinned long time users picked up and left in the aftermath). Like clockwork, they've been back every weekday. They keep switching IPs (proxy-hopping?), and if I manage to successfully block them on a given day they send me a harassing e-mail instead. Today, they sent me an e-mail proclaiming, "the final assault is about to begin" and cryptically saying "We have restrained from using Brute Force and ReBRAC hacking Programs and we have found that regular old spam Works fairly well. You should not punish those other students Who use the port:3128 it is not nice" So yeah, it's a big headache. Is there a good way to stop them, or am I just going to have to disable anonymous posting and figure out how to implement e-mail verification on all new sign-ups? (As an aside, the one time their IP didn't resolve to some obscure proxy in Brazil or so forth, it traced back to a school district in Nevada. The attackers told me in an e-mail, "My friend and I are library assistants at our school for 3rd block" to which they signed (fake?) names. I shot off a couple e-mails to info@[schooldistrict].k12.us, but to no avail.)

  • These kids are obviously posting from a high school. If they're posting "like clockwork" it's because they have some time during their schoolday to do this. Simple solution: "blocks" in block scheduling are 90 minutes long. Stop posting access for anonymous people during that 90 minutes every day. It's a little extra work, sure, but... you'll frustrate them to no end.
  • I would definitely advise disabling anonymous posting, unless you really like deleting spam and the like. If you set up a waiting period, as MoFi has, then you wouldn't necessarily need to have email verification, because at this rate it's not going to be too difficult to keep up with account deletion. That may change if they set up a schedule of adding a new account every few minutes or so, at which time I would add email verification. I don't know about the specific programs they mentioned, but you can try to make sure your site is as secure as possible with proper patches installed, ports closed, and being careful with your code. It won't stop a DDoS attack, but it should handle most script-kiddie attacks. I would certainly keep the emails, but I wouldn't necessarily trust them for any sorts of information. An in-depth look at the headers and subsequent investigative work might help, but chances are they're just emailing from whatever machines they've managed to compromise so far, likely (and this is pure speculation) in an attempt to collect as many servers as possible in a Pokemon style, "gotta get 'em all" bit of afternoon fun. So if you make your system harder to abuse, I would expect some sort of short-term retaliation, followed by a period of freedom from annoyance punctuated with random and sporadic attempts to see if you've let your guard down, or if new scripts will work on your system. Prolonged attacks on a system without reward are possible, but terribly unlikely when there are many open systems out there. As I said, most of the last half of my comment is speculation based on limited data, but that's what I'd do if it were my system.
  • these nice young people, why do they hate you so?
  • Whatever you decide to do, don't let it stop you from keeping up the good work here. /buttkissing
  • I don't run a blog, but I do run a very large site that uses phpBB and has about 270 users. A while back we dealt effectively with a site nuke problem simply by reverting to manual logins and having lots of moderators. Since then we've opened it up, and our moderator presence seems to be enough of a deterrence. You're right... IP bans are useless -- there are obviously a lot more free proxies out there than I ever imagined.
  • "'Blocks' in block scheduling are 90 minutes long. Stop posting access for anonymous people during that 90 minutes every day." This is actually a good idea, and I was considering implementing it after getting your suggestions, but there have been mini-waves of attacks before 8am and after 2:30pm as well -- they're managing to get to the library to spam the site before and after school as well! Curiously enough, they've never seemed to access from their homes... "I would definitely advise disabling anonymous posting, unless you really like deleting spam and the like." I really would hate to do this. It's a poetry workshop site, and I think that anonymous posting is one of its hallmarks. Thanks for your other advice too, Sandspider. Well taken. "These nice young people, why do they hate you so?" No idea! Sometimes I've had disgruntled users spam the site, but this is definitely the worst attack yet and I can't find any evidence that the attackers had ever visited before they decided to run things to hell. "Whatever you decide to do, don't let it stop you from keeping up the good work here. /buttkissing" You must have me confused with tracicle. "Our moderator presence seems to be enough of a deterrence. You're right... IP bans are useless -- there are obviously a lot more free proxies out there than I ever imagined." You said it. I've been meaning to program a moderator interface and take on a few volunteers, but I code the site from scratch so I need to find a weekend or so to set aside to do this (same goes for e-mail verification). Thanks, all, for your generous help.
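One way to combine the suggestions in this thread (the scheduled block on anonymous posting, a MoFi-style waiting period for new accounts, and a simple per-source rate limit), as an added Python example that is not code from the thread or from the poster's site. The window times (covering the class block plus the before- and after-school waves the poster mentions), the one-day wait and the 10-per-hour limit are constructed placeholder values, and windows are compared in the server's local time.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

# Constructed policy values (assumptions, not taken from the thread).
BLOCK_WINDOWS = [(time(7, 0), time(8, 0)),      # before-school wave
                 (time(9, 0), time(10, 30)),    # the 90-minute class block
                 (time(14, 30), time(15, 30))]  # after-school wave
NEW_ACCOUNT_WAIT = timedelta(days=1)            # MoFi-style waiting period
MAX_COMMENTS_PER_HOUR = 10                      # per account or per anonymous IP


@dataclass
class Account:
    name: str
    created: datetime


@dataclass
class PostGate:
    windows: list = field(default_factory=lambda: list(BLOCK_WINDOWS))
    new_account_wait: timedelta = NEW_ACCOUNT_WAIT
    max_per_hour: int = MAX_COMMENTS_PER_HOUR
    # source_key -> timestamps of accepted posts (kept in memory for the example)
    _history: dict = field(default_factory=lambda: defaultdict(list))

    def in_blocked_window(self, now: datetime) -> bool:
        """True on weekdays while the local time falls inside a configured window."""
        t = now.time()
        return now.weekday() < 5 and any(start <= t < end for start, end in self.windows)

    def check(self, now: datetime, account, source_key: str):
        """Return (allowed, reason). account is None for anonymous posters;
        source_key is the account name, or the client IP for anonymous posts."""
        if account is None and self.in_blocked_window(now):
            return False, "anonymous posting closed during this window"
        if account is not None and now - account.created < self.new_account_wait:
            return False, "account too new to post"
        # Sliding one-hour window: drop old entries, then count what is left.
        recent = [ts for ts in self._history[source_key] if now - ts < timedelta(hours=1)]
        if len(recent) >= self.max_per_hour:
            self._history[source_key] = recent
            return False, "rate limit exceeded"
        recent.append(now)
        self._history[source_key] = recent
        return True, "ok"
```

A rejected anonymous post during a window can still be shown a "try again later" message rather than an error, which keeps anonymous posting as a feature of the site while closing the hours the attackers actually use.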