How to fight off bots attacking your site

robots taking jobs 16
Credit: REUTERS/Stringer

Imagine 60 attacks an hour? Fighting them off and then reporting them is more than a full-time job.


I took over admin duties for a popular community website. It’s popular with bots. The bots have been busy trying to crack the site. They’re getting fairly good. They have a few non-intuitive genuine user names, now that they’ve tried the usual: admin, root, and so forth—with dictionary password attacks.

I installed an app into the website that shows failed administrative logon attempts. There are a number of these apps available, depending on the website engine that’s used. This one in its freeware version will list all of the source IPs and DNS info from the host that tried to attempt a failed login. The IPs can be subsequently blocked. For now.

These failed logons happen at the rate of about more than 60 an hour, each and every hour of the day. Most are in the same IP address blocks, from about 30 different sources. These range from Davis, Calif., to Sydney, Australia, to Dakar Senegal, to Provo, Utah. I’m guessing that the nature of these is that they’re all bots of varying kinds, working slowly and methodically towards getting logon. What the scripts do after that? I’m guessing the results are gruesome, but I can’t know this.

I complain to the source hosting organizations determined by IP and DNS. Sometimes this does the job of killing the attempts. GoDaddy, after a five-minute wait on the phone, was sufficiently abhorred that one of their CIDR blocks was infected badly. Suddenly, their noise stopped. Others, like don’t have a phone, only an email abuse account. Some places don’t even have that.

There is the traditional whois service (available on most modern machines except Windows) or one of many online whois services—to track things down. Traceroute, another app, can try to find the ultimate destination, and failing that, you can try to find DNS records that point to a host IP address block, and who “owns” that. This is where to complain. These are people that can ostensibly do something about the problem. I like, but they refuse anonymous requests unless you’re willing, each time to prove you’re not a robot. Blah.

As the result of a complaint, you might get a response. When and if you can get someone on the phone, they’ll listen, and perhaps commiserate. Once action is taken, then the crack attempt rate goes down to perhaps 59+ per hour, each and every hour.

So: it’s like Whack-A-Crack.

What can be done? You can’t just spend a day at the console, reporting each and every one of the failed admin logon attempts, right?

First, you can vote out every politician that doesn’t know the difference between UDP and a live hand grenade. But public policy is in the dark ages, largely benefiting only the madness of not pressuring the IETF to bring ISPs to task for security madness across Planet Connected Earth. We seem to keep stupid politicians in office because we think we can control them somehow. Trust in government data policy is at an all-time low, barring occasional even temperament at the FCC.

What can be done? You can take the usual security precautions. If you don’t know these by now, give up and go into insurance sales.

It’s a miracle that the site hasn’t been cracked, owing to the designer’s good design, and my predecessor’s intelligence in changing their infrastructure so as to prevent the bots from being able to get in. No one’s attempted other kinds of cracks. Yet.

I propose, therefore, the DirtyBird Protocol. IETF 666-666. It would transmit offender information in XML to a hosting administrative account for investigation. Each ISP would be required to look at the query and deal with it, and then upload the results to The Monster DB of Bad Guys. Failure to do so would revoke any ICANN allocation you had, period, end of business. Your CIDR blocks would be routed-around, goodbye and good riddance. The people that do the XML file send also attach their personal certificate, traceable to a root certificate that has certified them. Auditors found to be compromised have their certs revoked, and must apply for new ones. Summary: you lose your organization’s IP allocations until you address genuine problems, including unauthorized attempted logons to root over SSH, etc etc.

Oh, so you have to hire more personnel to deal with actual problems, dear ISP? Tough bananas. This also goes for your email abuse account problems, dear Google and Yahoo…. for the 20 emails I get per hour that constitute spam, may your business model rot.

Today, I blocked something like a hundred addresses, and this is a tiny site. I can only imagine the threat intelligence specialists minting money until we finally resolve that ISPs must whack errant hosts. Until then, we all suffer.

Must read: Hidden Cause of Slow Internet and how to fix it
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies