Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 10 Jan 2017, 16:46
X-or X-or is offline
 
Join Date: Nov 2005
Heavy hitting IP

hello I would like to know how to handle certain heavy hitting IP

once in a while I look at the awstats logs and find some abnormally heavy hitting IPs
for example

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Not only the page views are abnormally high for a single individual but the page/hit ratio is also abnormal

I don't think it is a ddos attack because I have ddos protection, I assume this activity is the result of some kind of script, not sure if malicious or not

I have two questions :
1. should I ban these IP
2. is there a way to automatically detect this kind of activity and ban the offenders?
Reply With Quote
  #2  
Old 10 Jan 2017, 16:51
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
It could be a crawler or someone running a script, hard to tell. If you have access to your access logs then you should filter it by those IP addresses and see what they are doing.

To answer your questions:
1. You could if you think it's fishy, but you don't know whether they have a dynamic or static IP. Banning dynamic IP addresses is pretty much useless.
2. It depends on what they are doing. If it's a flood then your DDoS protection should block it. It's hard to tell from our position. Check your access logs and find out what it's doing.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #3  
Old 10 Jan 2017, 17:05
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
You could ask those members what they are doing and tell them to stop.
Worst case scenario, ask your host to tweak your settings or implement a JavaScript check screen. CloudFlare does this to prevent attacks or to lower impact on the server since bots usually don't have JavaScript support.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #4  
Old 10 Jan 2017, 17:19
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
It checks whether the user has JavaScript enabled. You can't implement it, it has to be enabled by your host but not all hosting companies provide such feature.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #5  
Old 10 Jan 2017, 17:39
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
Alternative? Use CloudFlare, Incapsula or Securi.
They all provide website and DDoS protection services which all only require a change to your domain its name-servers.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #6  
Old 10 Jan 2017, 17:40
Paul M's Avatar
Paul M Paul M is offline
 
Join Date: Sep 2004
Real name: Paul M
What problem is it actually causing you ?
__________________
Former vBulletin.org Staff Member


Cable Forum
Please do not PM me about custom work - I no longer undertake any.
Note: I will not answer support questions via e-mail or PM - please use the relevant thread or forum.
Reply With Quote
  #7  
Old 10 Jan 2017, 18:09
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
Then I'm afraid there are no other options. The traffic you don't want to be reaching your server has to be stopped before it even reaches your server/network.

A PHP script will not help you with that since it will be hitting that PHP script and still cause "load" on your server. Then you have to figure out the patterns of those bots and make rules in the PHP script that block these requests.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #8  
Old 10 Jan 2017, 20:37
Paul M's Avatar
Paul M Paul M is offline
 
Join Date: Sep 2004
Real name: Paul M
Originally Posted by X-or View Post
Not entirely sure
The might I suggest you stop worrying about a problem you dont have.


Originally Posted by X-or View Post
but sometimes my sites are kind of slow, despite having enough power to deal with the traffic
Which seems contradictory, but many things can make a site seem slow at times, many having nothing to do with the site itself.

You seem to be inventing an issue where you have no actual proof there is a problem.
__________________
Former vBulletin.org Staff Member


Cable Forum
Please do not PM me about custom work - I no longer undertake any.
Note: I will not answer support questions via e-mail or PM - please use the relevant thread or forum.
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 12:05.

Layout Options | Width: Wide Color: