fake phpBB user sessions crashing server

 
joey
Site Admin


Joined: 28 May 2002
Posts: 3601

Posted: Fri Sep 01, 2006 9:21 pm    Post subject: fake phpBB user sessions crashing server

There's a flood of fake phpBB user sessions, coming from numerous different IP addresses, crashing the whole server every few hours.

Probably spambots.

Fellow admins: any thoughts on solving this?

Note that I tried my best to install bad behavior, but its header-pushing ways conflicted with sessions.php and page_header.php no matter what I tried.

Joey
www.webcomicsnation.com
joey
Site Admin


Joined: 28 May 2002
Posts: 3601

Posted: Fri Sep 01, 2006 9:27 pm    Post subject: Re: fake phpBB user sessions crashing server

A large number of the spambots seem to have IP addresses that resolved to:

red.telefonica-wholesale.net

I know that Reinder has banned an entire ISP or two before, but I don't know how to do this. Any help?

Joey
reinder
Modern Tales Family Cartoonist


Joined: 29 May 2002
Posts: 2024
Location: Groningen, the Netherlands

Posted: Sat Sep 02, 2006 10:00 am

Are there any consecutive IP ranges you can find? I can at least ban those.
By the way, from Samspade.org it looks like the Telefonica in that address is the same Telefonica, in Spain, that owned the IP ranges I banned earlier.

Two problems with banning all of Telefonica:

1) They are a near-monopolist in Spain;
2) They are aggressively expanding into other countries, buying up ISPs and privatised telephone companies left and right. One of the companies they have their eyes on is the Dutch Telephone Company KPN, which owns several of the largest ISPs in the Netherlands. The collateral damage would, in other words, be considerable, bordering on making TAC an Anglosphere-only shop.

Reasons to do it anyway:
Telefonica has a reputation for being completely unresponsive to complaints about spam and generally deserves to be destroyed. The collateral damage would be considerable but so would the contribution to solving the spam problem.
_________________
Reinder Dijkhuis
Rogues of Clwyd-Rhan | Blog |
Preorder Headsmen minicomic now
joey
Site Admin


Joined: 28 May 2002
Posts: 3601

Posted: Sun Sep 03, 2006 10:02 am

Okay, so, here's the thing.

I looked at the user sessions in the actual database table, and I found some weirdnesses with the spambots:

1. They were showing up with user_id numbers that were less than -1. Apparently a non-logged-in user is supposed to show up with a user_id of -1 (I tested this myself while I had the TAC forums hidden on the server, by coming to the site as a non-logged-in user), and a logged-in user, of course, shows up with his/her actual user id in the sessions table. These guys were showing up with user id numbers of -6 or -8 or -9, which technically shouldn't be possible -- meaning that they are probably screwing with the scripts by sending along weird querystrings -- perhaps this is a new bug in phpBB that is just now being exploited (I've noticed that most of the bugs in phpBB in the past have related to poor filtering of user input). So I changed sessions.php to take any user session that is less than -1 and change it to -1 before adding it to the database.

2. They were showing up with page numbers that were also negative. I changed sessions.php to die if a user requested a page number that was negative.

This seems to have stabilized the server for now, though we are still getting flooded.

Joey
www.talkaboutcomics.com
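
Added example, not part of the thread or of phpBB: a triage script for rows exported from the sessions table that flags the two oddities described in the post above and groups the source addresses into CIDR blocks, the "consecutive IP ranges" asked about earlier in the thread. The row layout, thresholds, function names and sample addresses are constructed assumptions; compare flagged rows with known-good traffic on your own board before banning a range.

```python
import ipaddress
from collections import Counter

ANONYMOUS = -1  # user_id the post reports for a visitor who is not logged in

# Constructed sample rows: (user_id, page, client IP). Documentation addresses only.
SAMPLE_ROWS = [
    (-1, 0, "198.51.100.7"),     # ordinary guest
    (42, 3, "192.0.2.10"),       # ordinary logged-in member
    (-6, -2, "203.0.113.5"),
    (-8, 0, "203.0.113.77"),
    (-9, -4, "203.0.113.200"),
    (-7, 0, "203.0.113.201"),
    (-6, 1, "198.51.100.130"),
    (-1, -1, "198.51.100.131"),
]


def is_anomalous(user_id, page):
    """True for the oddities reported in the post: user_id below -1 or a negative page."""
    return user_id < ANONYMOUS or page < 0


def suspect_networks(rows, prefix=24, min_hits=2):
    """Count anomalous sessions per /prefix network; keep networks with >= min_hits."""
    hits = Counter()
    for user_id, page, ip in rows:
        if is_anomalous(user_id, page):
            # strict=False masks the host bits, giving the enclosing network
            hits[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
    return {net: count for net, count in hits.items() if count >= min_hits}


def ban_ranges(rows, prefix=24, min_hits=2):
    """Merge adjacent suspect networks into the fewest CIDR blocks, sorted."""
    nets = suspect_networks(rows, prefix, min_hits)
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for block in ban_ranges(SAMPLE_ROWS):
        print(block)
```

Raising `min_hits` or narrowing `prefix` reduces the collateral damage of a ban at the cost of missing thinly spread sources.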
joey
Site Admin


Joined: 28 May 2002
Posts: 3601

Posted: Mon Sep 11, 2006 8:32 pm

After running unabated for about two weeks, the flood seems to have ended just as abruptly as it began.

Weird.

Maybe EV1 (or somebody further upstream) put some sort of filtering mechanism in place for whatever kinds of requests the flooders were making.

Joey
www.webcomicsnation.com
joey
Site Admin


Joined: 28 May 2002
Posts: 3601

Posted: Sun Sep 17, 2006 8:35 pm

Well, they're back, and they managed to crash the server again.

Joey
All times are GMT - 5 Hours