Results 1 to 10 of 38
#1 TheGAME1264 (Unpaid WDF Intern; joined Dec 2002; location: Not from USA; 14,485 posts; member #425; liked 2783 times)
    Hi guys,

    This isn't actually my server. it's a client's. I'm going to keep the client nameless (mostly because of the client's client), but the hosting plan is a HostGator VPS.

    I saw this report from the Parallels Power Panel, and the incoming traffic seems disproportionately high compared to outgoing (I would have thought incoming would be a lot less). I'm unfamiliar with PPP, however, and I'm wondering if anyone has seen something similar.

    Thanks.

[attachment: bot-traffic-log.png]
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)


#2 Banned member (joined May 2011; location: Fairfax, CA; 2,036 posts; member #28003; liked 126 times)
It could be some sort of DDoS attack?

#3 Webzarus (Senior Member; joined May 2011; location: South Carolina Coast; 3,322 posts; member #27709; liked 770 times)
At that level of traffic (GB) over a month's period, it's hard to say; the only way to really tell is to see what's going on there. Do you have access to the log files? Could someone (client, hosting provider or someone else) have some sort of monitoring going on? Is that panel restricted to port 80 traffic on TCP, or is that all protocols? I've seen some of those traffic monitors set up incorrectly where they log all connections on all protocols to make it look like you're getting more traffic, when in fact the host was actually running a background monitor that was using ICMP to verify uptime but also making the site look like it was getting more requests than it actually was.

If the monitor is not set up to exclude everything except ports 80 and 443 (if running SSL), then any type of port-scanning tool can skew the numbers.

#4 TheGAME1264 (Unpaid WDF Intern; joined Dec 2002; location: Not from USA; 14,485 posts; member #425; liked 2783 times)
    I ended up finding it in the raw logs. It was a rogue torrent bot sending false HEAD requests, among other things. Thanks.
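Finding this in the raw logs, as an added example that is not code from the thread: a Python script that parses Apache/nginx "combined"-format access log lines and ranks clients by their share of HEAD requests and error responses. The log lines, addresses and the user-agent string are constructed for the demo, and the thresholds in `suspicious_clients` are assumptions; point `parse_log` at a real `access.log` and adjust them.

```python
"""Rank access-log clients by HEAD-request share.

Added example, not code from the thread. Parses Apache/nginx "combined"
log lines and flags clients whose traffic is dominated by HEAD requests
and error responses. The log lines, addresses and user-agent string
below are constructed for the demo; the thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict

# Combined log format:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one tracker-style client sending mostly HEAD requests
# for paths that do not exist, plus two ordinary visitors and one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:06:01:02 -0600] "HEAD /announce?info_hash=a1 HTTP/1.0" 404 - "-" "TorrentClient/1.0"
203.0.113.7 - - [10/Mar/2013:06:01:03 -0600] "HEAD /announce?info_hash=a2 HTTP/1.0" 404 - "-" "TorrentClient/1.0"
203.0.113.7 - - [10/Mar/2013:06:01:04 -0600] "HEAD /announce?info_hash=a3 HTTP/1.0" 404 - "-" "TorrentClient/1.0"
203.0.113.7 - - [10/Mar/2013:06:01:05 -0600] "GET /scrape HTTP/1.0" 404 162 "-" "TorrentClient/1.0"
198.51.100.20 - - [10/Mar/2013:06:02:00 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2013:06:02:01 -0600] "GET /style.css HTTP/1.1" 200 812 "http://example.test/" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2013:06:03:00 -0600] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not a log record and is skipped
"""


def parse_log(text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarise(records):
    """Per-client totals: requests, HEAD requests, 4xx/5xx responses,
    response bytes sent back, and the user agents seen."""
    stats = defaultdict(lambda: {"total": 0, "head": 0, "errors": 0,
                                 "bytes_out": 0, "uas": Counter()})
    for r in records:
        s = stats[r["ip"]]
        s["total"] += 1
        if r["method"] == "HEAD":
            s["head"] += 1
        if r["status"][0] in "45":
            s["errors"] += 1
        if r["bytes"] != "-":
            s["bytes_out"] += int(r["bytes"])
        s["uas"][r["ua"]] += 1
    return dict(stats)


def suspicious_clients(stats, min_requests=3, head_ratio=0.5):
    """Clients seen at least min_requests times whose HEAD share is at
    or above head_ratio, busiest first."""
    hits = [ip for ip, s in stats.items()
            if s["total"] >= min_requests and s["head"] / s["total"] >= head_ratio]
    return sorted(hits, key=lambda ip: -stats[ip]["total"])


if __name__ == "__main__":
    stats = summarise(parse_log(SAMPLE_LOG))
    for ip in suspicious_clients(stats):
        s = stats[ip]
        ua, _ = s["uas"].most_common(1)[0]
        print(f"{ip}: {s['total']} requests, {s['head']} HEAD, "
              f"{s['errors']} errors, {s['bytes_out']} bytes out, UA {ua!r}")
```

The `bytes_out` column is also the answer to the inbound-vs-outbound puzzle in the first post: a HEAD response carries no body, so each such request costs the server a full set of inbound request headers but only a status line and headers on the way out, which is why a HEAD-heavy bot shows up in a traffic panel as inbound far exceeding outbound.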

#5 Webzarus (Senior Member; joined May 2011; location: South Carolina Coast; 3,322 posts; member #27709; liked 770 times)
Good to know, didn't think of that.

Had the site been compromised in the past? Just wondering why a torrent bot would try to connect to a clean site.

#6 TheGAME1264 (Unpaid WDF Intern; joined Dec 2002; location: Not from USA; 14,485 posts; member #425; liked 2783 times)
That's what I just learned today... the domains (it's actually a site with 44,000 different domains set up for a registry company) were previously used. The previous development company was upset that they lost the contract, and to get a few bucks on the way out (and to be malicious) pointed the domains at Viagra sites, affiliate car rental sites, and all sorts of other stuff. So something related to that probably happened to trigger it.

#7 Webzarus (Senior Member; joined May 2011; location: South Carolina Coast; 3,322 posts; member #27709; liked 770 times)
And that's why any company with that many resources has a firewall in place...

If they don't, they are just asking for problems, because if these bots are making that many HEAD requests, they are also sending out other protocol requests that aren't showing in the web hosting monitor (which typically only sees HTTP requests), but the network card is getting hit with all the other protocol requests.

Since this site is on a VPS, perhaps they run it through a firewall and filter the non-port-80/443 requests? Don't know.

#8 TheGAME1264 (Unpaid WDF Intern; joined Dec 2002; location: Not from USA; 14,485 posts; member #425; liked 2783 times)
    You would think that, but then again the end company in question isn't particularly on the ball despite being a registry. They have their own servers in multiple countries, but my client ended up needing to get a VPS to host the domains themselves.

It is run through a firewall, since HostGator is the host, but they don't really have much of a clue when it comes to bot blocking. I'm not an expert on it by any means, either, but these guys are really not dialed in.

#9 Webzarus (Senior Member; joined May 2011; location: South Carolina Coast; 3,322 posts; member #27709; liked 770 times)
If they are legitimate torrent bots they are going to be coming from the same IP blocks for most requests. If they are rogue bots, like spam bots, they are going to be coming from a round-robin list of IPs, some of which will be running through proxy servers and/or spoofed IPs.

Doing reverse DNS lookups will show if they are coming from, say, a spoofed IP address running on Time Warner Cable in SC or Comcast in NJ. If they appear to be spoofed, I'd request a 3-6 month block for these IP addresses by the host firewall.

Typically, when any of my clients are getting hit by spam bots hard and heavy, I send an abuse report to the IP block manager informing them that someone is abusing their network or spoofing an IP address from their IP block. If they are actually coming from their network, they will isolate them and fix the issue (someone has an open wifi connection); if it's spoofed, then they've probably left a DNS permission for update open somewhere.

This usually only works and is addressed by US-based carriers, although I've gotten some good responses from some EU providers for pointing out something they are not aware of. In other cases, I never hear anything from them (embarrassment or arrogance, probably), but the spoofing or traffic from their network stops.

Never had any issues resolved by reporting China-based issues; I usually just end up blocking them from my firewall.

Most spam bot and torrent bot operators are script kiddies, which means if you get the IP address holders to fix the issues allowing the script kiddies to run their programs, you take a bunch of them out just by them doing their job (securing their networks).
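Sorting the offending addresses by block and checking their reverse DNS, as an added example that is not code from the thread: the script below groups offender IPs by enclosing /24 (concentrated blocks versus a scattered round-robin list) and runs a forward-confirmed reverse DNS check on each, which is what you want in hand before writing to a block's abuse contact. Lookups go through a resolver object so the demo runs offline on a constructed PTR/A table; `DnsResolver` does live queries through the system resolver. All addresses and hostnames are hypothetical. One caveat on the post above: a completed HTTP request rides on an established TCP connection, so its source address cannot have been forged; FCrDNS tells you whether a PTR name is genuine, not whether the packet's source was spoofed.

```python
"""Group offending addresses by network block and forward-confirm their
reverse DNS.

Added example, not code from the thread. Lookups go through a resolver
object so the demo runs offline on a constructed PTR/A table; use
DnsResolver for live queries. Addresses and hostnames are hypothetical.
"""
import ipaddress
import socket
from collections import defaultdict


class DnsResolver:
    """Live lookups through the system resolver."""

    def ptr(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def a(self, name):
        try:
            return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
        except socket.gaierror:
            return set()


class TableResolver:
    """Offline stand-in backed by dicts of PTR and A records."""

    def __init__(self, ptr, a):
        self._ptr, self._a = ptr, a

    def ptr(self, ip):
        return self._ptr.get(ip)

    def a(self, name):
        return set(self._a.get(name, ()))


# Constructed data: three offenders in one /24 and one elsewhere. The PTR
# for .9 names a host that does not resolve back to it; .12 has no PTR.
SAMPLE_OFFENDERS = ["203.0.113.7", "203.0.113.9", "203.0.113.12", "198.51.100.20"]
SAMPLE_RESOLVER = TableResolver(
    ptr={
        "203.0.113.7": "c-203-0-113-7.cust.example.net",
        "203.0.113.9": "mail.example.org",
        "198.51.100.20": "vps20.hosting.example.com",
    },
    a={
        "c-203-0-113-7.cust.example.net": ["203.0.113.7"],
        "mail.example.org": ["192.0.2.1"],
        "vps20.hosting.example.com": ["198.51.100.20"],
    },
)


def group_by_prefix(ips, prefixlen=24):
    """Map each enclosing network (default /24) to the offenders inside it,
    preserving input order within a block."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(ip)
    return dict(groups)


def fcrdns(ip, resolver):
    """Return (ptr_name, confirmed). confirmed is True only when the PTR
    name resolves forward to an A record set containing ip."""
    name = resolver.ptr(ip)
    if name is None:
        return None, False
    return name, ip in resolver.a(name)


def classify(ips, resolver, prefixlen=24):
    """Per offender: its block, how many offenders share that block, the
    PTR name, and whether the PTR is forward-confirmed."""
    report = {}
    for net, members in group_by_prefix(ips, prefixlen).items():
        for ip in members:
            name, ok = fcrdns(ip, resolver)
            report[ip] = {"block": net, "block_size": len(members),
                          "ptr": name, "confirmed": ok}
    return report


if __name__ == "__main__":
    for ip, info in classify(SAMPLE_OFFENDERS, SAMPLE_RESOLVER).items():
        print(f"{ip:15} {info['block']:18} peers={info['block_size']} "
              f"ptr={info['ptr']} confirmed={info['confirmed']}")
```

Read the report the way the post suggests: a block with several offenders and confirmed PTRs under one provider's domain is a candidate for an abuse report to that block's contact (the WHOIS abuse address for the network), while addresses that are scattered across many blocks with missing or unconfirmed PTRs are the ones you simply drop at the firewall.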

#10 Banned member (joined May 2011; location: Fairfax, CA; 2,036 posts; member #28003; liked 126 times)
You could put the sites through CloudFlare.


Powered by vBulletin® Version 4.2.3
Copyright © 2019 vBulletin Solutions, Inc. All rights reserved.