: Bot POST flood prevention Since half february I noticed an increase in traffic to a very small website, which started to mail me an access log daily. The bot requests the homepage over and
Since half february I noticed an increase in traffic to a very small website, which started to mail me an access log daily.
The bot requests the homepage over and over, posting some content in a form with a "3+6=?" verification. At first these messages contained links to other websites. Therefor I decided to block with php all messages containing "href", "http", or "www". This removed the spam for a while, but soon new posts were made with random content like "which university you go to", "i am good", ...
So I added a honeypot, a field that should be empty, which in a few hours was overcome by the bot. Then I added a hidden field with an obfuscated timestamp which manages to keep 99,99% of the posts out. So no more bad data is stored, but the bot still uses the website's resources.
The flood consists of thousands of requests, and seems to become more intense over time.
I have found a lot of information which is similar to my problem, but I do not understand how to implement any. How can I prevent this bot from using my website's resources?
Below are an image showing the flood and an excerpt of the access log (in which example.com is actually the website name). These hits are not recorded by google analytics.
188.143.232.26 - - [11/Mar/2016:15:01:52 +0100] "POST /index.php HTTP/1.1" 200 7367 "http://www.example.com/index.php?p=Home" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.143.232.26 - - [11/Mar/2016:15:01:53 +0100] "POST /index.php HTTP/1.1" 200 7367 "http://www.example.com/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.143.232.26 - - [11/Mar/2016:15:01:53 +0100] "POST /index.php HTTP/1.1" 200 7162 "http://www.example.com/index.php?p=Home" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.143.232.26 - - [11/Mar/2016:15:01:53 +0100] "POST /index.php HTTP/1.1" 200 7152 "http://www.example.com/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.143.232.70 - - [11/Mar/2016:15:02:02 +0100] "GET /index.php?p=Home HTTP/1.1" 200 6753 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.143.232.70 - - [11/Mar/2016:15:02:02 +0100] "POST /index.php HTTP/1.1" 200 7274 "http://www.example.com/index.php?p=Home" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.143.232.70 - - [11/Mar/2016:15:02:02 +0100] "POST /index.php HTTP/1.1" 200 7274 "http://www.example.com/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.143.232.70 - - [11/Mar/2016:15:02:02 +0100] "POST /index.php HTTP/1.1" 200 7212 "http://www.example.com/index.php?p=Home" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.143.232.70 - - [11/Mar/2016:15:02:02 +0100] "POST /index.php HTTP/1.1" 200 7212 "http://www.example.com/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
188.143.232.70 - - [11/Mar/2016:15:02:02 +0100] "POST /index.php HTTP/1.1" 200 7230 "http://www.example.com/index.php?p=Home" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
More posts by @Kimberly868
1 Comments
Sorted by latest first Latest Oldest Best
You have a couple of options here that may help:
1) Lock out very old browsers and user agents that don't make sense.
2) Load the form with ajax after JS detects mouse/tap movement and confirms against server side session token.
3) Use a better captcha such as reCaptcha.
4) Use a throttler at a decent rate such as 8-10 requests every 5 secs get blocked for 30.
5) Blacklist every country that you don't need visits from.
6) Blacklist ASN's of top spam hosts/ISP's.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.