Russian bots again straining this forum

PaulStoffregen

Well-known member
The bots that caused trouble earlier this year are back again. Or they never really left, but blocking slowed them down and increasing memory limits let this server handle the load... until now.

We were down for at least 6 minutes yesterday (maybe longer?) according to a few thousand lines in an error log. :(

If you see the forum down for an hour or two, please email me directly. The problems usually manifest as an error about some particular table being full, or the site just doesn't respond at all to most requests and is painfully slow when it can load pages.
 
Looks like the bot troubles might be 2 or 3 distinct groups.

Russians are definitely behind a campaign attempting to create forum accounts. Even though the problem has been ongoing and seems to have massively increased a few weeks ago, it really got my attention just a few days ago. Some of that traffic is actually from Russia, but most is through shady VPN services. I'm pretty sure it's all from Russia, because the accounts which don't get immediately rejected end up being accessed from a huge number of different IP netblocks, mostly VPNs but also some directly from Russia. While digging into the details, about half of the VPNs are from PureVoltage Hosting who have a pretty bad reputation. Some of the PureVoltage netblocks which are now registered as USA are actually portions of larger Russian IP netblocks which I banned a couple years ago.

However, other bot activity seems to be just accessing the site without attempting to create accounts. Google, Bing/Microsoft, Facebook and plenty of others do this without causing problems. But someone accessing mostly from Vietnam and China, plus a massive global botnet, occasionally hits the site at over 100 requests per second, which seems to be the limit where we start to run out of resources. Their software is probably designed around different forums. It's easy to spot in the server log because they add a big query string to every request, which XenForo does sometimes use but it isn't part of normal traffic. This morning's server log has about 650,000 accesses from midnight to 5am, almost all apparently from this botnet judging by the look of those URLs with not-normally-used query strings.

A third group that I believe may be low wage human workers rather than bots regularly hits the site from Bangladesh, Pakistan and India. Most of the spam we actually see comes from them. Reporting those spam posts really does work. Currently we have a policy where 3 reports sends a message to the moderation queue, effectively removing it from public view. So when you see spam here, please report it. No need to type any explanation in the report other than "spam". Quick reports do get them off the public site.
 
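The post above describes two signals that make the crawler botnet easy to pick out of the web server log: bursts above roughly 100 requests per second, and URLs carrying query-string parameters that normal XenForo traffic does not use. The script below is an added example (not the forum's own tooling) that turns those two observations into a check over Combined Log Format lines. The log lines are constructed for the example, the set of "normal" parameter names is an assumption standing in for whatever the real site sees, and the rate threshold is a parameter so the small sample can trip it; in production you would set it near the 100 req/s figure from the post.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx Combined Log Format; not real forum data.
# Second 00:00:02 holds one normal request and five crawler requests that all carry
# the same style of foreign query string from different source addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:00:00:01 +0000] "GET /threads/bot-traffic.123/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:00:00:02 +0000] "GET /threads/bot-traffic.123/page-2?order=post_date&direction=desc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2023:00:00:02 +0000] "GET /forums/general.5/?_=1696896002&offset=0&sid=a1b2c3&lang=en HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Oct/2023:00:00:02 +0000] "GET /forums/general.5/?_=1696896002&offset=20&sid=a1b2c3&lang=en HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.13 - - [10/Oct/2023:00:00:02 +0000] "GET /forums/general.5/?_=1696896002&offset=40&sid=a1b2c3&lang=en HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.14 - - [10/Oct/2023:00:00:02 +0000] "GET /threads/bot-traffic.123/?_=1696896002&offset=0&sid=d4e5f6&lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Oct/2023:00:00:02 +0000] "GET /threads/bot-traffic.123/?_=1696896002&offset=20&sid=d4e5f6&lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:00:00:05 +0000] "POST /threads/bot-traffic.123/add-reply HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

# ASSUMPTION: query parameters considered part of normal traffic for this site.
# Build the real list from your own logs; anything outside it is treated as suspicious.
ASSUMED_NORMAL_PARAMS = frozenset({"page", "order", "direction", "q", "tab"})

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse Combined Log Format lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Parameter names only; values vary per request and are not needed here.
        rec["params"] = set(parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True))
        records.append(rec)
    return records


def unusual_query_requests(records, normal_params=ASSUMED_NORMAL_PARAMS):
    """Requests whose query string carries at least one parameter outside the allow-list."""
    return [r for r in records if r["params"] - normal_params]


def requests_per_second(records):
    """Count requests per wall-clock second (log timestamps have second resolution)."""
    return Counter(r["time"] for r in records)


def overloaded_seconds(records, rate_limit):
    """Seconds in which the request count exceeded rate_limit."""
    return sorted(t for t, n in requests_per_second(records).items() if n > rate_limit)


def summarize(text, rate_limit, normal_params=ASSUMED_NORMAL_PARAMS):
    records = parse_log(text)
    flagged = unusual_query_requests(records, normal_params)
    foreign = set().union(*(r["params"] - normal_params for r in flagged)) if flagged else set()
    return {
        "total": len(records),
        "flagged": len(flagged),
        "flagged_ips": sorted({r["ip"] for r in flagged}),
        "foreign_params": sorted(foreign),
        "hot_seconds": [t.isoformat() for t in overloaded_seconds(records, rate_limit)],
    }


if __name__ == "__main__":
    # rate_limit=5 so the eight-line sample trips the check; use ~100 on a real log.
    for key, value in summarize(SAMPLE_LOG, rate_limit=5).items():
        print(f"{key}: {value}")
```

Run it against a real log with `summarize(open("access.log").read(), rate_limit=100)`; the `flagged_ips` list is what you would feed into per-netblock analysis rather than blocking addresses one at a time, since the crawler spreads its requests across many sources.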
I've recently taken a few steps to deal with the Russian bots creating new accounts.
  1. Banned 114 netblocks. Will give the list & details below.
  2. Registration now rejects anything from PureVoltage ASN 26548.
  3. Registration now checks GetIPIntel.net Proxy / VPN / Bad IP.
Just banning those 114 netblocks reduced the bogus new account creation from one every few minutes to about one every couple hours. Still several are coming in from PureVoltage IP numbers I didn't block, so allowing IP numbers but automatically rejecting registrations from ASN 26548 is helping too. It's too early to tell how effective #3 is (also allows the IP number to access the forum but rejects registration if GetIPIntel says they're a bad actor), but I saw in the log it passed the 1 legitimate new account created this morning and has rejected (but not blocked) the others which were clearly from the Russian bots. Fortunately the rate is now slow enough that I can look carefully at the logs.

XenForo is designed for spammer accounts to be "rejected" but not deleted, so at least for now I'm going to leave this massive number of rejected accounts in place. In theory this is supposed to allow anti-spam measures to use the info collected from rejected accounts. But in practice, these bots are scattering their usage of IP numbers within these blocks, and at least so far the anti-spam measures look for an identical IP number. The bot authors seem to know this and regularly have their access switch to a different IP within the netblock. They usually access the account from a different netblock on each attempt.

They also seem to have a practice of divvying up their netblocks into smaller chunks across different providers. Several of these /22 ranges (a block of 1024 IP addresses) were partly in PureVoltage ASN 26548 and partly in other ASNs. While digging I found many small netblocks within each ASN were registered with these names:
  • Fine Group Servers Solutions
  • TrafficTransitSolution LLC
  • Beyond Tomorrow Ltd
  • Blazing SEO, LLC
  • Sprious LLC
  • Emeigh Investments LLC
  • Ivan Bulavkin
  • Alaxona Internet Inc
Here's the list of recently banned netblocks. This isn't all of the problem, but these are the lion's share of the IP numbers used by these bots over the last few weeks.

Code:
5.181.168.0/22
5.183.252.0/22

23.230.223.0/24

31.40.192.0/23
31.40.195.0/24
31.134.0.0/16

45.10.164.0/22
45.66.208.0/22
45.80.104.0/23
45.88.13.0/24
45.132.184.0/22
45.133.112.0/22
45.135.0.0/22
45.136.24.0/22
45.138.100.0/22
45.140.204.0/22
45.145.128.0/22
45.147.0.0/20
45.147.232.0/22
45.148.124.0/22
45.148.232.0/22
45.159.16.0/21

62.3.0.0/21

64.49.36.0/22

77.81.65.170
77.83.24.0/22
77.220.192.0/22
77.243.88.0/22

83.97.116.0/22
83.142.52.0/22
83.143.104.0/22
83.171.224.0/22

88.218.44.0/22

89.19.34.0/23
89.47.55.0/24
89.116.156.0/22

91.132.124.0/22
91.242.228.0/23

93.177.94.0/23
93.177.116.0/22

94.154.124.0/22

108.165.0.0/16

130.49.8.0/22
130.49.76.0/22
130.49.112.0/22

140.235.0.0/22
140.235.168.0/22

141.98.84.0/23

142.111.0.0/16

146.19.76.0/22
146.19.88.0/22
146.19.140.0/24
146.70.0.0/16

147.78.180.0/22

149.88.16.0/20

154.210.96.0/19

155.212.36.0/22
155.212.108.0/22

161.115.232.0/21

166.0.128.0/17
166.1.131.0/24
166.88.171.0/24
166.88.172.0/24

167.253.16.0/22
167.253.48.0/22

168.91.8.0/21
168.91.32.0/20

170.168.28.0/22
170.168.96.0/22
170.168.172.0/22
170.168.240.0/22
170.199.224.0/21

176.126.111.0/24

178.20.28.0/22
178.20.212.0/22

181.214.80.149

185.61.216.0/21
185.68.185.0/24
185.68.244.0/22
185.77.220.0/22
185.81.144.0/22
185.88.100.0/22
185.89.40.0/22
185.94.32.0/22
185.96.36.0/23
185.101.20.0/23
185.102.112.0/22

193.31.126.0/23
193.42.244.0/22
193.56.20.0/22
193.142.36.0/22
193.142.39.190
193.151.188.0/22
193.163.92.0/24
193.187.92.0/22
193.202.8.0/21
193.202.16.0/24
193.202.80.0/21
193.203.8.0/22
193.233.0.0/16

194.99.24.0/22
194.104.8.0/22
194.110.150.0/24
194.180.232.0/23
194.180.236.0/23

199.96.164.0/22

212.87.216.0/22
212.119.40.0/21

213.108.0.0/21
213.232.120.0/22

216.26.224.0/19
216.41.232.0/22
216.213.24.0/21

217.145.224.0/22
 
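The second post lays out a layered registration policy (ban whole netblocks outright, let ASN 26548 browse but refuse its registrations, then consult a reputation lookup) and notes that exact-IP matching misses bots that hop between addresses inside the same /22. The code below is an added example, not XenForo's or the forum's own code, that implements those checks with Python's standard `ipaddress` module. It embeds a subset of the netblock list from the post in the same one-per-line format, and uses a constructed IP-to-ASN mapping (a documentation range mapped to 26548 purely for illustration) in place of a real ASN database or the GetIPIntel lookup; those are assumptions, not data from the post.

```python
import ipaddress

# Subset of the netblocks listed in the post, same format: CIDR or bare address,
# blank lines ignored. A bare address becomes a /32 (or /128 for IPv6).
BANNED_NETBLOCKS_TEXT = """
5.181.168.0/22
5.183.252.0/22

45.147.0.0/20

77.81.65.170

146.70.0.0/16
"""

REJECTED_ASNS = {26548}  # PureVoltage, as named in the post

# ASSUMPTION: constructed IP-to-ASN mapping for the example only. 198.51.100.0/24 is
# an RFC 5737 documentation range; a real deployment queries an IP-to-ASN database.
_ASSUMED_ASN_MAP = {ipaddress.ip_network("198.51.100.0/24"): 26548}


def load_netblocks(text):
    """Parse a ban list in the post's format into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def matching_block(ip, nets):
    """Return the first banned network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None


def assumed_asn_lookup(ip):
    """Stand-in ASN lookup backed by the constructed map above."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _ASSUMED_ASN_MAP.items():
        if addr.version == net.version and addr in net:
            return asn
    return None


def registration_decision(ip, nets, asn_lookup, rejected_asns=REJECTED_ASNS):
    """Layered policy from the post: 'banned' means no site access at all,
    'rejected' means the address may browse but its registration is refused,
    'allowed' means the registration proceeds to further checks."""
    if matching_block(ip, nets) is not None:
        return "banned"
    if asn_lookup(ip) in rejected_asns:
        return "rejected"
    return "allowed"


def block_key(ip, v4_prefix=22, v6_prefix=64):
    """Collapse an address to its enclosing /22 (IPv4) or /64 (IPv6), so sightings
    are compared per netblock. /22 matches the block size the post describes."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def seen_before_exact(ip, prior_ips):
    """Exact-address match: what the post says the built-in anti-spam relies on."""
    return ipaddress.ip_address(ip) in {ipaddress.ip_address(p) for p in prior_ips}


def seen_before_by_block(ip, prior_ips):
    """Netblock match: catches a bot that moved to a neighbouring address."""
    return block_key(ip) in {block_key(p) for p in prior_ips}


if __name__ == "__main__":
    nets = load_netblocks(BANNED_NETBLOCKS_TEXT)
    for ip in ("5.181.169.77", "198.51.100.42", "203.0.113.5"):
        print(ip, registration_decision(ip, nets, assumed_asn_lookup))
    prior = ["5.181.168.10", "5.181.170.200"]  # earlier rejected registrations
    print("exact:", seen_before_exact("5.181.171.3", prior),
          "by block:", seen_before_by_block("5.181.171.3", prior))
```

The last two functions make the post's point concrete: with two prior rejected registrations from 5.181.168.10 and 5.181.170.200, a new attempt from 5.181.171.3 is unseen under exact matching but caught under /22 matching. The /22 granularity is a tuning choice; it suits the blocks in this list but will over-match on providers that hand out individual addresses from large shared ranges.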