<70n0vi13000bi6v7cgksmn2a2j5dccr5lh@4ax.com>


Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: legg <legg@nospam.magma.ca>
Newsgroups: sci.electronics.design
Subject: Re: Chinese downloads overloading my website
Date: Tue, 12 Mar 2024 09:50:50 -0400
Organization: A noiseless patient Spider
Lines: 75
Message-ID: <70n0vi13000bi6v7cgksmn2a2j5dccr5lh@4ax.com>
References: <7qujui58fjds1isls4ohpcnp5d7dt20ggk@4ax.com> <6lekuihu1heui4th3ogtnqk9ph8msobmj3@4ax.com> <usec35$130bu$1@solani.org> <u14quid1e74r81n0ajol0quthaumsd65md@4ax.com> <usjiog$15kaq$1@solani.org> <t7rrui5ohh07vlvn5vnl277eec6bmvo4p9@4ax.com> <usm6v6$17e2c$1@solani.org> <usm96m$3fkqg$1@dont-email.me> <usmkb9$17l2r$1@solani.org> <du5uuih5e5d4ugd7ru8oo0gb6ppenjrtdd@4ax.com> <usn5j7$3lod7$1@dont-email.me> <kmduuilbvdjssqjda1i21d9b08vrk4t86j@4ax.com> <usp7vj$7dna$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Info: dont-email.me; posting-host="ac816da389ab38876de990b7a08afd3f";
	logging-data="348411"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1/cS2t/FTn6VTsBpKb9/u1F"
Cancel-Lock: sha1:pVB3tXSV6x2H+OB/j9xa96HxXAI=
X-Newsreader: Forte Agent 4.2/32.1118
Bytes: 4309

On Tue, 12 Mar 2024 09:41:00 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:

>On 11/03/2024 16:57, legg wrote:
>> On Mon, 11 Mar 2024 07:48:04 -0700, Don Y
>> <blockedofcourse@foo.invalid> wrote:
>> 
>>> On 3/11/2024 7:40 AM, legg wrote:
>>>> Blocking a single IP hasn't worked for my ISP.
>>>
>>> It won't.  Even novice users can move to a different IP using readily
>>> available mechanisms.
>>>
>>> Whitelisting can work (which is the approach that I use) but
>>> it assumes you know who you *want* to access your site.
>>>
>>> (It's a lot harder to guess a permitted IP than it is to avoid
>>> an obviously BLOCKED one!)
>>>
>>>> Each identical 17G download block (262 visits) was by a new IP
>>>> in a completely different location/region.
>>>>
>>>> Beijing, Harbin, Henan, a mobile and a fifth, so far untraced
>>>> due to suspension of my site.
>>>
>>> There's a reason things like "captcha" exist.
>>>
>>> Note that this still doesn't prevent the *page(s)* from being repeatedly
>>> accessed.  But, presumably, their size is considerably smaller than
>>> that of the payloads you want to protect.
>>>
>>> OTOH, if someone wants to shut down your account due to an exceeded
>>> quota, they can keep reloading those pages until they've eaten up your
>>> traffic quota.  And, "they" can be an automated process!
>>>
>>> [Operating a server in stealth mode can avoid this.  But, then
>>> you're not "open to the public"!  :> ]
>> 
>> Doing some simple experiments by temporarily renaming/replacing
>> some of the larger files being targeted, just to see how the bot
>> reacts to the new environment. If they find renamed files it
>> means something. If visits to get the same 17G alter it means
>> something else.
>> 
>> This all at the expense and patience of my ISP. Thumbs up there.
>
>Why don't you block entire blocks of Chinese IP addresses that contain 
>the ones that have attacked you until the problem ceases?
>eg. add a few banned IP destinations to your .htaccess file
>
>https://htaccessbook.com/block-ip-address/
>
>1.80.*.* thru 1.95.*.*
>101.16.*.* thru 101.16.*.*
>101.144.*.* thru 101.159.*.*
>
>If you block just a few big chunks it should make some difference.
>You might have to inflict a bit of collateral damage in the 101.* range.
>
>Otherwise you are stuck with adding some Captcha type thing to prevent 
>malicious bots hammering your site. I'm a bit surprised that your ISP 
>doesn't offer or have site wide countermeasures for such DOS attacks.

My ISP has blocked all China IP addresses from accessing the 
site.

Maybe that's what the bots want; who knows?

Haven't had access to the site to find out what the practical result 
was, yet, or what the final probing looked like. Whatever it was, it 
didn't result in another 17G block download, before the automated 
account suspension reasserted itself, which was the last case 
examined. (went 14G overlimit for full 17G load). 

RL
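
Added example, not part of the original post or thread: a short Python script that turns the wildcard ranges quoted above into CIDR networks and renders them as an Apache 2.4 `.htaccess` deny block. The function names and the choice of the `Require not ip` form are assumptions of this example; the ranges are the three listed in the quoted reply.

```python
import ipaddress
import re

# Ranges exactly as written in the quoted reply above.
RANGES = [
    "1.80.*.* thru 1.95.*.*",
    "101.16.*.* thru 101.16.*.*",
    "101.144.*.* thru 101.159.*.*",
]

_RANGE_RE = re.compile(r"^\s*(\S+)\s+thru\s+(\S+)\s*$")


def _bound(pattern, fill):
    """Turn a dotted pattern with '*' octets into a concrete address."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {pattern!r}")
    return ipaddress.IPv4Address(".".join(fill if o == "*" else o for o in octets))


def range_to_cidrs(text):
    """'A.B.*.* thru C.D.*.*' -> minimal list of covering CIDR networks."""
    m = _RANGE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised range: {text!r}")
    first = _bound(m.group(1), "0")     # lowest address in the range
    last = _bound(m.group(2), "255")    # highest address in the range
    if first > last:
        raise ValueError(f"range runs backwards: {text!r}")
    return list(ipaddress.summarize_address_range(first, last))


def htaccess_block(ranges):
    """Render an Apache 2.4 block that admits everyone except the ranges."""
    lines = ["<RequireAll>", "    Require all granted"]
    for r in ranges:
        for net in range_to_cidrs(r):
            lines.append(f"    Require not ip {net}")
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(htaccess_block(RANGES))
```

A range that does not fall on a power-of-two boundary comes out as several CIDR lines rather than one, which makes the amount of collateral address space being blocked visible before the file is deployed.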