jws2bay
asked on
Bot is getting around filters and honey pot
Our site was attacked by a bot last night. The bot found our 'Contact Request" page and the attack started. Tons of emails started hitting the mail boxes in sales. I have been using a honey pot and input filters up to now, but this is not enough.
I am working with mySQL/php. The disabled page is https://www.glassdivider.com/W3-Contact_us.php
Looking at the emails I can see what the bot has been trying. I don't understand how the bot is setting up the inputs. I'm seeing all characters in fields I restrict the inputs. Like the zip code field is restricted to numbers only, but the bot is putting everything into the field. I am check the field content on "onKeyUp" and "onKeyDown" which means the bot must not fill in the form. The bot must be assigning the fields a value and then submitting it.
I need some help understanding what's happening, and how to prevent this problem.
I am working with mySQL/php. The disabled page is https://www.glassdivider.com/W3-Contact_us.php
Looking at the emails I can see what the bot has been trying. I don't understand how the bot is setting up the inputs. I'm seeing all characters in fields I restrict the inputs. Like the zip code field is restricted to numbers only, but the bot is putting everything into the field. I am check the field content on "onKeyUp" and "onKeyDown" which means the bot must not fill in the form. The bot must be assigning the fields a value and then submitting it.
I need some help understanding what's happening, and how to prevent this problem.
How to prevent it ... ?
1. As David says, force a CAPTCHA and set the reliability level high. This will not stop all attacks (there are people on Amazon Mechanical Turk who do CAPTCHAs all day for $0.01 apiece) but it will help enormously.
2. Do some validation back at the server. When an obviously invalid input is seen, don't just log it. Lock out that IP address for a day.
3. Don't serve places that you don't serve. If your business is not world-wide, don't serve areas you don't target. If your business is North American, use iptables to eliminate all country codes except CA and US. Completely block all IPv4 allocations for APNIC and LACNIC; this alone cuts attacks by three-quarters. If you don't do business overseas at all, lockout all RIPE allocations too.
4. Don't serve places that you don't serve, part 2: Block all IPv4 assignments belonging to server farms and in particular, Godaddy, Google, Azure and Amazon. You would not believe the number of /16 blocks that Amazon uses for "cloud servers" and every one of them is 65,536 addresses waiting to spam you (see below.) This requires some manual lookup but the results are worth it.
The objection will be made "But this will lock out some VPNs and other legitimate users." Indeed. You must decide whether the tradeoff is worth it, but I/M/O very few legitimate users should be emanating from server blocks.
Finally: Now that a bot has found a point of entry, expect the problem to persist a while. Your domain name and that URL have been sold into the dark web and you can expect to see the problem continue and possibly get worse. Change the URL of your contact page immediately, update the links on your site to reflect the new URL, and continue changing it weekly.
1. As David says, force a CAPTCHA and set the reliability level high. This will not stop all attacks (there are people on Amazon Mechanical Turk who do CAPTCHAs all day for $0.01 apiece) but it will help enormously.
2. Do some validation back at the server. When an obviously invalid input is seen, don't just log it. Lock out that IP address for a day.
3. Don't serve places that you don't serve. If your business is not world-wide, don't serve areas you don't target. If your business is North American, use iptables to eliminate all country codes except CA and US. Completely block all IPv4 allocations for APNIC and LACNIC; this alone cuts attacks by three-quarters. If you don't do business overseas at all, lockout all RIPE allocations too.
4. Don't serve places that you don't serve, part 2: Block all IPv4 assignments belonging to server farms and in particular, Godaddy, Google, Azure and Amazon. You would not believe the number of /16 blocks that Amazon uses for "cloud servers" and every one of them is 65,536 addresses waiting to spam you (see below.) This requires some manual lookup but the results are worth it.
The objection will be made "But this will lock out some VPNs and other legitimate users." Indeed. You must decide whether the tradeoff is worth it, but I/M/O very few legitimate users should be emanating from server blocks.
Finally: Now that a bot has found a point of entry, expect the problem to persist a while. Your domain name and that URL have been sold into the dark web and you can expect to see the problem continue and possibly get worse. Change the URL of your contact page immediately, update the links on your site to reflect the new URL, and continue changing it weekly.
# ========================= AMAZON LOCKOUTS BEGIN =========================
# ==== 3.8, 3.9, 3.10, 3.11
$iptloc -t filter -A $chname -s 3.8.0.0/14 -p tcp -j REJECT
# ==== 3.13
$iptloc -t filter -A $chname -s 3.13.0.0/16 -p tcp -j REJECT
# ==== 3.14, 3.15
$iptloc -t filter -A $chname -s 3.14.0.0/15 -p tcp -j REJECT
# ==== 3.16, 3.17, 3.18, 3.19
$iptloc -t filter -A $chname -s 3.16.0.0/14 -p tcp -j REJECT
# ==== 3.80, 3.81, 3.82, 3.83, 3.84, 3.85, 3.86, 3.87
# ==== 3.88, 3.89, 3.90, 3.91, 3.92, 3.93, 3.94, 3.95
$iptloc -t filter -A $chname -s 3.80.0.0/12 -p tcp -j REJECT
# ==== 3.120, 3.121, 3.122, 3.123
$iptloc -t filter -A $chname -s 3.120.0.0/14 -p tcp -j REJECT
# ==== 3.208, 3.209, 3.210, 3.211, 3.212, 3.213, 3.214, 3.215
# ==== 3.216, 3.217, 3.218, 3.219, 3.220, 3.221, 3.222, 3.223
$iptloc -t filter -A $chname -s 3.208.0.0/12 -p tcp -j REJECT
# ==== 3.227
$iptloc -t filter -A $chname -s 3.227.0.0/16 -p tcp -j REJECT
# ==== 13.52
$iptloc -t filter -A $chname -s 13.52.0.0/16 -p tcp -j REJECT
# ==== 13.56, 13.57, 13.58, 13.59 ====
$iptloc -t filter -A $chname -s 13.56.0.0/14 -p tcp -j REJECT
# ==== 13.124 ====
$iptloc -t filter -A $chname -s 13.124.0.0/16 -p tcp -j REJECT
# ==== 18.130
$iptloc -t filter -A $chname -s 18.130.0.0/16 -p tcp -j REJECT
# ==== 18.144
$iptloc -t filter -A $chname -s 18.144.0.0/16 -p tcp -j REJECT
# ==== 18.184, 18.185
$iptloc -t filter -A $chname -s 18.184.0.0/15 -p tcp -j REJECT
# ==== 18.188
$iptloc -t filter -A $chname -s 18.188.0.0/16 -p tcp -j REJECT
# ==== 18.191
$iptloc -t filter -A $chname -s 18.191.0.0/16 -p tcp -j REJECT
# ==== 18.194, 18.195 ====
$iptloc -t filter -A $chname -s 18.194.0.0/15 -p tcp -j REJECT
# ==== 18.196, 18.197 ====
$iptloc -t filter -A $chname -s 18.196.0.0/15 -p tcp -j REJECT
# ==== 18.204
$iptloc -t filter -A $chname -s 18.204.0.0/16 -p tcp -j REJECT
# ==== 18.206, 18.207
$iptloc -t filter -A $chname -s 18.206.0.0/15 -p tcp -j REJECT
# ==== 18.208, 18.209
$iptloc -t filter -A $chname -s 18.208.0.0/15 -p tcp -j REJECT
# ==== 18.210
$iptloc -t filter -A $chname -s 18.210.0.0/16 -p tcp -j REJECT
# ==== 18.212 - 18.213
$iptloc -t filter -A $chname -s 18.212.0.0/15 -p tcp -j REJECT
# ==== 18.215
$iptloc -t filter -A $chname -s 18.215.0.0/16 -p tcp -j REJECT
# ==== 18.217
$iptloc -t filter -A $chname -s 18.217.0.0/16 -p tcp -j REJECT
# ==== 18.218, 18.219 ====
$iptloc -t filter -A $chname -s 18.218.0.0/15 -p tcp -j REJECT
# ==== 18.220, 18.221, 18.222, 18.223 ====
$iptloc -t filter -A $chname -s 18.220.0.0/14 -p tcp -j REJECT
# ==== 18.224, 18.225
$iptloc -t filter -A $chname -s 18.224.0.0/15 -p tcp -j REJECT
# ==== 18.232, 18.233
$iptloc -t filter -A $chname -s 18.232.0.0/15 -p tcp -j REJECT
# ==== 18.235
$iptloc -t filter -A $chname -s 18.235.0.0/16 -p tcp -j REJECT
# ==== 18.236, 18.237
$iptloc -t filter -A $chname -s 18.236.0.0/15 -p tcp -j REJECT
# ==== 23.20, 23.21 ====
$iptloc -t filter -A $chname -s 23.20.0.0/15 -p tcp -j REJECT
# ==== 23.22 ====
# ==== 23.23 ====
$iptloc -t filter -A $chname -s 23.23.0.0/16 -p tcp -j REJECT
# ==== 34.192 ====
$iptloc -t filter -A $chname -s 34.192.0.0/16 -p tcp -j REJECT
# ==== 34.193 ====
# ==== 34.194, 34.195
$iptloc -t filter -A $chname -s 34.194.0.0/15 -p tcp -j REJECT
# ==== 34.196
# ==== 34.197
# ==== 34.198
$iptloc -t filter -A $chname -s 34.198.0.0/16 -p tcp -j REJECT
# ==== 34.199
# ==== 34.200, 34.201 ====
$iptloc -t filter -A $chname -s 34.200.0.0/15 -p tcp -j REJECT
# ==== 34.202
# ==== 34.203
$iptloc -t filter -A $chname -s 34.203.0.0/16 -p tcp -j REJECT
# ==== 34.204, 34.205 ====
$iptloc -t filter -A $chname -s 34.204.0.0/15 -p tcp -j REJECT
# ==== 34.206
# ==== 34.207 ====
$iptloc -t filter -A $chname -s 34.207.0.0/16 -p tcp -j REJECT
# ==== 34.208 - 34.223
$iptloc -t filter -A $chname -s 34.208.0.0/12 -p tcp -j REJECT
# ==== 34.224 ====
$iptloc -t filter -A $chname -s 34.224.0.0/16 -p tcp -j REJECT
# ==== 34.225 ====
# ==== 34.226, 34.227 ====
$iptloc -t filter -A $chname -s 34.226.0.0/15 -p tcp -j REJECT
# ==== 34.228, 34.229, 34.230, 34.231 ====
$iptloc -t filter -A $chname -s 34.228.0.0/14 -p tcp -j REJECT
# ==== 34.232 ====
$iptloc -t filter -A $chname -s 34.232.0.0/16 -p tcp -j REJECT
# ==== 34.233 ====
# ==== 34.234, 34.235 ====
$iptloc -t filter -A $chname -s 34.234.0.0/15 -p tcp -j REJECT
# ==== 34.236 ====
$iptloc -t filter -A $chname -s 34.236.0.0/16 -p tcp -j REJECT
# ==== 34.237 ===-
# ==== 34.238, 34.239 ====
$iptloc -t filter -A $chname -s 34.238.0.0/15 -p tcp -j REJECT
# ==== 34.240, 34.241 ====
$iptloc -t filter -A $chname -s 34.240.0.0/15 -p tcp -j REJECT
# ==== 34.242, 34.243 ====
$iptloc -t filter -A $chname -s 34.242.0.0/15 -p tcp -j REJECT
# ==== 34.244, 34.245 ====
$iptloc -t filter -A $chname -s 34.244.0.0/15 -p tcp -j REJECT
# ==== 34.246 ====
# ==== 34.247 ====
$iptloc -t filter -A $chname -s 34.247.0.0/16 -p tcp -j REJECT
# ==== 34.248, 34.249 ====
$iptloc -t filter -A $chname -s 34.248.0.0/15 -p tcp -j REJECT
# ==== 34.249 ====
# ==== 34.250, 34.251 ====
$iptloc -t filter -A $chname -s 34.250.0.0/15 -p tcp -j REJECT
# ==== 34.252, 34.253 ====
$iptloc -t filter -A $chname -s 34.252.0.0/15 -p tcp -j REJECT
# ==== 34.254 ====
# ==== 34.255 ====
# ==== 35.153 ====
$iptloc -t filter -A $chname -s 35.153.0.0/16 -p tcp -j REJECT
# ==== 35.156, 35.157, 35.158, 35.159 ====
$iptloc -t filter -A $chname -s 35.156.0.0/14 -p tcp -j REJECT
# ==== 35.160 ====
$iptloc -t filter -A $chname -s 35.160.0.0/16 -p tcp -j REJECT
# ==== 35.161 ====
$iptloc -t filter -A $chname -s 35.161.192.0/18 -p tcp -j REJECT
# ==== 35.162, 35.163 ====
$iptloc -t filter -A $chname -s 35.162.0.0/15 -p tcp -j REJECT
# ==== 35.164, 35.165, 35.166, 35.167 ====
$iptloc -t filter -A $chname -s 35.164.0.0/14 -p tcp -j REJECT
# ==== 35.168, 35.169, 35.170, 35.171, 35.172, 35.173
# 35.174, 35.175
$iptloc -t filter -A $chname -s 35.168.0.0/13 -p tcp -j REJECT
# ==== 35.176, 35.177, 35.178, 35.179 ====
$iptloc -t filter -A $chname -s 35.176.0.0/14 -p tcp -j REJECT
# ==== 35.180
$iptloc -t filter -A $chname -s 35.180.0.0/16 -p tcp -j REJECT
# ==== 46.51.128 - 46.51.191 ====
# $iptloc -t filter -A $chname -s 46.51.128.0/18 -p tcp -j REJECT
# ==== 46.137.0 - 46.137.127 ====
$iptloc -t filter -A $chname -s 46.137.0.0/17 -p tcp -j REJECT
# ==== 50.16 - 50.17 ====
$iptloc -t filter -A $chname -s 50.16.0.0/15 -p tcp -j REJECT
# ==== 50.18 ====
$iptloc -t filter -A $chname -s 50.18.0.0/16 -p tcp -j REJECT
# ==== 50.19 ====
$iptloc -t filter -A $chname -s 50.19.0.0/16 -p tcp -j REJECT
# ==== 50.112 ====
$iptloc -t filter -A $chname -s 50.112.0.0/16 -p tcp -j REJECT
# ==== 52.0 - 52.63 ====
# ==== 52.0, 52.1, 52.2, 52.3
$iptloc -t filter -A $chname -s 52.0.0.0/14 -p tcp -j REJECT
# ==== 52.4, 52.5 ====
$iptloc -t filter -A $chname -s 52.4.0.0/15 -p tcp -j REJECT
# ==== 52.6 ====
# ==== 52.7 ====
# ==== 52.8 ====
$iptloc -t filter -A $chname -s 52.8.0.0/16 -p tcp -j REJECT
# ==== 52.9 ====
# ==== 52.10, 52.11 ====
$iptloc -t filter -A $chname -s 52.10.0.0/15 -p tcp -j REJECT
# ==== 52.12, 52.13, 52.14, 52.15 ====
$iptloc -t filter -A $chname -s 52.12.0.0/14 -p tcp -j REJECT
# ==== 52.16 ====
$iptloc -t filter -A $chname -s 52.16.0.0/16 -p tcp -j REJECT
# ==== 52.18, 52.19 ====
$iptloc -t filter -A $chname -s 52.18.0.0/15 -p tcp -j REJECT
# ==== 52.22, 52.23
$iptloc -t filter -A $chname -s 52.22.0.0/15 -p tcp -j REJECT
# ==== 52.24, 52.25, 52.26, 52.27 ====
$iptloc -t filter -A $chname -s 52.24.0.0/14 -p tcp -j REJECT
# ==== 52.28 ====
# ==== 52.29 ====
$iptloc -t filter -A $chname -s 52.29.0.0/16 -p tcp -j REJECT
# ==== 52.30, 52.31 ====
$iptloc -t filter -A $chname -s 52.30.0.0/15 -p tcp -j REJECT
# ==== 52.32 - 52.39 ====
$iptloc -t filter -A $chname -s 52.32.0.0/13 -p tcp -j REJECT
# ==== 52.40, 52.41, 52.42, 52.43 ====
$iptloc -t filter -A $chname -s 52.40.0.0/14 -p tcp -j REJECT
# ==== 52.44 ====
# ==== 52.45 ====
# ==== 52.46 ====
# ==== 52.47 ====
# ==== 52.48, 52.49, 52.50, 52.51 ====
$iptloc -t filter -A $chname -s 52.48.0.0/14 -p tcp -j REJECT
# ==== 52.52, 52.53
$iptloc -t filter -A $chname -s 52.53.0.0/15 -p tcp -j REJECT
# ==== 52.54 ====
# ==== 52.55 ====
$iptloc -t filter -A $chname -s 52.55.0.0/16 -p tcp -j REJECT
# ==== 52.56 - 52.57 - 52.58 - 52.59 ====
$iptloc -t filter -A $chname -s 52.56.0.0/14 -p tcp -j REJECT
# ==== 52.70 - 52.71 ====
$iptloc -t filter -A $chname -s 52.70.0.0/15 -p tcp -j REJECT
# ==== 52.72 - 52.73 ====
$iptloc -t filter -A $chname -s 52.72.0.0/15 -p tcp -j REJECT
# ==== 52.84 ====
# ==== 52.85 ====
# ==== 52.86, 52.87 ====
$iptloc -t filter -A $chname -s 52.86.0.0/15 -p tcp -j REJECT
# ==== 52.88, 52.89 ====
$iptloc -t filter -A $chname -s 52.88.0.0/15 -p tcp -j REJECT
# ==== 52.89 ====
# ==== 52.90 - 52.91 ====
$iptloc -t filter -A $chname -s 52.90.0.0/15 -p tcp -j REJECT
# ==== 52.92 ====
# ==== 52.93 ====
# ==== 52.94 ====
# ==== 52.95 ====
# ==== 52.192 - 52.223 ====
$iptloc -t filter -A $chname -s 52.192.0.0/11 -p tcp -j REJECT
# ==== 54.64 ====
# ==== 54.65 ====
# ==== 54.66 ====
# ==== 54.67 ====
$iptloc -t filter -A $chname -s 54.67.0.0/16 -p tcp -j REJECT
# ==== 54.68, 54.69 ====
$iptloc -t filter -A $chname -s 54.68.0.0/15 -p tcp -j REJECT
# ==== 54.69 ====
# ==== 54.70, 54.71 ====
$iptloc -t filter -A $chname -s 54.70.0.0/15 -p tcp -j REJECT
# ==== 54.72 ====
$iptloc -t filter -A $chname -s 54.72.0.0/16 -p tcp -j REJECT
# ==== 54.73 ====
# ==== 54.74 ====
# ==== 54.75 ====
# ==== 54.76 - 54.77 ====
$iptloc -t filter -A $chname -s 54.76.0.0/15 -p tcp -j REJECT
# ==== 54.78 ====
# ==== 54.79 ====
$iptloc -t filter -A $chname -s 54.79.0.0/16 -p tcp -j REJECT
# ==== 54.80, 54.81 ====
$iptloc -t filter -A $chname -s 54.80.0.0/15 -p tcp -j REJECT
# ==== 54.82, 54.83 ====
$iptloc -t filter -A $chname -s 54.82.0.0/15 -p tcp -j REJECT
# ==== 54.84 ====
$iptloc -t filter -A $chname -s 54.84.0.0/16 -p tcp -j REJECT
# ==== 54.85 ====
# ==== 54.86 - 54.87 ====
$iptloc -t filter -A $chname -s 54.86.0.0/15 -p tcp -j REJECT
# ==== 54.88, 54.89 ====
$iptloc -t filter -A $chname -s 54.88.0.0/15 -p tcp -j REJECT
# ==== 54.90, 54.91 ====
$iptloc -t filter -A $chname -s 54.90.0.0/15 -p tcp -j REJECT
# ==== 54.92, 54.93 ====
$iptloc -t filter -A $chname -s 54.92.0.0/15 -p tcp -j REJECT
# ==== 54.94 ====
# ==== 54.95 ====
# ==== 54.144 ====
$iptloc -t filter -A $chname -s 54.144.0.0/16 -p tcp -j REJECT
# ==== 54.145 ====
$iptloc -t filter -A $chname -s 54.145.0.0/16 -p tcp -j REJECT
# ==== 54.146, 54.147 ====
$iptloc -t filter -A $chname -s 54.146.0.0/15 -p tcp -j REJECT
# ==== 54.148, 54.149 ====
$iptloc -t filter -A $chname -s 54.148.0.0/15 -p tcp -j REJECT
# ==== 54.150 ====
# ==== 54.151 ====
$iptloc -t filter -A $chname -s 54.151.0.0/16 -p tcp -j REJECT
# ==== 54.152, 54.153 ====
$iptloc -t filter -A $chname -s 54.152.0.0/15 -p tcp -j REJECT
# ==== 54.154 ====
$iptloc -t filter -A $chname -s 54.154.0.0/16 -p tcp -j REJECT
# ==== 54.155 ====
# ==== 54.156, 54.157, 54.158, 54.159 ====
$iptloc -t filter -A $chname -s 54.156.0.0/14 -p tcp -j REJECT
# ==== 54.160 ====
# ==== 54.161 ====
$iptloc -t filter -A $chname -s 54.161.0.0/16 -p tcp -j REJECT
# ==== 54.162, 54.163 ====
$iptloc -t filter -A $chname -s 54.162.0.0/15 -p tcp -j REJECT
# ==== 54.164, 54.165, 54.166, 54.167 ====
$iptloc -t filter -A $chname -s 54.164.0.0/14 -p tcp -j REJECT
# ==== 54.168 ====
# ==== 54.169 ====
$iptloc -t filter -A $chname -s 54.169.0.0/16 -p tcp -j REJECT
# ==== 54.170 ====
# ==== 54.171 ====
$iptloc -t filter -A $chname -s 54.171.0.0/16 -p tcp -j REJECT
# ==== 54.172 - 54.175 ====
$iptloc -t filter -A $chname -s 54.172.0.0/14 -p tcp -j REJECT
# ==== 54.176 - 54.177 ====
$iptloc -t filter -A $chname -s 54.176.0.0/15 -p tcp -j REJECT
# ==== 54.179
$iptloc -t filter -A $chname -s 54.179.0.0/16 -p tcp -j REJECT
# ==== 54.183 ==
$iptloc -t filter -A $chname -s 54.183.0.0/16 -p tcp -j REJECT
# ==== 54.184, 54.185 ====
$iptloc -t filter -A $chname -s 54.184.0.0/15 -p tcp -j REJECT
# ==== 54.186, 54.187 ====
$iptloc -t filter -A $chname -s 54.186.0.0/15 -p tcp -j REJECT
# ==== 54.188, 54.189, 54.190, 54.191 ====
$iptloc -t filter -A $chname -s 54.188.0.0/14 -p tcp -j REJECT
# ==== 54.192 ====
# ==== 54.193 ====
$iptloc -t filter -A $chname -s 54.193.0.0/16 -p tcp -j REJECT
# ==== 54.194 ====
# ==== 54.195 ====
# ==== 54.196 - 54.197 ====
$iptloc -t filter -A $chname -s 54.196.0.0/15 -p tcp -j REJECT
# ==== 54.198 ====
$iptloc -t filter -A $chname -s 54.198.0.0/16 -p tcp -j REJECT
# ==== 54.200, 54.201 ====
$iptloc -t filter -A $chname -s 54.200.0.0/15 -p tcp -j REJECT
# ==== 54.202, 54.203 ====
$iptloc -t filter -A $chname -s 54.202.0.0/15 -p tcp -j REJECT
# ==== 54.203 ====
# ==== 54.204, 54.205 ====
$iptloc -t filter -A $chname -s 54.204.0.0/15 -p tcp -j REJECT
# ==== 54.208, 54.209, 54.210, 54.211 ...
# ==== 54.212, 54.213, 54.214, 54.215 ====
$iptloc -t filter -A $chname -s 54.208.0.0/13 -p tcp -j REJECT
# ==== 54.216 ====
# ==== 54.217 ====
# ==== 54.218, 54.219 ====
$iptloc -t filter -A $chname -s 54.218.0.0/15 -p tcp -j REJECT
# ==== 54.221 ====
$iptloc -t filter -A $chname -s 54.221.0.0/16 -p tcp -j REJECT
# ==== 54.224, 54.225, 54.226, 54.227 ====
$iptloc -t filter -A $chname -s 54.224.0.0/14 -p tcp -j REJECT
# ==== 54.229 ====
$iptloc -t filter -A $chname -s 54.229.0.0/16 -p tcp -j REJECT
# ==== 54.234, 54.235 ====
$iptloc -t filter -A $chname -s 54.234.0.0/15 -p tcp -j REJECT
# ==== 54.236, 54.237 ====
$iptloc -t filter -A $chname -s 54.236.0.0/15 -p tcp -j REJECT
# ==== 54.240, 54.241, 54.242, 54.243, 54.244, 54.245, 54.246, 54.247,
# 54.248, 54.249, 54.250, 54.251, 54.252, 54.253, 54.254, 54.255 ====
$iptloc -t filter -A $chname -s 54.240.0.0/12 -p tcp -j REJECT
# ==== 63.32, 63.33, 63.34, 63.35
$iptloc -t filter -A $chname -s 63.32.0.0/14 -p tcp -j REJECT
# ==== 67.202.0 - 67.202.63 ====
# $iptloc -t filter -A $chname -s 67.202.0.0/18 -p tcp -j REJECT
# ==== 72.21.192 - 72.21.223 hosting ====
# $iptloc -t filter -A $chname -s 72.21.192.0/19 -p tcp -j REJECT
# ==== 72.44.32 - 72.44.63 ====
# $iptloc -t filter -A $chname -s 72.44.32.0/19 -p tcp -j REJECT
# ==== 75.101.128 - 75.101.255 ====
$iptloc -t filter -A $chname -s 75.101.128.0/17 -p tcp -j REJECT
# ==== 79.125.0 - 79.125.127 ====
# $iptloc -t filter -A $chname -s 79.125.0.0/17 -p tcp -j REJECT
# ==== 100.24 - 100.31
# ==== 100.24, 100.25
$iptloc -t filter -A $chname -s 100.24.0.0/15 -p tcp -j REJECT
# 100.26 - 100.27
$iptloc -t filter -A $chname -s 100.26.0.0/15 -p tcp -j REJECT
# ==== 107.20, 107.21, 107.22, 107.23 ====
$iptloc -t filter -A $chname -s 107.20.0.0/14 -p tcp -j REJECT
# ==== 174.129 ====
$iptloc -t filter -A $chname -s 174.129.0.0/16 -p tcp -j REJECT
# ==== 175.41.128 - 175.41.255 ====
# $iptloc -t filter -A $chname -s 175.41.128.0/17 -p tcp -j REJECT
# ==== 184.72, 184.73 ====
$iptloc -t filter -A $chname -s 184.72.0.0/15 -p tcp -j REJECT
# ==== 204.236.128 - 204.236.255 ====
$iptloc -t filter -A $chname -s 204.236.128.0/17 -p tcp -j REJECT
# ==== 216.182.224 - 216.182.231 ====
$iptloc -t filter -A $chname -s 216.182.224.0/21 -p tcp -j REJECT
# =================== AMAZON RULES END =========================ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
When you say the honey pot didn't work, do you mean the hidden form fields were left blank? I have been surprised how well that has worked for my own sites. Remember, you don't have to hide a field with <input name="test" type="hidden">. You can hide it with javascript and/or css. If the field has data, don't process the form serverside.
The next step I would take is the math problem that gr8gonzo detailed. I have had good success doing something like that myself and then no need for recaptcha.
The next step I would take is the math problem that gr8gonzo detailed. I have had good success doing something like that myself and then no need for recaptcha.
I'll add one more note that I should have explained - in my sample code, I had a sleep(1) to basically delay the response to the request. Any amount of sleep() will incur a small risk, and the higher the number, the bigger the risk.
Let's say your web server supports 100 concurrent connections. While a PHP script is running, it is taking up one of those connections. The sleep() is a delay within the PHP script, so it intentionally makes the PHP script run longer. This -can- be good for the form token methodology where a failure is detected because it's artificially slowing down the spam submissions. However, if the client is simply spamming POSTs without waiting for a response, or is trying to perform a denial-of-service attack, then this delay makes it easier because the web server is holding onto the connection for a longer period of time instead of freeing it up quickly.
So sometimes it can be a good thing to have a mechanism to detect mass submissions from the same IP in a very short period of time and then have a process that records that IP to a file. A separate service with root / admin privileges could see that file and add it to the firewall so that it is blocked before it ever gets to the web server.
A more sophisticated DDOS attack would simply spoof IP addresses and not care about the responses, but that's a separate issue and it's why expensive security hardware devices / firewalls exist.
Let's say your web server supports 100 concurrent connections. While a PHP script is running, it is taking up one of those connections. The sleep() is a delay within the PHP script, so it intentionally makes the PHP script run longer. This -can- be good for the form token methodology where a failure is detected because it's artificially slowing down the spam submissions. However, if the client is simply spamming POSTs without waiting for a response, or is trying to perform a denial-of-service attack, then this delay makes it easier because the web server is holding onto the connection for a longer period of time instead of freeing it up quickly.
So sometimes it can be a good thing to have a mechanism to detect mass submissions from the same IP in a very short period of time and then have a process that records that IP to a file. A separate service with root / admin privileges could see that file and add it to the firewall so that it is blocked before it ever gets to the web server.
A more sophisticated DDOS attack would simply spoof IP addresses and not care about the responses, but that's a separate issue and it's why expensive security hardware devices / firewalls exist.
I am on a mobile phone so i do not have the tools to play around much but it seems your validation is javascript based rather than server side. The bot does not care about client side restrictions.
And additionally, you do need a way to limit bots. Recaptcha is one way which i dislike quite a lot, but there are many other ways to validatd users including asking for simple mathematical operation results or whatever questions a human will answer much more easily than a bot. Or a js based challenge response totally transparent to the user.
And additionally, you do need a way to limit bots. Recaptcha is one way which i dislike quite a lot, but there are many other ways to validatd users including asking for simple mathematical operation results or whatever questions a human will answer much more easily than a bot. Or a js based challenge response totally transparent to the user.
ASKER
Thanks for all of the advice. I took Dr. Klahn advice on changing the URL. Right now I am looking at doing a reCAPTCHA or implementing gr8gonzo math problem.
@gr : sorry for the rephrase. i skipped over quite a few posts when initially answering.
for non targetted attacks, a very simple way is to generate a token in the form and check the token is sent back. the token should change quite often and be valid for a period of time. a simple/messy operation involving the current timestamp comes to mind. use both a minimum and a maximum time frame. bots tend to work fast so they will usually complete the form in less than a second which no human can do.
most bots handle session cookies, but setting one in the form and checking it might help.
smarter bots will be able to download the form but probably not run javascript. a simple challenge with a piece of js adding the response transparently to the POST allows to check that the remote user uses an actual browser while not bothering the users too much.
more complex variants of the above using for example a stored var in the location of an invisible frame are still currently enough to kill the smartest bots around.
example simplistic implementations can be send both the timestamp and the md5 of the timestamp concatenated with a secret string and the remote IP. make sure that is posted back to the server. use js so it is only posted if js works. check the timestamp is in a reasonable time frame. check the md5 validates that timestamp. allow the email. irl, this is good enough to fool the current random crawlers.
for non targetted attacks, a very simple way is to generate a token in the form and check the token is sent back. the token should change quite often and be valid for a period of time. a simple/messy operation involving the current timestamp comes to mind. use both a minimum and a maximum time frame. bots tend to work fast so they will usually complete the form in less than a second which no human can do.
most bots handle session cookies, but setting one in the form and checking it might help.
smarter bots will be able to download the form but probably not run javascript. a simple challenge with a piece of js adding the response transparently to the POST allows to check that the remote user uses an actual browser while not bothering the users too much.
more complex variants of the above using for example a stored var in the location of an invisible frame are still currently enough to kill the smartest bots around.
example simplistic implementations can be send both the timestamp and the md5 of the timestamp concatenated with a secret string and the remote IP. make sure that is posted back to the server. use js so it is only posted if js works. check the timestamp is in a reasonable time frame. check the md5 validates that timestamp. allow the email. irl, this is good enough to fool the current random crawlers.
Tip: You will never be smarter than all Bots/Hackers. Using ReCAPTCHA v3 is the simple/cheap solutions. There are many other approaches. They generally require much time/budget to implement + keep maintained to deal with new attacks approaches.