No matter if it's someone's herd of bots or even paid accounts, attacks like these also bring some effort for the attacker. So there usually is some goal, to get some payoff. As there's no shop with wallets, no data for identity fraud, I don't see a monetary motivation. Even if someone hates all scopers, it's hard to believe he keeps up attacks over such a long time.
Many years ago, some people scanned IPs "close" to an interesting site (e.g. webshops, pr0n), to find a way to access its data by some backdoor.
Is it possible that your site is just part of an "interesting IP-range"?
Do the "knocked ports" show a pattern which addresses a certain type of host?
PlanetZ Forums Update & Bot traffic
-
nebelfuerst
- Posts: 607
- Joined: Tue Jun 23, 2009 10:55 am
Re: PlanetZ Forums Update & Bot traffic
\\\ *** l 0 v e | X I T E *** ///
Re: PlanetZ Forums Update & Bot traffic
There are only 4 IP addresses for all 40 accounts. It's domain specific to the point where it’s only the forums subdomain, not even the root domain.
I also still host some very old gaming forums that have been around just as long if not longer, they do not get any of this traffic. Same forum software so it’s not people trying to hack the forum because of the type of forum etc.
Believe me, it’s been going on long enough that I’ve certainly come to some conclusions and it’s not random.
Re: PlanetZ Forums Update & Bot traffic
Also, you can check the number of people currently listed online, and look at the guests. Some portion of the attacks are establishing a full HTTPS connection (like .01% or less) and you'll see anywhere from 400-1200 listed as online. I reset the logs so it doesn't show in the graph for this year (posted earlier) but in Jan/Feb the previous round of attacks was reaching 6000+ bots and so you'll see "Most users ever online was 9652 on 01 Feb 2025 16:05". That's when I implemented Cloudflare free.
Some are simply doorknocks, some are port tests, some test normal login URLs. And almost all of them come from the same IP ranges in the same datacenters (the pwned XP/Win98 machines in Eastern EU, Russia, Africa etc. are always there and easily spotted in logs due to the randomness they generate, and never bog the server down because they're just doing their little things).
Also, thanks to two helpful donations we have Cloudflare's higher tier incoming, I'll handle that over the weekend. But you should already see the load lessened, and that took banning ranges like (feel free to look up the hosting facilities):
60.28.204.0/24 (60.28.204.0 - 60.28.204.255)
112.0.0.0/10 (112.0.0.0 - 112.63.255.255)
42.80.0.0/15 (42.80.0.0 - 42.81.255.255)
154.8.128.0/17 (154.8.128.0 - 154.8.255.255)
And many many more. And yet that still causes overages on the hosting slot for all of my domains, as mentioned. So I need to attend to that with the paid Cloudflare to keep hosting costs in check for bandwidth, even though the forums are already more responsive with those firewall blocks. In response to your questions, we have effectively documented what mitigating a planned attack on a virtually hosted domain (on my VPS) looks like in the current era.
Oh, I never posted about this at length before because it's probable that the attacker can read this.
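An added example (not from the thread or its participants): one way to check an access log against the ranges quoted in the post above and to surface other /24s that send repeated requests. The log lines, the threshold and the `triage` function name are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Ranges quoted in the post above.
BANNED = [ipaddress.ip_network(n) for n in
          ("60.28.204.0/24", "112.0.0.0/10", "42.80.0.0/15", "154.8.128.0/17")]

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
112.12.5.9 - - [01/Feb/2025:16:05:01 +0000] "GET /login HTTP/1.1" 200 512
112.40.1.77 - - [01/Feb/2025:16:05:02 +0000] "GET /login HTTP/1.1" 200 512
42.81.3.3 - - [01/Feb/2025:16:05:02 +0000] "GET / HTTP/1.1" 200 900
198.51.100.7 - - [01/Feb/2025:16:05:03 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.8 - - [01/Feb/2025:16:05:03 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.9 - - [01/Feb/2025:16:05:04 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.20 - - [01/Feb/2025:16:05:05 +0000] "GET /index HTTP/1.1" 200 700
truncated-line-without-an-address
"""


def triage(log_text, banned=BANNED, threshold=3):
    """Return (hits per banned range, unbanned /24s with >= threshold requests)."""
    banned_hits, unbanned_24 = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split(None, 1)
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: first field is not an address
        match = next((n for n in banned if ip in n), None)
        if match is not None:
            # Traffic that a firewall rule for this range would already drop.
            banned_hits[str(match)] += 1
        elif ip.version == 4:
            # Group the remaining clients by /24 to spot clustered sources.
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            unbanned_24[str(net)] += 1
    candidates = {n: c for n, c in unbanned_24.items() if c >= threshold}
    return dict(banned_hits), candidates


if __name__ == "__main__":
    hits, candidates = triage(SAMPLE_LOG)
    print("already covered:", hits)
    print("review before blocking:", candidates)
```

A /24 in the second result is only a prompt to look up who operates the range; wide blocks such as a /10 also cut off any legitimate visitors inside them.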