PlanetZ Forums Update & Bot traffic

Planet Z Announcements

Moderators: valis, garyb

nebelfuerst
Posts: 611
Joined: Tue Jun 23, 2009 10:55 am

Post by nebelfuerst »

No matter if it's someone's herd of bots or even paid accounts, attacks like these also bring some effort for the attacker. So there usually is some goal, to get some payoff. As there's no shop with wallets, no data for identity fraud, I don't see a monetary motivation. Even if someone hates all scopers, it's hard to believe he keeps up attacks over such a long time.
Many years ago, some people scanned IPs "close" to an interesting site (e.g. webshops, pr0n), to find a way to access its data by some backdoor.
Is it possible that your site is just part of an "interesting IP-range"?
Do the "knocked ports" show a pattern which addresses a certain type of host?
\\\ *** l 0 v e | X I T E *** ///
valis
Posts: 7795
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Post by valis »

There are only 4 IP addresses for all 40 accounts. It's domain-specific to the point where it’s only the forums subdomain, not even the root domain.

I also still host some very old gaming forums that have been around just as long if not longer, they do not get any of this traffic. Same forum software so it’s not people trying to hack the forum because of the type of forum etc.

Believe me, it’s been going on long enough that I’ve certainly come to some conclusions and it’s not random.
valis
Posts: 7795
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Post by valis »

Also, you can check the number of people currently listed online, and look at the guests. Some portion of the attacks are establishing a full https connection (like .01% or less) and you'll see anywhere from 400-1200 listed as online. I reset the logs so it doesn't show in the graph for this year (posted earlier) but in Jan/Feb the previous round of attacks was reaching 6000+ bots and so you'll see "Most users ever online was 9652 on 01 Feb 2025 16:05". That's when I implemented Cloudflare free.

Some are simply doorknocks, some are port tests, some test normal login URLs. And almost all of them come from the same IP ranges in the same datacenters (the pwned XP/Win98 machines in Eastern EU, Russia, Africa etc. are always there and easily spotted in logs due to the randomness they generate, and never bog the server down because they're just doing their little things).

Also, thanks to two helpful donations we have Cloudflare's higher tier incoming, I'll handle that over the weekend. But you should already see the load lessened, and that took banning ranges like (feel free to look up the hosting facilities):

60.28.204.0/24
(60.28.204.0 - 60.28.204.255)

112.0.0.0/10
(112.0.0.0 - 112.63.255.255)

42.80.0.0/15
(42.80.0.0 - 42.81.255.255)

60.28.204.0/24
(60.28.204.0 - 60.28.204.255)

154.8.128.0/17
(154.8.128.0 - 154.8.255.255)

And many, many more. And yet that still causes overages on the hosting slot for all of my domains, as mentioned. So I need to attend to that with the paid Cloudflare to keep hosting costs in check for bandwidth, even though the forums are already more responsive with those firewall blocks.

In response to your questions, we have effectively documented what mitigating a planned attack on a virtually hosted domain (on my VPS) looks like in the current era. Oh, and I never posted about this at length before because it's probable that the attacker can read this.
valis
Posts: 7795
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Post by valis »

Also note we have entered a new era for attacks: https://www.anthropic.com/news/disrupting-AI-espionage
Gordon Gekko
Posts: 1110
Joined: Fri Jan 11, 2002 4:00 pm
Location: paname

Post by Gordon Gekko »

Ah, I smell a bit of marketing in that link
But yeah it becomes easier
May the force be with you valis
I only drink to make YOU more interesting
valis
Posts: 7795
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Post by valis »

And also with you

Also, as I’m familiar with the topic and the link, the issue was that people who are now vibecoding are vibecoding exploits and automating bot attacks. Which means things are going to continue to scale on the cyber security front as AI accelerates everything.

On the flipside, I already experimented with converting the database here to several formats, relevant to machine learning, including a vector database format that worked very well to preserve the threaded nature of the conversation while surfacing correct answers.
valis
Posts: 7795
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Post by valis »

While traffic is overall reduced, bandwidth usage is still a bit high. However, the connections that were not being released have largely been solved (for the moment). Please let me know if the board is unresponsive for you, and I'll implement pre-scanning before the forums are accessed. Right now I'm not doing that because I find it an annoyance.
valis
Posts: 7795
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Post by valis »

Cloudflare outage this morning, I'm glad I didn't do full DNS replacement and use their bot-scanning frontend. I am using paid features but we would have been down this morning anyway due to their outage. Silly internet....
garyb
Moderator
Posts: 23417
Joined: Sun Apr 15, 2001 4:00 pm
Location: ghetto by the sea

Post by garyb »

:x
valis
Posts: 7795
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Post by valis »

Still occasional blips of nonresponsiveness. Feedback from you guys on forum stability?

Waiting to see if I should still move to active protection, but you'll see that Cloudflare page that checks you when you haven't been here in a while.
valis
Posts: 7795
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Post by valis »

Most likely moving to full scanning prior to forums entry, contacting provider now (I didn't enable this even with the paid platform features because it requires help from hosting support and they are...challenging to communicate with after 3 buyouts). Playing whack-a-mole has helped cut down on a lot of the IP addresses inbound, but the new ones that are being spun up are using more bandwidth per 'attempt'; as you can see in the bar graph, traffic spiked considerably this past week.
[Attachments: Screenshot 2025-11-25 180318.png, Screenshot 2025-11-25 180343.png]
Will report back when we have configured everything properly. Please let me know of any service issues.
garyb
Moderator
Posts: 23417
Joined: Sun Apr 15, 2001 4:00 pm
Location: ghetto by the sea

Post by garyb »

wow, why is China such a hater/lover?
nebelfuerst
Posts: 611
Joined: Tue Jun 23, 2009 10:55 am

Post by nebelfuerst »

China is addicted to musical high tech and that's still us!

Are there "normal" users from China? If not, why not block China as a whole?
\\\ *** l 0 v e | X I T E *** ///
valis
Posts: 7795
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Post by valis »

There isn't a single class A range that I can block that will stop this. That's why I have to take out class C's, and then Class B's when enough aggregate in the C range. Consider also that this has been going on since 2014.

Believe me, I wish I knew 'why', although I have said things about China in the comfort of my own home--it would be a bit of a stretch to think that's the reason.
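
The escalation described in the post above (block /24 "class C" ranges, then move up to the enclosing /16 "class B" once enough /24s inside it are offending), sketched as an added example that is not part of the original post or the forum's actual tooling. The function name, both thresholds and the sample addresses (constructed, from private address space) are assumptions; IPv4 only.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: offending client IPs as they might be pulled from an access log.
SAMPLE_IPS = (
    [f"10.20.{c}.{h}" for c in (1, 2, 3, 4) for h in (10, 11, 12)]
    + ["10.30.5.1", "10.30.5.2", "10.30.5.3"]   # one noisy /24 on its own
    + ["10.30.9.77", "10.40.7.1", "10.40.7.2"]  # below threshold, left alone
)

def build_blocklist(client_ips, min_hits_per_24=3, min_24s_per_16=4):
    """Return a sorted, collapsed list of IPv4 networks to block.

    A /24 is blocked once it has min_hits_per_24 offending hits; a /16 is
    blocked instead once min_24s_per_16 of its /24s qualify.
    """
    hits = Counter()
    for ip in client_ips:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            continue  # assumption: IPv6 is handled separately
        hits[ipaddress.ip_network(f"{addr}/24", strict=False)] += 1

    noisy_24s = [net for net, count in hits.items() if count >= min_hits_per_24]

    # Group the qualifying /24s under their enclosing /16.
    by_16 = defaultdict(list)
    for net in noisy_24s:
        by_16[net.supernet(new_prefix=16)].append(net)

    blocks = []
    for parent, children in by_16.items():
        if len(children) >= min_24s_per_16:
            blocks.append(parent)      # enough /24s aggregated: take the /16
        else:
            blocks.extend(children)    # otherwise keep the narrower blocks

    # collapse_addresses drops duplicates and merges adjacent ranges
    # (e.g. x.y.2.0/24 + x.y.3.0/24 -> x.y.2.0/23), keeping the rule count down.
    return sorted(ipaddress.collapse_addresses(blocks))

if __name__ == "__main__":
    for net in build_blocklist(SAMPLE_IPS):
        print(net)
```

Wider prefixes cut the rule count but raise the chance of blocking legitimate visitors in the same range, so the promotion threshold is the knob to tune against real logs.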
stillpractising
Posts: 2
Joined: Mon Jun 16, 2025 11:33 am

Post by stillpractising »

Why China? According to a 2023 Reuters article, FBI Director Chris Wray told a conference, "China already has a bigger hacking program than every other major nation combined..." So a possible answer is the hackers are looking for personal and technical info. Even if they obtain little bits (pun intended) of info here, when combined with the little bits of info which can be obtained from other forums, hackers may be able to piece together IDs, passwords, personal info, etc., which can be used to gain access at private, commercial and government websites with a greater trove of personal and technical info for, most importantly, financial gain.
valis
Posts: 7795
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Post by valis »

It could be, but it's just bandwidth abuse, and it's not targeting the primary domain (scopeusers.com), nor the host server (which houses many domains). Just forums.scopeusers.com on https, and in a way that causes the forum to run magnitudes slower than it should when not mitigated.