Hello community,
my logs tell me that since 21.5.2010, my CAPTCHA module denies 4000 comment posting attempts per day, roughly one attempt every 20 seconds, because the answer to the challenge is empty. These attempts come from some 600 IP addresses, which I believe to be part of a botnet.
My site is just my personal Drupal playground, nothing of general interest. Before, I had something like 5 comment attempts per month...

This is not something that makes me lose sleep; legitimate comments are so rare on my site that I have just disabled comments altogether.
Without comments active, these bots no longer clutter up my watchdog table, just the server log...

What would you do in such a situation?

BTW: I looked at the server log a little more closely and I'm pretty sure the system info and user agents are fake. There are all kinds of platforms attacking: Nokia and WinCE cellphones as well as PlayStation and Wii, Windows, Linux and OS X. Browsers include old Netscapes, Safari, Camino, Opera, Firefox, Epiphany, Minimo and lots of others. The statistical distribution is too even for those OSes and browsers not to be fake. And, just for fun, I also checked the geographical distribution of the IPs. Guess what: they're from all over the world, ranging from Sweden to Taiwan, Russia, Brazil, Germany, and lots of others. Nevertheless, they are not evenly distributed; Comcast and Verizon stand out ;-)

Comments

MJD

set up a small javascript that sets a variable...

if a robot visits the javascript won't be triggered...

you can then test for the variable & if not set then don't display the comment form...

think that should work...

jan.n

How would I implement such a script? It would be a really good idea to have that in Drupal by default, wouldn't it?

Nevertheless, as I don't care about not having comments enabled I will leave them disabled for a week or two. What I initially forgot:
Just turning off comments does not quite solve the problem, as the watchdog table gets cluttered up with page not found errors.
Well, I now give back HTTP status code 204 for all URIs containing the string "comment".
I thought about a temporary redirection with 302, but where to redirect to? I thought about google.com, but 204 just seems more appropriate to me...

jan.n

Any other ideas or comments?
It seems to me that this is a high-volume attack. Do other Drupal users experience similar comment-abuse-attempt numbers?

eli

I run a fairly popular site and it is *constantly* under attack by a similar botnet.

We use reCaptcha so none of these attempts are succeeding. It's just annoying.

I wrote a script that scans my logs for botnet IPs. Since they seem to be guessing the pattern for comment URLs, it's easy to ID them by the 404 requests for comment pages that don't exist. It blocks about 100 new IPs a day. It's not really that big a deal, it's just annoying.

Do you have access to the server or is it a shared account? If it's your server, you may be interested in some of the cool things you can do with mod_security.
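
The kind of log scan eli describes, as an added example (not eli's script and not code from this thread): it flags client IPs that request several different comment URLs that return 404. The combined log format, the `/comment/` and `/?q=comment/` URL shapes, the threshold of three distinct paths and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumed comment URL shapes (clean URLs and ?q= style); adjust to the site's real paths.
COMMENT_RE = re.compile(r'^/(?:\?q=)?comment/')


def find_comment_probers(lines, min_distinct=3):
    """Return {ip: sorted missing comment paths} for IPs that got a 404 on at
    least `min_distinct` different comment URLs. Distinct paths are counted so
    that a visitor reloading one stale link is not treated as a URL guesser."""
    misses = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line: skip instead of guessing
        ip, _method, path, status = m.groups()
        if status == "404" and COMMENT_RE.match(path):
            misses[ip].add(path)
    return {ip: sorted(p) for ip, p in misses.items() if len(p) >= min_distinct}


# Constructed sample lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/May/2010:10:00:01 +0200] "GET /comment/reply/9001 HTTP/1.1" 404 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [24/May/2010:10:00:21 +0200] "POST /comment/reply/9002 HTTP/1.1" 404 512 "-" "Opera/9.0"',
    '203.0.113.7 - - [24/May/2010:10:00:41 +0200] "GET /?q=comment/reply/9003 HTTP/1.1" 404 512 "-" "Minimo"',
    # Same stale link requested twice: one distinct path, stays below the threshold.
    '198.51.100.4 - - [24/May/2010:10:01:00 +0200] "GET /comment/reply/12 HTTP/1.1" 404 512 "-" "Firefox"',
    '198.51.100.4 - - [24/May/2010:10:01:05 +0200] "GET /comment/reply/12 HTTP/1.1" 404 512 "-" "Firefox"',
    # Existing comment page served normally: ignored.
    '192.0.2.10 - - [24/May/2010:10:02:00 +0200] "GET /comment/reply/5 HTTP/1.1" 200 4096 "-" "Safari"',
    # 404 on a non-comment URL: ignored.
    '192.0.2.10 - - [24/May/2010:10:02:09 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Safari"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for ip, paths in sorted(find_comment_probers(SAMPLE_LOG).items()):
        print(ip, len(paths), "distinct missing comment URLs")
```

The returned IPs are candidates for review or for a block list; how they are blocked (firewall, web server deny rule, mod_security) is left to the server setup.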