| Wednesday October 22nd 2014


HOWTO: Block Bots and Cheaters From Your Website



So there was an online poll set up on a website I help admin, and I noticed one contestant’s votes going up by 300 overnight. In comparison, other contestants would go up 100 votes in a whole day. This person was obviously cheating by using proxies and/or intercepting/modifying the HTTP headers, as the IP addresses in the IP log were all different and resolved back to Vietnam, Brazil, and China. Except all the votes came from the same browser and OS. Sneaky…

Fri, 29 Feb 2008 21:00:53 -0500 - IP: 66.225.230.183
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Referrer: /
URL: /index.php
Fri, 29 Feb 2008 21:00:56 -0500 - IP: 66.225.230.183
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Referrer: http://missronpaul.com/index.php
URL: /index.php
Fri, 29 Feb 2008 21:01:37 -0500 - IP: 132.160.49.90
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 21:02:14 -0500 - IP: 75.126.219.188
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 21:02:17 -0500 - IP: 75.126.219.188
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Referrer: None
URL: /index.php

What’s a bored admin to do on a Friday night, on the final night of the contest? Fight back… well, the best I could, since there is no 100% way to block these types of “attacks.”

The easiest way to block unwanted visitors is simply to block them from viewing the site via a .htaccess file. Unfortunately this “script kiddie” was changing his IP via the Tor network or another third-party proxy… so I checked the logs, reviewed his User-Agent, and blocked his specific browser, which thankfully was an older version of Firefox. I edited my .htaccess as follows:

SetEnvIfNoCase User-Agent "2.0.0.6" bad_bot
order allow,deny
allow from all
deny from env=bad_bot

Once the script kiddie figured out that I was blocking his Firefox 2.0.0.6 browser rather than his IP(s), he switched to the IE7 browser…

Fri, 29 Feb 2008 21:09:08 -0500 - IP: 132.160.49.90
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 21:09:15 -0500 - IP: 132.160.49.90
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Referrer: /
URL: /?results
Fri, 29 Feb 2008 21:10:16 -0500 - IP: 222.240.212.3
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 21:10:47 -0500 - IP: 222.240.212.3
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Referrer: /
URL: /index.php
Fri, 29 Feb 2008 21:10:56 -0500 - IP: 222.240.212.3
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Referrer: /
URL: /index.php
Fri, 29 Feb 2008 21:11:13 -0500 - IP: 217.172.56.49
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Referrer: None
URL: /index.php

Well shit, I can’t block IE7 users from viewing the site. So after reviewing other visitors’ info, the only unique “tag” in his User-Agent was “InfoPath.1”, so I blocked that too. I tested on a spare machine and my IE6 and IE7 could still access the site. Now my .htaccess looked as follows:

SetEnvIfNoCase User-Agent "2.0.0.6" bad_bot
SetEnvIfNoCase User-Agent "InfoPath.1" bad_bot
order allow,deny
allow from all
deny from env=bad_bot

So, feeling confident that I had solved the problem, I go and grab something to eat, catch a little of the hockey game, and a little later check the logs just for fun. This is what I see:

Fri, 29 Feb 2008 22:34:36 -0500 - IP: 72.167.96.108
Agent:
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 22:34:37 -0500 - IP: 72.167.96.108
Agent:
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 22:34:37 -0500 - IP: 72.167.96.108
Agent:
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 22:34:38 -0500 - IP: 72.167.96.108
Agent:
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 22:34:38 -0500 - IP: 72.167.96.108
Agent:
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 22:34:39 -0500 - IP: 72.167.96.108
Agent:
Referrer: None
URL: /index.php

My little gumdrop was smart enough to just eliminate his User-Agent completely. Hmmm, clever, but all the requests were from the same IP address. Screw it, I’ll block blank User-Agents (“^$” is a regular expression that matches an empty string), generic proxies, and his unique IP too. For wasting my time I figured I’d redirect him to Spam Poison so that he would know I would [try to] be one step ahead. I couldn’t forward him to a goatse.cx site since some innocent users might have blank user agents or be using Firefox 2.0.0.6. I also took precautionary steps to protect my .htaccess file and against DoS attacks:

# Tag requests whose User-Agent matches any of these case-insensitive regexes
SetEnvIfNoCase User-Agent "2.0.0.6" bad_bot
SetEnvIfNoCase User-Agent "InfoPath.1" bad_bot
SetEnvIfNoCase User-Agent "^$" bad_bot
SetEnvIfNoCase User-Agent "proxy" bad_bot
order allow,deny
allow from all
# Deny tagged requests, plus the single IP behind the blank-agent burst
deny from env=bad_bot 72.167.96.108
Options -Indexes
LimitRequestBody 10240000
ServerSignature Off
ErrorDocument 403 http://english-122784991673.spampoison.com
# Keep this .htaccess file itself from being served
<Files .htaccess>
order allow,deny
deny from all
</Files>
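Putting the three signals the post relies on (one browser fingerprint showing up from many IPs, a blank User-Agent, and a burst of hits from a single IP) into a script, as an added example that is not part of the original post: it parses the four-line log format shown above and then applies the final .htaccess rules the way SetEnvIfNoCase does, as an unanchored, case-insensitive regex search over the User-Agent. The sample log is assembled from the post's own excerpts plus one constructed legitimate IE7 record (IP 10.0.0.5, no InfoPath token) to show a visitor the rules let through; the function names and thresholds are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample in the post's log format: the first seven records are copied from the
# post's excerpts, the last one (10.0.0.5, plain IE7) is constructed.
SAMPLE_LOG = """\
Fri, 29 Feb 2008 21:00:53 -0500 - IP: 66.225.230.183
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Referrer: /
URL: /index.php
Fri, 29 Feb 2008 21:01:37 -0500 - IP: 132.160.49.90
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 21:09:08 -0500 - IP: 132.160.49.90
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 21:10:16 -0500 - IP: 222.240.212.3
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 22:34:36 -0500 - IP: 72.167.96.108
Agent:
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 22:34:37 -0500 - IP: 72.167.96.108
Agent:
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 22:34:38 -0500 - IP: 72.167.96.108
Agent:
Referrer: None
URL: /index.php
Fri, 29 Feb 2008 22:40:00 -0500 - IP: 10.0.0.5
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Referrer: None
URL: /index.php
"""

RECORD_START = re.compile(r"^(?P<ts>.+?) - IP: (?P<ip>\S+)$")
FIELD = re.compile(r"^(?P<key>Agent|Referrer|URL):\s*(?P<val>.*)$")


def parse_log(text):
    """Turn the four-line records into dicts; a missing Agent value stays ''."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            current = {
                "time": datetime.strptime(m.group("ts"), "%a, %d %b %Y %H:%M:%S %z"),
                "ip": m.group("ip"), "agent": "", "referrer": "", "url": "",
            }
            records.append(current)
            continue
        f = FIELD.match(line)
        if f and current is not None:
            current[f.group("key").lower()] = f.group("val").strip()
    return records


def agents_with_many_ips(records, min_ips=2):
    """Signal 1: one exact browser/OS string arriving from several source IPs."""
    ips_per_agent = defaultdict(set)
    for r in records:
        ips_per_agent[r["agent"]].add(r["ip"])
    return {ua: sorted(ips) for ua, ips in ips_per_agent.items() if len(ips) >= min_ips}


def blank_agent_records(records):
    """Signal 2: requests that carry no User-Agent at all."""
    return [r for r in records if r["agent"] == ""]


def burst_ips(records, window_seconds=5, threshold=3):
    """Signal 3: at least `threshold` hits from one IP inside a sliding window."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# The post's final rules. SetEnvIfNoCase treats each string as a regex, so the
# dots in "2.0.0.6" and "InfoPath.1" are wildcards, not literal dots.
BAD_AGENT_PATTERNS = ["2.0.0.6", "InfoPath.1", "^$", "proxy"]
DENIED_IPS = {"72.167.96.108"}


def is_denied(record):
    """Mirror 'deny from env=bad_bot 72.167.96.108' for one parsed request."""
    if record["ip"] in DENIED_IPS:
        return True
    return any(re.search(p, record["agent"], re.IGNORECASE) for p in BAD_AGENT_PATTERNS)


def denied_records(records):
    return [r for r in records if is_denied(r)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("agents seen from several IPs:", list(agents_with_many_ips(recs)))
    print("blank-agent requests:", len(blank_agent_records(recs)))
    print("burst IPs:", burst_ips(recs))
    print("denied by final rules: %d of %d" % (len(denied_records(recs)), len(recs)))
```

Running it flags both browser strings as shared across IPs, the three blank-agent hits, and 72.167.96.108 as a burst, and the final rule set denies seven of the eight records while letting the plain IE7 visitor through. The denied count is also the honest cost of the approach the post acknowledges: any legitimate Firefox 2.0.0.6 user or any visitor whose proxy strips the User-Agent is blocked too, so rules like these are a stopgap for a contest weekend, not a substitute for per-vote validation on the server side.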

Bonus: The top 10 spam bot user agents you MUST block.
Bonus: A very long list of user agents to block from 0x000000.com
