Your Joe Dog Is Under Attack

This site has been under attack for several weeks now. The attacker is running an unthrottled brute force dictionary attack against the login page, and he seems to have an unlimited supply of IP addresses. After examining some of the source addresses, I've concluded that we're on the wrong end of a botnet.

I've been harvesting the source IP addresses and blocking them as fast as I can. I've also added Rewrite rules to deny these attempts based on his request signature. Those rules reduce overhead, since a request the rewrite engine rejects never reaches WordPress and never generates a database transaction. Yet no matter how many timeouts he gets and no matter how many Access Denied responses he endures, the attacks persist.

Because this dictionary attack is unthrottled, the effect is, at times, not unlike a DoS attack. Your Joe Dog is a public service with shallow pockets. We simply don't have the resources to absorb these attacks and still provide you with snappy service. Bear with us as we deal with this asshole.

UPDATE: While it adds some inconvenience, I applied an access control to the page he's attacking. You can protect a single file inside a FilesMatch block like this:

 # Basic auth in front of the login page only; the rest of the site stays open.
 # FilesMatch takes a regular expression, so ^wp-login\.php$ is the strict form.
 <FilesMatch "wp-login.php">
   AuthType Basic
   AuthName "Kiss my fscking ass"
   # htpasswd-format file; keep it outside the document root
   AuthUserFile /path/to/my/file
   Require user franklindelanoroosevelt
 </FilesMatch>

Obviously, some of that information was obfuscated but “Kiss my fscking ass” really is the realm I’m using.

The benefit to this approach is two-fold. First, Apache doesn't expend much effort to say, "401, gimme a password!": the challenge is answered by the web server itself, before PHP or the database ever sees the request. Second, it is an extra layer: if he cracks the Basic auth password, he still has to bust the WordPress login behind it, and I can reset the first password before he gets through the second…. (Basic auth only base64-encodes the credentials on the wire, so this layer is worth a lot more over HTTPS than over plain HTTP.)
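Harvesting the attacker's source addresses from the access log, the blocking step described above, is easy to script. The following is an added example and not the post's own tooling: the log lines are constructed sample data in Apache's combined format, the addresses are documentation ranges rather than real attackers, and the function names (brute_force_ips, deny_rules), the threshold and the file paths in the usage comment are assumptions, not anything the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): pick out the brute-forcer's
# source addresses from an Apache access log and turn them into Deny rules.
# The log lines below are constructed sample data in Apache's "combined"
# format; the addresses are documentation ranges, not real attackers.

SAMPLE_LOG='203.0.113.5 - - [10/Oct/2012:13:55:36 -0400] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2012:13:55:37 -0400] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/4.0"
192.0.2.77 - - [10/Oct/2012:13:55:38 -0400] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2012:13:55:39 -0400] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2012:13:55:40 -0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
192.0.2.77 - - [10/Oct/2012:13:55:41 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2012:13:55:42 -0400] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2012:13:55:43 -0400] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2012:13:55:44 -0400] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2012:13:55:45 -0400] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/4.0"
192.0.2.20 - - [10/Oct/2012:13:55:46 -0400] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"'

# brute_force_ips MIN: read an access log on stdin and print, one per line,
# every client that POSTed to wp-login.php at least MIN times.  Only POSTs
# count: a GET of the login form is what a legitimate user does once, while
# a dictionary attack is a stream of POSTs.  The status code is ignored on
# purpose, so the list keeps growing after the 401/403 walls go up.
brute_force_ips() {
    min="$1"
    awk -v min="$min" '
        # combined log format: $1 = client IP, $6 = "METHOD (opening quote included), $7 = path
        $6 == "\"POST" && $7 == "/wp-login.php" { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# deny_rules: read addresses on stdin and emit Apache 2.2 access-control
# lines.  On Apache 2.4 the equivalent is "Require not ip <addr>" inside a
# <RequireAll> block.
deny_rules() {
    while IFS= read -r ip; do
        if [ -n "$ip" ]; then
            printf 'Deny from %s\n' "$ip"
        fi
    done
}

# Against a real server you would feed the live log instead of the sample
# (paths and threshold are assumptions for illustration):
#   tail -n 10000 /var/log/httpd/access_log | brute_force_ips 20 | deny_rules >> /etc/httpd/conf.d/blocked.conf
printf '%s\n' "$SAMPLE_LOG" | brute_force_ips 3 | deny_rules
```

Run as-is it prints `Deny from 198.51.100.9` and `Deny from 203.0.113.5` for the sample; the one-off POST from 192.0.2.77 (a normal login) and the GET-only client are left alone. Because it keys on POSTs to the login page rather than on response codes, it still catches the bot after the Basic auth challenge above is in place, which is exactly when you want to keep feeding the block list.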

 

Posted in Security, Wordpress | 1 Comment

One Response to “Your Joe Dog Is Under Attack”

  1. Ben L says:

    I hope the author of this botnet attack trips on some cat5 and spills heavily sugared/creamed coffee into his keyboard.

    Thanks for siege and the interesting blog posts.
