Sessions table crashed, forum was offline (Botnet attack)

jakeheke · Posted: 07 Jan 2024, 08:16

Julien, for someone who isn't the most computer illiterate what are these bots doing, harvesting information?

admin · Posted: 07 Jan 2024, 09:10

jakeheke wrote:

what are these bots doing, harvesting information?

A.I. such as ChatGPT need lots of inputs to train the models.

Harvesting blindly tons of websites if one way to cheaply build a base.

They absolutely don't care about copyright or intellectual property. The mentality is "if it's on Internet, it's free (to use)".

Cloud business model are based on traditional usage where you store your data with them and access when needed.
Uploading data to the cloud is free but they will charge you for downloading.

Problem with A.I. in the cloud is that they siphon huge amounts of data to the cloud (free), crunch their models for long periods of times (paying for CPU) but then the output is tiny in comparison.

Clouds might have to reconsider their business cases, they are basically subsiding A.I. companies right now.

Julien

admin · Posted: 06 Feb 2024, 16:34

I think Google is realizing they are late in the A.I. game... and they released the Kraken (i.e. = Googlebot slurping websites).

They were more than 50% of the bandwidth in the past few days and are not honoring the crawl delays in the robots.txt file.

So... I'm blocking Google for 1 month. Not good for search rankings but it's slowing down the website response time but a factor of 50. They are just parsing all the user collections with all the possible filters and sorting.

Utterly useless!

Julien

admin · Posted: 08 Apr 2025, 14:56

Bing and Google back again, eating up all CPU resources.

Banned for 1 month:

40.77.167.0/24 (Bing)
66.249.68.0/24 (Google)
66.249.76.0/24 (Google)

It will de-index many URLs and disappear from some searches but at least the website is usable.

Right now, also blocking 14,532 IPs from AI crawlers, and "only" 5,974 IPs from compromised routers/IoT.

Julien

admin · Posted: 15 May 2025, 08:49

Had to block permanently:

GoogleBot
BingBot
AliCloud SG
AliCloud HK
AliCloud USA
Various IA startup company crawlers

IA companies are truly the scum of internet.

It seems to be something similar to the Reddit effect.
Old forums have value because they span information over many years and are 100% guaranteed human contents.

Now IA bots are mostly hammering the forum and disregarding the main website.

Costing you a fortune in management time/resources... and then selling you your data back.

No thank you.

Julien

takeshi666 · Posted: 15 May 2025, 14:08

admin wrote:

Old forums have value because they span information over many years and are 100% guaranteed human contents.

Now IA bots are mostly hammering the forum and disregarding the main website.

That reminds me of the weirdest thing I saw a couple of years back. I can't even remember how I found it, I might've been trying to find an old post of my own in one of the many sites that archive 4chan threads, but one I came across was a "message board" that was made up entirely of 4chan posts, except they had fake accounts and usernames assigned to them so the posts were technically real, but the users were fake.

I can think of a few reasons why someone would want to create something like that, but it's certainly a strange way of going about it.

admin · Posted: 29 May 2025, 06:17

and... the botnet flooding is back.. but this time on the forum, seemingly trying to hijack a user session to potentially post spam links

All coming all as "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36".

Blocking them all now as they it the website, 18,000+ IPs so far in 5 minutes.

Julien

admin · Posted: 29 May 2025, 09:04

Reaching 100,000 IPs soon.

The geographical sources have a different profile from the previous botnet.

We could possibly go well above the ~380K IP addresses blocked from the previous DDOS.

Julien

admin · Posted: 29 May 2025, 14:20

225K IPs, and absolutely not slowing down.

Julien

admin · Posted: 30 May 2025, 01:26

Flooding stopped as suddenly as it started.

~320K IPs this time.

Julien

admin · Posted: 31 May 2025, 12:42

What a month!

(4 days of the worse stats were lost because the amount of logs to process was too massive)

Attachment:

2025-05-forum.png [ 19.52 KiB | Viewed 1090 times ]

May 9~15th were the hungry IA crawlers pulling way too much data from the forum and downloading all the PDFs on manuals.lddb.com too many times.

May 18~30th was the 2nd wave of botnet flooding.

May 29~30th was ~10K IPs all from Huawei cloud services hammering the database (checking ALL IMDb numbers sequentially).

Currently blocking 367,386 IP addresses, the normal level is usually around 15,000+.

Julien

admin · Posted: 02 Jun 2025, 15:12

admin wrote:

May 29~30th was ~10K IPs all from Huawei cloud services hammering the database (checking ALL IMDb numbers sequentially)

They came back after a 48h ban so...

Goodbye permanently to ALL Huawei-cloud subnets around the world!

Code: Select all

Importing fresh SUBNETS list
..........................................................................................................................
..........................................................................................................................
..........................................................................................................................
..........................................................................................................................
...........
Added 498 subnets
---
IPs blocked = 1,099,264

Good riddance.

Julien

admin · Posted: 03 Jun 2025, 12:07

admin wrote:

Goodbye permanently to ALL Huawei-cloud subnets around the world!

I spoke too fast, they were just part of a bigger (but different) botnet hitting every single page of the sitemap of the site related to IMDb entries.

They are not an official search engine and masquerade behind single IPs use from all over the world, with randomized User-Agent.

18,000 IPs so far, and they keep coming fast.

Julien

admin · Posted: 07 Jun 2025, 05:12

This last flooding stopped around 25K IPs.

But there is a new one that started yesterday, already 200K IP blocked.

This is is coming from all over the world. But there is a common element... they're coming from mobile phones via the Chinese government-controlled WeChat app.

Attachment:

Last500.png [ 157.46 KiB | Viewed 139 times ]

And since I'm already blocking all China IPs (about 350M), it means these are WeChat apps installed on phones outside of China.

I'm blocking each IP and serving a "403 Forbidden access" but they don't seem to care.
More coming right after.

To give you an idea, June 1st~5th was pretty normal for traffic on the forum and then...

6/1 - 6,272
6/2 - 5,305
6/3 - 4,161
6/4 - 4,406
6/5 - 5,175
6/6 - 345,813
6/7 - 216,914 (so far)

Julien

admin · Posted: 08 Jun 2025, 04:24

And the botnet flood stopped as mysteriously as it started.

Only a few hits now, after blocking 568,000+ IPs.

6/1 - 6,272
6/2 - 5,305
6/3 - 4,161
6/4 - 4,406
6/5 - 5,175
6/6 - 345,813
6/7 - 483,197
6/8 - 23,908 (so far)

Julien

admin · Posted: 11 Jun 2025, 05:47

... and they came back.

Over a million IP addresses blocked right now.
The ban lasts 30 days.

If I blocked you by mistake... please accept my apologize!

Julien

tony426 · Posted: 11 Jun 2025, 12:35

admin wrote:

If I blocked you by mistake... please accept my apologize!

Julien

It seems like many users have been blocked in error, judging by comments I'm reading on Facebook and elsewhere. Since last Friday, I'm unable to access the site using my home internet connection. Using mobile data is fine though, so I guess my home IP is blocked.

admin · Posted: 11 Jun 2025, 12:36

I'll post an update on Facebook, thank you for the info.

Julien

admin · Posted: 11 Jun 2025, 12:48

Posting here as well:

Quote:

LDDb.com (both site and forum) have been under heavy traffic flooding from at least 3 separate botnets.

So far I had to block more than 1 million IP addresses to give the server some room to breath and respond within acceptable delays.

HOWEVER I might have blocked your IP address while frantically building walls on LDDb server.

If this happens there are ways to check:

- Is LDDb.com not responding from one IP (home internet) but responds from your phone 4G/5G browser?

If yes, you might have been blocked by mistake.

1/ Go to https://whatismyipaddress.com/ from the internet access being blocked. Let's say it's 10.20.30.40
2/ From a working internet access, you can check the IP status by adding this IP address to the block map URL lddb.banhammer.com => https://banhammer.lddb.com/10.20.30.40

It will either show "NOT blocked" or "blocked because of..."

Contact me over Facebook or on admin@lddb.com to ask me to unblock your IP address.

SORRY about these troubled times!

BANs usually expire after 30 days but you probably want your access restored before that.

Julien

admin · Posted: 12 Jun 2025, 12:14

I grew tired of the connection flood...

:crazy:

=>

=>

Inspired by a tech blog post facing the same issues... I put a bobby-trap for the botnet who came back again... it's nasty and should have compromised hosts have their memory quickly run out and/or crash.

No normal user should suffer the wrath of the counter-measure, it's very targeted.

Let the Hunter Games... begin!

Julien

Sessions table crashed, forum was offline (Botnet attack)

Who is online