Well that was funny
I'm no longer forwarding cookie thieves to Natalie's site. I had been fussing around trying to make IPTables block all the botnet machines, and when that didn't work, I was just using deny rules in Apache, which sucked, because my include file of blocked hosts was 100,000 or so. That's in addition to the default "Block all of China, India, Eastern Europe" rules I apply. It also sucked because I'm still serving pages and so there were tons of ESTABLISHED, FIN_WAIT1/2, etc. connections, most of which were holding open Apache processes, which was crushing my machine.
The reason IPTables wasn't working turned out to be because of the VPS solution used by 1and1. There is a hard limit of 400 rules on the host, and I can't work around that, so I can't use IPTables with huge blacklists, at least, not that I've figured out.
What I'm doing now though is to use the LimitExcept directive to only allow GET requests in the virtual host which does the rewrites for nataliecurtiss.com. So now those fuckers are all just getting 403's or, in some cases, 500's (don't know why that is).
So yeah that was fun. A case has been opened with SquareSpace, since this attack traffic was all really directed at them. And the only logical thing I can think of is that the attackers are trying to guess session cookies of site admins who aren't explicitly logged out of their site admin tools. This would let the attackers exploit any XSS inherent in code generated by SquareSpace, or use the targeted site to infect more end user machines for this botnet.
Still, it's an awful lot of trouble to go to just to get your hands on Natalie's what, 12 legitimate users per month?
Now I just have a zillion connections in TIME_WAIT, but at least my site seems quick, all my services seem to be working at full speed ahead, and I'm going to stop thinking about this shit for a while. I'm not going to bother figuring out why I can't set tcp_tw_reuse to clean up all those TIME_WAITs.
Update:
The 500's are because I didn't set an auth-type for the user to be able to POST. Well, fuck 'em, they get 500's, since I never want anyone to ever do anything but GET, everything else can DIAF.
- xrayspx's blog
- Log in to post comments
- 3433 reads