A month ago I noticed a hike in hits on my forum, from 1500-2000 a day to 8000-10000+, without any visible change in hosts, registrations or activity on the forum. After looking through the counter stats and raw access logs, it looks like one single IP keeps knocking on the forum's root -
http://forum.xxxxxxx.org
Here's a typical raw access log line:
Code:
85.xxx.xxx.xxx - - [12/Jan/2010:16:23:30 -0500] "GET /?sid=580eccd99d3830f0b109d1d797b4742d HTTP/1.1" 200 26067 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
I pulled all lines for this IP from the raw access log to see what resources are being accessed (this is for a half-day log):
Code:
4332 /
4 /viewforum.php
4 /favicon.ico
4 /images/rss-feed-10x10.png
4 /viewtopic.php
3 /templates/NoseBleed/NoseBleed.css
3 /templates/NoseBleed/NoseBleed.js
2 /templates/NoseBleed/translit2.js
2 /templates/NoseBleed/sel2reply.js
2 /templates/NoseBleed/show_layer.js
1 /viewonline.php
1 /login.php
1 /index.php
Thus, a single "user" (a script, I assume) just keeps accessing the root, where there is just a list of forum sections, no other content.
As I understand it, it's too few hits for a typical DDoS attack, even though at some point phpBB2 (updated to the latest version) was giving up with an error about too many DB connections - I saw it once myself, even though no one has complained yet. They're not accessing login.php, so it's not brute-force password tries. And viewtopic.php isn't accessed, so it's not content stealing.
So what's going on? What could they possibly want, and how would I fight it?
I did block the IP once, but the next day it resumed with a different IP from a different country. Though, I blocked it again last night, and it seems to have stopped for now.
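The per-IP resource count in the post was made by hand from the raw log. The script below is an added example (not from the original post or the phpBB project) that does the same thing for a combined-format access log and flags any client whose traffic is both heavy and concentrated on a single path, which is the pattern the post describes: thousands of hits to "/" and almost nothing else. The sample log lines, IP addresses (RFC 5737 test ranges), session ids and the `min_hits`/`min_share` thresholds are all constructed for the example.

```python
import re
from collections import Counter

# Apache / nginx "combined" log format, the same layout as the post's sample line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Strip the query string so "/?sid=abc" and "/?sid=xyz" both count as "/",
    # which is how the per-resource counts in the post were tallied.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def count_paths_per_ip(lines):
    """Map each client IP to a Counter of the paths it requested."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        per_ip.setdefault(rec["ip"], Counter())[rec["path"]] += 1
    return per_ip


def find_hammering_ips(per_ip, min_hits=100, min_share=0.9):
    """Flag IPs whose traffic is both heavy and concentrated on one path.

    Returns (ip, total_hits, top_path, share) tuples, heaviest first.
    A human visitor spreads requests over pages, CSS, JS and images; a script
    that only reloads the forum root puts nearly all of its hits on "/".
    Thresholds are example values; tune them to the site's normal traffic.
    """
    flagged = []
    for ip, paths in per_ip.items():
        total = sum(paths.values())
        top_path, top_hits = paths.most_common(1)[0]
        share = top_hits / total
        if total >= min_hits and share >= min_share:
            flagged.append((ip, total, top_path, share))
    flagged.sort(key=lambda t: t[1], reverse=True)
    return flagged


# Constructed sample log: placeholder IPs, fake session ids, not the post's data.
# 203.0.113.7 plays the script reloading "/"; 198.51.100.4 is an ordinary reader.
_UA_BOT = '"Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"'
_UA_USER = '"Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5"'
SAMPLE_LINES = [
    f'203.0.113.7 - - [12/Jan/2010:16:23:{s:02d} -0500] "GET /?sid={s:032x} HTTP/1.1" 200 26067 "-" {_UA_BOT}'
    for s in range(60)
] + [
    f'203.0.113.7 - - [12/Jan/2010:16:24:00 -0500] "GET /favicon.ico HTTP/1.1" 200 1150 "-" {_UA_BOT}',
    f'198.51.100.4 - - [12/Jan/2010:16:23:05 -0500] "GET / HTTP/1.1" 200 26067 "-" {_UA_USER}',
    f'198.51.100.4 - - [12/Jan/2010:16:23:06 -0500] "GET /templates/NoseBleed/NoseBleed.css HTTP/1.1" 200 8200 "http://forum.example/" {_UA_USER}',
    f'198.51.100.4 - - [12/Jan/2010:16:23:20 -0500] "GET /viewforum.php?f=3 HTTP/1.1" 200 30100 "http://forum.example/" {_UA_USER}',
    f'198.51.100.4 - - [12/Jan/2010:16:23:51 -0500] "GET /viewtopic.php?t=17 HTTP/1.1" 200 41200 "http://forum.example/viewforum.php?f=3" {_UA_USER}',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    per_ip = count_paths_per_ip(SAMPLE_LINES)
    for ip, total, path, share in find_hammering_ips(per_ip, min_hits=50):
        print(f"{ip}: {total} hits, {share:.0%} of them to {path}")
```

On a real server you would feed `count_paths_per_ip` the lines of the access log (for example `open("/var/log/apache2/access.log")`) and run it from cron; the output gives the same "4332 /" style summary as the post, plus a ready list of candidates for a firewall or `.htaccess` block. Because the offender in the post moved to a new IP the day after being blocked, the share-of-one-path check is more useful than a static IP list: it keeps flagging the behaviour no matter which address it comes from.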