Author Topic: Bandwidth being raped...  (Read 3426 times)


Offline Arbok

  • Toho Mikado
  • Score: 5
    • Toho Kingdom
Bandwidth being raped...
« on: August 23, 2007, 07:12:01 AM »
*sigh* The past few days have been exhausting, I'm afraid. It would seem that there have been malicious attempts done to take down our site; now normally I wouldn't jump to those conclusions, yet it would seem that people recently banned from our forums are touting just that which would make me suspect. The sign to me that this issue was real was Sunday night when our bandwidth jumped up to 45GB for the day, an all-time high. This ended up being nothing for what was to come, though, as the site started to see traffic to the tune of 25GB an hour on Monday. I ended up strengthening the htaccess file, and was able to curb that to 1GB an hour... however, 252GB had been used that day. According to the stats, the culprit was jpegs, which accounted for 90% of the total bandwidth consumption. Going from the ratio of hits, it's quite clear they were being hotlinked, somewhere, en masse.

Tuesday was more or less fine, with bandwidth staying at 1GB an hour. Wednesday flared up again to 15GB an hour, and I had to further restrict access through the htaccess file. I got it down to 1GB an hour again. However, that night it rose to 3GB, while this morning it's now at 4GB an hour.

Sadly, the stats for the site also appear to be down. I wondered why this was, and attempted to view the log for the latest hour... to find out that the file was 1.12GB in size, which would probably explain that.

I tried to contact support about this, but their response was a combination of contacting our own web developer (doesn't help, as that's me) or doing a Google search...

At this stage, I simply have to ask if anyone could offer any advice to try and deal with this situation? I have already deleted the larger files off the site, while narrowing down the accepted domains to just the normal site and a subdomain, yet it continues. If anyone could help me with this ordeal, I would be very grateful. Thanks for your time.
Toho Kingdom

@romero_tk

Offline Nick DiMola

  • Staff Alumnus
  • Score: 20
    • PixlBit
RE: Bandwidth being raped...
« Reply #1 on: August 23, 2007, 07:22:31 AM »
Wow, that's unbelievable. I wish I could help you in some way but I really don't know much about curbing bandwidth usage. For some reason people on the Internet always have a strong urge to be total douche bags when the opportunity arises. I wish you luck though.
Check out PixlBit!

Offline Sir_Stabbalot

  • Posts: 28
  • Score: 1
RE:Bandwidth being raped...
« Reply #2 on: August 23, 2007, 07:24:37 AM »
Would there be any way to disable hotlinking totally? Some sites seem to be able to do that.

At the very worst, you could take the site down for a week and then bring it back up. Hopefully the ADD kids doing it will have forgotten.  
"I am going away, but the State will always remain" - Louis XIV, on his deathbed.

"Chimps are like fine wine: I drink them both." - A friend of a friend of mine.

Offline Arbok

  • Toho Mikado
  • Score: 5
    • Toho Kingdom
RE:Bandwidth being raped...
« Reply #3 on: August 23, 2007, 07:32:05 AM »
Quote

Originally posted by: Sir_Stabbalot
Would there be any way to disable hotlinking totally? Some sites seem to be able to do that.


That's what the htaccess file is for. At first I disabled all URLs from hotlinking that didn't turn up either no listing or a URL that was our site or its subdomain. When it flared up to 15GB again, I had to disable everything even for those that didn't report a source (which sucks, as some people naturally view the web this way, but I was against a wall and had to disable access for them as well). Sadly, the problem continues, and now I'm at a loss...

Offline stevey

  • Young HAWNESS
  • Score: 15
RE: Bandwidth being raped...
« Reply #4 on: August 23, 2007, 12:58:27 PM »
Try changing the names of the jpegs so it will break the links to them and/or change the jpegs themselves to something else
My Demands and Declarations:
nVidia is CRAP!!!
BOYCOTT Digest mode and LEGEND OF OO!

Your PM box will be spammed with Girl Link porn! NO EXCEPTION!
Wii want WaveBirds

Stevey Duff
NWR HAWTNESS Inspector
NWR Staff All Powerful Satin!

Offline Arbok

  • Toho Mikado
  • Score: 5
    • Toho Kingdom
RE:Bandwidth being raped...
« Reply #5 on: August 23, 2007, 01:09:35 PM »
Quote

Originally posted by: stevey
Try changing the names of the jpegs so it will break the links to them and/or change the jpegs themselves to something else


Did that this afternoon, and success... as bandwidth dropped to .5GB an hour. It's a temporary fix, though, but at least something that can be done.

Offline UncleBob

  • (PATRON)
  • NWR Junior Ranger
  • Score: 98
RE: Bandwidth being raped...
« Reply #6 on: August 23, 2007, 05:11:36 PM »
Can you do something like the script that Super has set up for the Funhouse banner where it'll pull images from elsewhere - it just pulls from the same directory, but I'm thinking from a different site totally - like, perhaps .jpgs from the site of the person "hacking" you or from the people you rent server space from who should, ideally, be helping you in a case like this?
Just some random guy on the internet who has a different opinion of games than you.

Offline Arbok

  • Toho Mikado
  • Score: 5
    • Toho Kingdom
RE:Bandwidth being raped...
« Reply #7 on: August 23, 2007, 06:05:57 PM »
Quote

Originally posted by: UncleBob
Can you do something like the script that Super has set up for the Funhouse banner where it'll pull images from elsewhere - it just pulls from the same directory, but I'm thinking from a different site totally - like, perhaps .jpgs from the site of the person "hacking" you or from the people you rent server space from who should, ideally, be helping you in a case like this?


I run something similar to that somewhere else on the site. Technically I could, although I would rather not enter an "eye for an eye" type of scenario where things would escalate forever. The htaccess file we have up does redirect the images when they are showing up as an obvious hotlinking source, and replaces them with this:



Luckily, as I mentioned above, bandwidth has been at a very reasonable .5GB an hour after the last changes, and I just hope it stays around there. *knocks on wood*

Offline bustin98

  • Bustin' out kids
  • Score: 30
    • Web Design Web Hosting Computer Sales and Service
RE:Bandwidth being raped...
« Reply #8 on: August 23, 2007, 06:08:31 PM »
Shouldn't the log files reveal the IPs of the offending machines? My server was getting hit by Chinese addresses so I denied access to the range of addresses. I am using IIS6 and my webstats program is SmarterStats, I am not sure if that info is provided in the same manner with Apache and whatever stats program you have.

Offline Arbok

  • Toho Mikado
  • Score: 5
    • Toho Kingdom
RE:Bandwidth being raped...
« Reply #9 on: August 23, 2007, 06:32:14 PM »
Quote

Originally posted by: bustin98
Shouldn't the log files reveal the IPs of the offending machines? My server was getting hit by Chinese addresses so I denied access to the range of addresses. I am using IIS6 and my webstats program is SmarterStats, I am not sure if that info is provided in the same manner with Apache and whatever stats program you have.


Normally, yes... however, the stats are down due to the volume of requests they are pushing toward the site (an hour's worth of activity = 1.12GB log). When they were up, it was clear that it wasn't going to be that easy, as the history was showing a variety of IPs, each of which was taking up 200-400MB of data. A whois search on them turned up no connection either (proxied, I'd assume). They are certainly pro at this.
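An added example, not part of the thread and not the site's own code: a single streaming pass over an access log too large for the stats package, totalling JPEG bytes per referring host and per client IP, and showing what the two referer policies described above (empty referer allowed, then empty referer blocked) would still serve. It assumes Apache's "combined" log format; the allowed host names and the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumptions: Apache "combined" log format; placeholder host names.
ALLOWED_HOSTS = {"www.example.org", "forum.example.org"}
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+)[^"]*" '
    r'\d{3} (?P<size>\d+|-) "(?P<referer>[^"]*)"')
JPEG_RE = re.compile(r"\.jpe?g(?:\?|$)", re.IGNORECASE)

def referer_host(referer):
    """Host part of a Referer value; '(none)' when the client sent none."""
    if referer in ("", "-"):
        return "(none)"
    try:
        return (urlsplit(referer).hostname or "(invalid)").lower()
    except ValueError:
        return "(invalid)"

def summarize(lines):
    """One pass over the log; memory grows with distinct hosts and IPs only."""
    by_host, by_ip = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["size"] == "-" or not JPEG_RE.search(m["path"]):
            continue
        by_host[referer_host(m["referer"])] += int(m["size"])
        by_ip[m["ip"]] += int(m["size"])
    return by_host, by_ip

def served_bytes(by_host, allow_empty):
    """JPEG bytes a referer allowlist still serves, with or without '(none)'."""
    ok = ALLOWED_HOSTS | ({"(none)"} if allow_empty else set())
    return sum(n for host, n in by_host.items() if host in ok)

# Constructed sample lines (documentation IP ranges, placeholder hosts).
T = "[23/Aug/2007:07:00:01 -0400]"
SAMPLE = [
    f'192.0.2.10 - - {T} "GET /img/a.jpg HTTP/1.1" 200 400000 "http://www.example.org/reviews/" "UA"',
    f'198.51.100.7 - - {T} "GET /img/a.jpg HTTP/1.1" 200 400000 "http://hotlinker.example.net/t/1" "UA"',
    f'198.51.100.8 - - {T} "GET /img/b.JPG HTTP/1.1" 200 350000 "http://hotlinker.example.net/t/2" "UA"',
    f'203.0.113.5 - - {T} "GET /img/b.jpg HTTP/1.1" 200 350000 "-" "UA"',
    f'203.0.113.5 - - {T} "GET /img/c.jpeg HTTP/1.1" 200 250000 "-" "-"',
    f'198.51.100.7 - - {T} "GET /img/a.jpg HTTP/1.1" 304 - "http://hotlinker.example.net/t/1" "UA"',
]

if __name__ == "__main__":
    hosts, ips = summarize(SAMPLE)  # real use: summarize(open(path, errors="replace"))
    print(hosts.most_common(), ips.most_common(3))
    print(served_bytes(hosts, True), served_bytes(hosts, False))
```

The Referer header is supplied by the client, so the per-IP totals are the cross-check when the per-host totals look clean.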