Bot (91.241.19.84) from Russia has tried to hack my site every day
4 points by ben-gy 45 days ago | hide | past | favorite | 9 comments
I'm using Sqreen (in app WAF) and Cloudflare to protect my site.

I've recently noticed a bot using a Russian IP address 91.241.19.84 that has tried to hack my site every day since the 8th of November (1.73k requests so far).

Question: is there something more than just blocking the requests that can be done?

Is it legal/possible to hire an ethical hacking company that can go on the offensive against these malicious actors to rack up server expenses for the hackers running the bot or some other lightweight, non-lethal deterrent?

There's a current trend happening with people building API phone call bots designed to flood call scam centres. Is there an equivalent of this for web bots?




I'm afraid this is pretty common on the Internet today. I recently set up my own web server and I was a little shocked to look at some of the logs (in terms of the level of malice and persistence, like hundreds of different attacks attempted by a single attacker) even though I had often heard about this phenomenon before.

You could try to complain about the abuse to the SWIP owner of that IP address space in whois. Note that some ISPs and countries may not care much. Perhaps this bot is already deliberately hosted in one that doesn't care.

Also maybe consider using something like fail2ban, a leading tool for automating some attack-bot blocking:

https://www.fail2ban.org/wiki/index.php/Main_Page

Although it's a much-debated topic, I don't think that the escalation of "hack-back" is reasonable ethically or even tactically. One important problem is that you don't even know for sure that the apparent origin of the attacks is an entity that's deliberately involved at all. It could be a legitimate server (that someone relies on) that the attacker has previously compromised in order to abuse it to attack you. The main person who suffers if you succeed in a hack-back might be the legitimate operator of that server, who may also be an innocent victim (and might think of you as a malicious attacker for trying to disable the server!).
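To make the fail2ban suggestion concrete, here is an added example (not code from the commenter or from the fail2ban project) of the same idea in a few dozen lines of Python: parse access-log lines, count failed requests per source address inside a sliding window, and emit a block for any address that crosses the threshold. The log lines are constructed for the example and use documentation addresses (203.0.113.7 as the scanner, 198.51.100.9 as an ordinary visitor); the `iptables` command string is an assumed rendering of what a ban action would run, and `maxretry`/`findtime` mirror the fail2ban jail settings of the same names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of combined-format (nginx/Apache) access log lines, not real traffic.
# 203.0.113.7 probes for common admin files; 198.51.100.9 is a normal visitor with one typo.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2020:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:10:00:03 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:10:00:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2020:10:00:05 +0000] "GET /missing-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:10:00:07 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:10:20:00 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_offenders(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Ban any IP with >= maxretry failed (4xx/5xx) requests inside a findtime window.

    Returns (banned, failures): banned maps ip -> time of the request that tripped
    the threshold; failures maps ip -> total failed requests seen. Lines are
    assumed to be in chronological order, as a log file normally is.
    """
    windows = defaultdict(deque)   # per-IP timestamps of recent failures
    failures = defaultdict(int)
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _path, status = parsed
        if status < 400:
            continue                # successful request: not evidence of probing
        failures[ip] += 1
        window = windows[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()        # drop failures older than the window
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned, dict(failures)


def render_block_commands(banned):
    """Render the ban list as firewall commands (assumed form of a fail2ban-style action)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    banned, failures = find_offenders(SAMPLE_LOG)
    for ip, when in banned.items():
        print(f"ban {ip} at {when.isoformat()} ({failures[ip]} failures total)")
    print("\n".join(render_block_commands(banned)))
```

With the defaults, the scanner's five failed requests within six seconds trip the threshold at 10:00:07, while the visitor's single 404 does not; that is the distinction a real jail encodes with a `failregex` plus `maxretry` and `findtime`. A ban should also have a `bantime`, and a whitelist for your own monitoring addresses, so a misconfigured health check cannot lock you out of your own server.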


That’s a great point regarding a false positive / compromised server acting maliciously.

One problem is that even when using a security setup like the one I’ve implemented, it’s still a one-to-one relationship.

Do you know if there’s a shared data / collective approach so that, for example, you and I could connect our traffic data to a shared fail2ban implementation?


I've had to block Servermania's IP space due to various shenanigans. Due to the large number of IPs involved, I suspect they have a VPN service (that's being abused) as a customer. Being able to narrow it down to a single IP seems a luxury in comparison(!) and I would certainly just block it and move on for now.

"There's a current trend happening with people building API phone call bots designed to flood call scam centres. Is there an equivalent of this for web bots?"

That just sounds like a DDoS to me and not something I would advise, because it could get you into trouble.


The entire AS is full of hot garbage, B2, Servermania, Colocrossing, all the related groups.

https://www.spamhaus.org/sbl/listings/colocrossing.com

I get so much spam and bruteforce from their entire network.


Bad actors are a fact of life on the Internet and Russian ISPs aren't going to care about this sort of thing.

Cloudflare allows blocking traffic by country, just block all traffic from Russia and get on with your life.


I need to look into this further - because I have set the firewall rules in Cloudflare to block Russia but then Sqreen is still picking up these IPs - I suspect there is some sort of spoofing going on to get through the Cloudflare firewall so I’m not sure how genuinely effective this strategy is...
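The situation described here, a CDN country block in place yet the application still seeing the blocked addresses, is worth checking against a common cause: requests that reach the origin server directly, never passing through the CDN, while the application still trusts forwarding headers such as `CF-Connecting-IP` or `X-Forwarded-For`. The following added example (not the poster's setup or any vendor code) shows the defensive rule: honour the forwarded client address only when the TCP peer is one of the CDN's own egress ranges, and treat any other connection as a direct hit on the origin whose headers are untrusted. `TRUSTED_PROXY_RANGES` holds constructed placeholder CIDRs; in a real deployment it would be filled from the CDN's published address list (for Cloudflare, https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), and the header name `CF-Connecting-IP` is the one Cloudflare sets.

```python
import ipaddress

# Placeholder CIDRs standing in for the CDN's egress ranges. Constructed for this
# example; in production populate them from the CDN's published list and refresh it.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network(cidr) for cidr in ("192.0.2.0/24", "2001:db8:1::/48")
]

# Header the CDN sets with the real client address (Cloudflare's name for it).
CLIENT_IP_HEADER = "CF-Connecting-IP"


def is_trusted_proxy(peer_ip):
    """True when the TCP peer that connected to us is inside the CDN's ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def resolve_client(peer_ip, headers):
    """Return (client_ip, via_cdn).

    Forwarding headers are only believed when the connection itself came from the
    CDN. A direct connection to the origin bypassed the edge firewall entirely, so
    any CF-Connecting-IP / X-Forwarded-For it carries is attacker-controlled.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip, False
    claimed = headers.get(CLIENT_IP_HEADER)
    if not claimed:
        return peer_ip, True
    try:
        return ipaddress.ip_address(claimed).compressed, True
    except ValueError:
        # Malformed header from the proxy: fall back to the peer rather than crash.
        return peer_ip, True


def should_serve(peer_ip):
    """Origin lockdown policy: refuse anything that did not arrive through the CDN."""
    return is_trusted_proxy(peer_ip)


# Constructed sample connections as (peer address, request headers).
SAMPLE_REQUESTS = [
    # Normal path: the CDN connects to the origin and forwards the visitor's address.
    ("192.0.2.10", {"CF-Connecting-IP": "198.51.100.9"}),
    # Bypass: the scanner found the origin's address and connects directly, spoofing
    # a forwarding header in the hope the app logs a harmless-looking address.
    ("203.0.113.7", {"CF-Connecting-IP": "10.0.0.1"}),
    # Bypass without any header at all.
    ("203.0.113.7", {}),
]


def audit(requests):
    """Summarise each connection: (peer, resolved client, via_cdn, served)."""
    return [
        (peer, *resolve_client(peer, headers), should_serve(peer))
        for peer, headers in requests
    ]


if __name__ == "__main__":
    for peer, client, via_cdn, served in audit(SAMPLE_REQUESTS):
        status = "served" if served else "REJECTED (direct-to-origin)"
        print(f"peer={peer:<14} client={client:<14} via_cdn={via_cdn!s:<5} {status}")
```

If the audit shows connections whose peer is outside the CDN ranges, the country and ASN rules at the edge are being sidestepped rather than spoofed, and the fix is to restrict the origin's firewall (or its listening address) to the CDN's ranges so that the only path to the application runs through the rules you configured.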


Cloudflare allows blocking by ASN; you could try adding a block for the source ASN.


If you know the IP address and it's the same one, just blacklist it...


I already did this - but it just seems a bit archaic given where technology is at in terms of what else could be done...



