High volume botnet attack

Since 21.5.2010, my CAPTCHA module denies some 4000 comment posting attempts per day, roughly one attempt every 20 seconds, because the answer to the challenge is empty. These attempts come from some 600 IP addresses, which I believe to be part of a botnet.

This site is just my personal drupal-playground, nothing of general interest: Before, I had something like 5 comment attempts per month…

This is not something that makes me lose sleep, legitimate comments are so rare on my site that I have just disabled comments altogether. Without comments active, these bots no longer clutter up my watchdog table, just the server log… Well, that’s what I thought, now they generate lots of “page not found” errrors ;-)

Anyway: I now configured my server to just give back HTTP ERROR 204 for these URIs, so that’s about it.

And just for fun some info gathered from the logs:
I looked at the server-log a litte more closely and I’m pretty sure the system info and user-agents are fake. There are all kinds of platforms attacking, Nokia and WinCE cellphones as well as Playstation and Wii, Windows, Linux and OS X, browsers include old Netscapes, Safari, Camino, Opera, Firefox, Epiphany, Minimo and lots of others. The statistical distribution is too even for those OS and Browsers not to be fake. And, just for fun, I also checked the geographical distribution of the IPs. Guess what: They’re from all over the world, ranging from Sweden to Taiwan, Russia, Brazil, Germany, and lots of others. Nevertheless, they are not evenly distributed, Comcast and Verizon stand out ;-)


Since this post, my site had evolved from drupal to wordpress. By the end of 2014, I considered that wordpress wasn't a good fit for my needs; it required more work + attention = time than I wanted to put in. So, being the nerd I am, I transitioned to pelican a static site generator.

Geschrieben von Jan Niggemann in Computer und Technik am 31.05.2010 , geändert am 08.01.2015