It all started on Monday: for the first 2 days we received 10 times the usual traffic, today it's x20 (and the day is still not over). And no, it's definitely not a sudden discovery spike, as basically all of those "additional" visitors only view the main page of the forum, with like half of those requests prematurely closing the connection (to make new requests faster).
Obviously banning the 700k IPs this attack comes from is not really an option, so for today I'll leave the extra protection measure in place, and if it's not over today, I'll probably add the extra protection measures for Brazil, Iraq, USA and Bangladesh (those will cover the major part of the attacking IPs, while all other countries will be back to normal).
After like 30 minutes, I decided to make custom rules for those 4 countries (less strict than the initial access challenge), and I'll monitor how often they fire and whether that is enough to block the attack; for everyone else it's back to normal (unless those rules turn out not to be enough). While this might not be as effective, this way I'll be able to configure a long-term solution, in case this attacker is as crazy as the previous one and lasts for years.
Seems like that wasn't enough; I've enabled slightly stricter rules for USA, Iraq and Brazil.
Looks like that is working fine. Bots aren't getting through; there's still a bit of extra traffic (humans or intelligent bots), but since it takes them time to make a connection, they can't spam it, thus not reaching their goal.
For now those will be the rules, I might adjust them after a few hours, after checking the newly collected connectivity data.
If you have any problems connecting to the forum - let me know in this thread or via email.
Chile received rules like Bangladesh.
Tried loosening the rule for USA (to the same level as Bangladesh and Chile), since it's the top 1 country our actual visitors come from, but unfortunately it didn't work out well, so it's back to stricter for now.
While it seems like our visitors don't get errors, some do get high latency, so in order to reduce the impact even further I've added India and Argentina (next on the attack list) to the Chile/Bangladesh rules.
P.S. Also FYI - the online counter doesn't represent the attack, since most of the connections never actually load - they're not counted; otherwise we wouldn't just break the visitors record - we would skyrocket it.
That said - some of those online visitors are a part of the attack, probably monitoring if we're down or something like that.
Added Turkey to the rules.
From the collected data it does seem like this is the same good old attacker, just with renewed forces.
Basically the attacks are synchronized and come in 2 waves: 1st wave - countries all over the world, 2nd wave - USA+China+Vietnam+Singapore. Some bots are old simple bots, some are more intelligent and require stricter rules to block them effectively. Basically I need to balance between inconveniencing you and allowing the bots to get through.
On the 5th day, the attacker modified the approach: now instead of simply bombarding the main page of our forum, ~1/3 of requests are crawling through the forum (likely AI training or shadow-copying; it also doesn't look like a prolonged strategy and we'll be back to full-on main page bombardment).
The amount of requests from USA has dropped significantly, but not completely, so I've loosened the rule for USA.
The main part of the attack has ended (possibly for the weekend, that would go well with the previous "sleep" time, basically executed by a paid manual worker); the attack from USA has continued, but in the old-style form and is synchronized (USA+China+Vietnam+Singapore).
I've changed the rules to the simplest for all countries mentioned in this thread.
Well, it seems like the attacker just slept a bit longer on Saturday and is back at it. Due to the distributed nature of the attacks, I've decided to go at it another way: I've come up with a rule set based on the attack patterns, instead of origin (IPs), and so far it works like a charm. I'll keep monitoring whether the country-based rules continue to get a lot of hits, and if they don't then I'll remove even the simplest rules for those countries. On the other hand - if you happen to use the same browsers and patterns used by the attacker... well, as I've mentioned from the start - there's no good way to mitigate this without someone noticing it.
I've removed the country-based rules introduced during this attack.
It seems like the attack has ended (it lasted 10 days in total), as the new rules made it completely useless - the attacker decided to stop wasting time/money/resources and went back to the old lazy attack pattern.
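The thread above describes two ways of picking which clients to challenge: by origin country, and later by the attack pattern itself (almost every request goes to the main page, and a large share of them are closed by the client before the response arrives). The script below is an added example, not the forum's own code or rules, that runs both kinds of rule over a few constructed access-log lines to show why the pattern-based rule has fewer false positives. It assumes an nginx-style log with a GeoIP country column added by the example, uses status 499 (nginx's "client closed request") as the marker for an aborted request, and the thresholds (`min_requests`, `main_share`, `abort_share`) are illustrative, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample access log: "ip country "METHOD path PROTO" status".
# Status 499 is nginx's code for a client that closed the connection before the
# response was sent. These lines are made up for the example, not real forum logs.
SAMPLE_LOG = """\
203.0.113.10 BR "GET / HTTP/1.1" 200
203.0.113.10 BR "GET / HTTP/1.1" 499
203.0.113.10 BR "GET / HTTP/1.1" 499
203.0.113.10 BR "GET / HTTP/1.1" 200
203.0.113.10 BR "GET / HTTP/1.1" 499
203.0.113.10 BR "GET / HTTP/1.1" 499
203.0.113.10 BR "GET / HTTP/1.1" 200
203.0.113.10 BR "GET / HTTP/1.1" 200
198.51.100.7 US "GET / HTTP/1.1" 499
198.51.100.7 US "GET / HTTP/1.1" 200
198.51.100.7 US "GET / HTTP/1.1" 499
198.51.100.7 US "GET / HTTP/1.1" 200
198.51.100.7 US "GET / HTTP/1.1" 499
198.51.100.7 US "GET / HTTP/1.1" 200
192.0.2.44 US "GET / HTTP/1.1" 200
192.0.2.44 US "GET /viewforum.php?f=3 HTTP/1.1" 200
192.0.2.44 US "GET /viewtopic.php?t=12 HTTP/1.1" 200
192.0.2.44 US "GET /viewtopic.php?t=15 HTTP/1.1" 200
192.0.2.44 US "GET /search.php?q=rules HTTP/1.1" 200
198.51.100.99 IQ "GET / HTTP/1.1" 200
198.51.100.99 IQ "GET / HTTP/1.1" 499
198.51.100.99 IQ "GET / HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')
MAIN_PAGE = {"/", "/index.php"}  # assumed paths of the forum's main page


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, country, method, path, status = m.groups()
    return {"ip": ip, "country": country, "method": method,
            "path": path.split("?")[0], "status": int(status)}


def profile_clients(log_text):
    """Aggregate per-IP counters: total hits, main-page hits, client-aborted hits."""
    profiles = defaultdict(lambda: {"country": None, "total": 0, "main": 0, "aborted": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = profiles[rec["ip"]]
        p["country"] = rec["country"]
        p["total"] += 1
        if rec["path"] in MAIN_PAGE:
            p["main"] += 1
        if rec["status"] == 499:
            p["aborted"] += 1
    return dict(profiles)


def flag_by_country(profiles, countries):
    """Origin-based rule: every client from the listed countries gets challenged."""
    return {ip for ip, p in profiles.items() if p["country"] in countries}


def flag_by_pattern(profiles, min_requests=5, main_share=0.9, abort_share=0.4):
    """Behaviour-based rule: enough requests, almost all to the main page, and a
    large share of them closed by the client before the response was delivered."""
    flagged = set()
    for ip, p in profiles.items():
        if p["total"] < min_requests:
            continue  # too little data to judge; a normal visitor stays unchallenged
        if p["main"] / p["total"] >= main_share and p["aborted"] / p["total"] >= abort_share:
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    prof = profile_clients(SAMPLE_LOG)
    print("country rule:", sorted(flag_by_country(prof, {"US", "BR", "IQ"})))
    print("pattern rule:", sorted(flag_by_pattern(prof)))
```

Run as-is, the country rule challenges all four sample clients, including the ordinary US visitor browsing threads, while the pattern rule picks out only the two main-page hammerers, whatever country they come from. The client with only three requests is left alone on purpose: a behavioural rule needs a minimum sample before it fires, otherwise a visitor who refreshes the front page twice would be treated like a bot.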