Am I under (DOS) attack?

Hello guys,

Today I tried to visit my site and found it offline. I quickly checked my error pages and saw that my database (1 GB allocated) was full. First thing I did was expand the allocated DB size in Smarterasp to 2GB.

I came back to check on the database size literally 5 minutes later and found it grew 40mb in size!

I checked the tables and saw tremendous amounts of guest users. Up to 10 guest users created every second for the past few days.

In the error logs I see the follwing:
Error sending e-mail. Failure sending mail.

This also up to 10 times every second.

Am I right to assume I'm under attack?
What to do?

Kind regards,
Jef

Same problem here, I just posted about it. Also smarterasp.


Kenny

Hi,

Check Maintenance and Schedule Task for Deleting Guests.

Also look into DB, on what tables are utilizing most space. That should give us some hint on what is exactly happening.

Share what you find.

Regards,
Krunal

nopAccelerate

I looked into my database.

The following tables are using the most space:

Customer            116541 rows
Customer_Customer   116551 rows
GenericAttribute    118918 rows
Log                 240255 rows

Deleting my guest users for the current day and clearing the log, decreased the database size to 500 Mb which is normal.

Kind regards,
Jef

Hi Jef,

Thank you for sharing these details.

Keep monitoring to understand the issue.

And I guess, you already enabled the scheduled task to delete guest customers. You should also check traffic from google analytics to see if these are real users or crawlers or something else!

Regards,

Krunal

Hello,

I can't find any anomalies in Google Analytics.

I also receive 503 frequently when trying to do something like opening an article.

BrickHunters wrote:


Try to find out if these are search engine crawlers? Check if there are only handful of IPs who are frequently trying to fetch your pages?

Check if you get any related error into the logs? You can also look for errors in windows logs to see what caused these errors.

Hello,

I checked the IIS Raw logs on SmarterASP. Good call.

I see a bunch of this:

2017-10-02 23:57:30 POST /productemailafriend/2816 - 114.103.92.19 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:54.0)+Gecko/20100101+Firefox/54.0 https://www.brickhunters.be/be/productemailafriend/2816 200 29572 1918
2017-10-02 23:57:30 POST /productemailafriend/2816 - 49.81.50.225 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:54.0)+Gecko/20100101+Firefox/54.0 https://www.brickhunters.be/be/productemailafriend/2816 200 29572 2720
2017-10-02 23:57:30 POST /productemailafriend/2816 - 103.240.182.49 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:54.0)+Gecko/20100101+Firefox/54.0 https://www.brickhunters.be/be/productemailafriend/2816 200 29572 1869
2017-10-02 23:57:30 POST /productemailafriend/2816 - 114.235.153.158 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:54.0)+Gecko/20100101+Firefox/54.0 https://www.brickhunters.be/be/productemailafriend/2816 200 29572 2469
2017-10-02 23:57:30 POST /productemailafriend/2816 - 183.160.73.42 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:54.0)+Gecko/20100101+Firefox/54.0 https://www.brickhunters.be/be/productemailafriend/2816 200 29572 1868
2017-10-02 23:57:30 POST /productemailafriend/2816 - 114.235.153.13 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:54.0)+Gecko/20100101+Firefox/54.0 https://www.brickhunters.be/be/productemailafriend/2816 200 29572 1921
2017-10-02 23:57:30 POST /productemailafriend/2816 - 114.234.144.118 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:54.0)+Gecko/20100101+Firefox/54.0 https://www.brickhunters.be/be/productemailafriend/2816 200 29572 1956

This is a ridiculous amount.

Seems like an automated requests from multiple IPs. Do you allow email a friend for guest users?

I guess so.

Do you think disabling it would help any further? If so, how can I do that?