Support » Plugin: Wordfence Security - Firewall & Malware Scan » DDOS attack accessing image

  • Resolved kwdavids

    (@kwdavids)


    I ran out of bandwidth on my WordPress site because of what I understand to be a DDOS attack. I don’t think WordFence is going to be able to help with this, but I have questions.

    The attack presents itself as an HTTP access to a 2 MB image that’s under my site’s uploads, and one that is linked to (not displayed) on all my site’s pages. I have seen in the last 2 weeks 316,243 accesses to this image, and all of them had the same referring page:

    http://wizardly-thompson-0b0917.bitballoon.com/

    There were 4,229 different IP addresses accessing the page. The largest number of access from one IP address was over 17,000, but some of them were in the 30’s.

    When I look at the WordFence Live Traffic, I don’t see any of this because it only lists pages, not files. I tried using the WordFence Advanced Blocking to block “*bitballoon*” but WordFence is not counting any blocks.

    For now, I’ve just renamed the file.

    So my main question is whether there is any way in WordFence to respond to DDOS attacks directed at files rather than pages.

    And if there isn’t, could someone knowledgeable tell me what I might put in the .htaccess file to block this referrer.

    Thanks for your attention.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Your first step, after deleting file that gets the traffic, would be to place that file URL in Wordfence/Options/Immediately-Block-URLS… be sure your blocking duration time is set to something significant, I use 48 hours.

    You could also block the file in .htaccess, which can result in less server load than waiting till Wordfence does the block, but on the other hand only returns a server error to the attacker rather than creating a block against future attacks from that same IP number, which is the advantage of Wordfence.

    Another step would be to look for commonalities in the IP numbers, if any come from blocks (ranges) of IP numbers, quickly put some IP blocks of those in your .htaccess file using IP ranges.

    Another commonality might be IP numbers coming from certain countries. In that case I can’t overstate how useful country blocking is. If you don’t particularly need traffic from hacker haven countries, for example, Ukraine, shut it down.

    You can also tune Wordfence blocking to trigger due to frequency of hits from one IP, but that might not be useful with your DDOS if the attacks are coming from entirely different IP numbers.

    For the .htaccess specifics, just google around, tens of thousands of websites are out there with .htaccess tips and techniques. For example, I found the following in about ten seconds: http://www.htaccess-guide.com/deny-visitors-by-referrer/

    Lastly or firstly, it’s possibly useful to get help from your website hosting company, though one does tend to get what one pays for when it comes to hosting.

    MTN

    • This reply was modified 1 year, 10 months ago by mountainguy2.

    Hi @kwdavids
    This sounds like a typical image hotlinking problem, there are many ways to prevent such a problem but they might not be 100% working though as there will be a workaround from the one who is hotlinking your image. Check some of these solutions here.

    Renaming the image file is a good start, also I highly recommend getting in contact with “bitballoon” hosting provider as they are the company hosting this website, they should be able to take some effective actions to this problem.

    Thanks.

    Thanks for the suggestions:

    My initial problem was that I was running out of bandwidth and didn’t know why. WordFence real time traffic showed nothing. I then tried an old access log analysis tool I had written and it showed nothing either. Only after I went into the code did I find that it was excluding .jpg files. Once I fixed that, I found out what was really happening. Once I knew what was going on:

    1) I did rename the file first thing.
    2) Unless I missed something, I don’t think WordFence ever sees accesses to .jpg files, so it can’t count the number of accesses to block them.
    3) There was no country pattern. I looked at the top 3 IP addresses, each with more than 15,000 accesses. The top one was from Oregon, #2 was from Brazil and #3 from India.
    4) I contacted my web hosting company, VPS.NET. They were unwilling to help me set up an .htaccess file or block my long list of IP addresses. All they were willing to do was charge me lots of money for more bandwidth. I have since canceled my account there.
    5) I totally stumbled upon an option in cPanel to block hotlinking altogether. I had found an article to block by referrer with .htaccess, but what I came up with didn’t work.
    6) I contacted Bitballoon, and they never replied back. But I can’t really blame them. All they are doing is hosting a web page with a lot of pictures on it. It’s those thousands of computers accessing the page that are the problem.

    In any case, I have moved to a new host, one that happens to give me unlimited bandwidth. They have a dashboard option to block hotlinking, which I have implemented. Things appear stable at the moment.

    • This reply was modified 1 year, 10 months ago by kwdavids.
Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘DDOS attack accessing image’ is closed to new replies.