  1. #1
    Join Date
    Sep 2011
    Posts
    6

    Over the limit - Under Attack

    Hi.

    I hope that someone can help me with this as I do not know how to proceed anymore on this one.

    I bought a cPanel Linux Copper package last September with a 2000mb bandwidth limit. I uploaded an index file together with some graphics; the total size of the page is only a few kb. My maximum bandwidth usage until January 2012 was only 138.87mb, most of the months much less than that. My website is not 'active' yet, I use the service for a few emails a month mostly.

    Everything was ok until 3rd of January when I received an email that the website has reached 80% of its bandwidth limit (1697.63/2000.00 Megs). I checked the logs and saw that the site is under some kind of an automated robot attack. Shortly after that I received another email saying that the site is suspended and it cannot be accessed anymore.

    I contacted support through online chat and after 2 hours of explaining was told to send a ticket to the support as the gentleman was not able to help me. I did this (#MPW-783-21584). The support team replied that the site was indeed under attack and that they need to close it down (or rather they informed me that they closed it down). I was not really happy about this but (I guess) there was nothing I could do about this. Although the site was down and not accessible the accumulated traffic reached almost 9gb! I do not know how this is possible. I noticed that my limit was raised to 10gb (I did not request this). After a few emails back and forth, my account was un-suspended on 6th January 2012 and I was informed that the attack is over. The ticket was closed on 8th January 2012.

    On 9th January 2012 (a day later) I received an automated email again that my site (yet again) has reached its bandwidth limit (10051.42/10000.00 Megs). The site was suspended (again) and not accessible. I contacted the support again (#OMY-995-87900). Almost 20 hours later I received an answer saying that I am using all of my allocated bandwidth and that I will need to upgrade to a higher package. I was advised that the site was under attack and that some IP were blocked. The accumulated traffic through the attack was around 12.7gb. My bandwidth limit was raised by another 700mb and I was made aware of the fact that I will need to transfer to a higher package if the bandwidth is exceeded again. I wrote back that this is not acceptable and that this is not addressing the issue. A response came back, similar in wording to the first one, that I will need to transfer to a higher pack to accommodate my usage of bandwidth. I should also check the logs and so on, but no help was considered or offered.

    I do not know what to do now. I kind of feel left alone with this as clearly the site is not causing any genuine traffic (besides the regular 100 something mb per month) and the support is quite unhelpful. I have other website with eukhost (and elsewhere) and never in my life have I come across such a problem.

    I would appreciate it if someone could help me out as it seems that I cannot expect any help from the support.

    Thank you.

    Marian

    P.S: sorry for the long read.

  2. #2
    Join Date
    Aug 2009
    Posts
    239

    Thumbs up

    Quote Originally Posted by mari21 View Post
    Hi.

    I do not know what to do now. I kind of feel left alone with this as clearly the site is not causing any genuine traffic (besides the regular 100 something mb per month) and the support is quite unhelpful. I have other website with eukhost (and elsewhere) and never in my life have I come across such a problem.

    I would appreciate it if someone could help me out as it seems that I cannot expect any help from the support.

    Dear Marian.

    We can understand your frustration and apologize for the inconvenience caused to you, but do not agree with all your statements. From our level I support technicians to level 3 administrator, we have looked into your issue. All the logs and statistic details are provided in the same tickets so you could be aware of the exact issue. Also we have kept you updated about the status and suggested an alternative way to get your website running.

    As per the resources limit, your domain is allowed 200 MB Bandwidth but more than 10 GB was crossed due to this HTTP attack. Therefore we had added the same limit to your domain and were checking the source of attack. Even after banning a few IPs, the attack was going on, so we had to disable some folders and suspend your account to avoid performance issues as this site is hosted on the shared server.

    I'm still going through the tickets and checking the logs thoroughly.
    I will update you in the ticket OMY-995-87900, once further investigation is done.


    Regards,
    Kieran A.

  3. #3
    Join Date
    Sep 2011
    Posts
    6

    Default

    Quote Originally Posted by Kieran View Post
    Dear Marian.

    We can understand your frustration and apologize for the inconvenience caused to you, but do not agree with all your statements. From our level I support technicians to level 3 administrator, we have looked into your issue. All the logs and statistic details are provided in the same tickets so you could be aware of the exact issue. Also we have kept you updated about the status and suggested an alternative way to get your website running.

    As per the resources limit, your domain is allowed 200 MB Bandwidth but more than 10 GB was crossed due to this HTTP attack. Therefore we had added the same limit to your domain and were checking the source of attack. Even after banning a few IPs, the attack was going on, so we had to disable some folders and suspend your account to avoid performance issues as this site is hosted on the shared server.

    I'm still going through the tickets and checking the logs thoroughly.
    I will update you in the ticket OMY-995-87900, once further investigation is done.


    Regards,
    Kieran A.

    Thank you for your reply but I have to strongly disagree.

    What alternative way to get the website running are you referring to? I did not get any help or suggestion regarding the issue of bringing back my websites online (unless I missed something). Plus, I did not use the 10+gb on traffic, as you are correctly saying it is an attack. Also I am clearly punished (go and upgrade to a higher package) for the bandwidth usage although the support is admitting that this is not genuine traffic caused through my website (aka me) rather than it is an attack. I was told that it is all fine just to find out that the website is suspended a day later. Again, the website was suspended for days hence the site could not have caused all the traffic (bandwidth). Btw, I only received updates on the ticket AFTER I contacted the support again and asked about the issue. This is far away from my understanding of being informed.

    Anyway, it would be nice if this could be resolved in my favour with a permanent solution rather than just raising the bandwidth limit. This will bring me back to the same problem just a few hours/days later and I can submit another ticket and start explaining again. As this is a security issue (attack) I just do not see how I can change something about it and the replies (emails) from the support are utterly useless as they suggest to monitor my site (log files) and upgrade to a higher bandwidth level.

    Thank you again for your time.

  4. #4
    Join Date
    Aug 2009
    Posts
    239

    Thumbs up

    Dear Marian.

    The ticket OMY-995-87900 has been replied to. Please check it once and let me know if you still have any doubt in this regard.

  5. #5
    Join Date
    Sep 2011
    Posts
    6

    Default

    Dear Kieran

    Thank you for your help and reply. Although I am glad that the website (and more importantly the email service) is accessible again (thanks to the increased bandwidth limit) I still am concerned that this issue is not resolved. Blocking of IP’s might help in short term but if there is another attack on my site tomorrow from a different IP I will be (yet again) facing the same issue and can start explaining to one of your colleagues what is happening again. If someone from the support ever again suggests to me that I need to upgrade to a higher bandwidth package I just might lose it.

    As the statistics (I saw them in my Cpanel as well) are clearly showing, the attacks are from different IP addresses and just like I emphasised many times not a genuine traffic caused through my sites or site visitors. I have a few questions regarding this issue:

    - Is there a possibility to stop suspicious behaviour more efficiently? When there are HTTP requests from an IP hundreds of times during one minute cannot those be blocked automatically and be recognized as a threat?
    - Cannot any suspicious behaviour (e.g. automated robots etc.) be blocked?
    - As I am only conducting business in the UK is it possible to block any (even genuine) traffic from outside the UK? Is it possible to restrict access to the site only for UK IP’s to limit any foreign threat? Could this be applied to my website (at least for a couple of weeks)?

    I am thankful for your help but I do not believe that by simply increasing the bandwidth limit and blocking certain IP’s this issue will be resolved. If you have any suggestions how to address this issue I would appreciate any further help.

    Regards,
    Marian

  6. #6
    Join Date
    Aug 2009
    Posts
    239

    Thumbs up

    Dear Marian.

    You're most welcome.

    As mentioned in the ticket, we have been monitoring your account on top priority.
    The BadBots and some proxy ranges are already blocked in the .htaccess file so it should not happen again.

    Quote Originally Posted by mari21 View Post
    - Is there a possibility to stop suspicious behavior more efficiently? When there are HTTP requests from an IP hundreds of times during one minute cannot those be blocked automatically and be recognized as a threat?

    Yes, there is an option in the firewall to block IPs automatically if found with multiple simultaneous connections for FTP, HTTP and POP/IMAP services.
    There were various IPs with limited connections, hence the firewall could not manage the attack automatically.

    Quote Originally Posted by mari21 View Post
    - Cannot any suspicious behaviour (e.g. automated robots etc.) be blocked?

    There is no automated way to do this. We have to allow/block robots using robots.txt and .htaccess files.

    Quote Originally Posted by mari21 View Post
    - As I am only conducting business in the UK is it possible to block any (even genuine) traffic from outside the UK? Is it possible to restrict access to the site only for UK IP’s to limit any foreign threat? Could this be applied to my website (at least for a couple of weeks)?

    Yes, it's possible to restrict access for specific countries by adding IP ranges in .htaccess files.
    Please refer to the following site to know countrywide IP ranges.

    Country IP Blocks? .htaccess deny format

    Quote Originally Posted by mari21 View Post
    I am thankful for your help but I do not believe that by simply increasing the bandwidth limit and blocking certain IP’s this issue will be resolved. If you have any suggestions how to address this issue I would appreciate any further help.

    As we have blocked BadBots and some IPs, HTTP traffic should be under control now. If you believe that your genuine visitors are not from outside the UK then access restriction using .htaccess will be the best resolution. Please let us know if you still have any query in this regard.
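
The reply above notes that the firewall's per-IP connection limit did not trigger because the traffic came from many IPs with few connections each. The following is an added example, not part of the thread and not eUKhost's tooling: it sums bytes from an access log per IP, per network prefix and per user agent, so a spread-out source shows up even when no single IP stands out. It assumes Apache "combined" log format; the sample lines, the 2,000,000-byte budget and all function names are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache "combined" log format: client, identd, user, [time], "request",
# status, bytes sent, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} (?P<size>\d+|-) '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def traffic_by_key(lines):
    """Sum bytes sent per client IP, per network prefix and per user agent."""
    by_ip, by_net, by_agent = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        size = 0 if m["size"] == "-" else int(m["size"])
        by_ip[m["ip"]] += size
        by_agent[m["agent"]] += size
        try:
            # Group IPv4 clients by /24 and IPv6 clients by /48.
            prefix = 24 if ip_address(m["ip"]).version == 4 else 48
            net = ip_network(f'{m["ip"]}/{prefix}', strict=False)
            by_net[str(net)] += size
        except ValueError:
            pass  # client logged as a hostname, no prefix to group by
    return by_ip, by_net, by_agent

def over_budget(totals, budget_bytes):
    """Keys whose total bytes exceed the budget, sorted for stable output."""
    return sorted(k for k, v in totals.items() if v > budget_bytes)

def make_line(ip, size, agent):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [09/Jan/2012:10:00:00 +0000] "GET / HTTP/1.1" '
            f'200 {size} "-" "{agent}"')

# Constructed sample: four clients in one documentation range, three large
# responses each, plus one ordinary visitor with two small responses.
SAMPLE = [make_line(f"203.0.113.{h}", 400_000, "ExampleBot/1.0")
          for h in (10, 20, 30, 40) for _ in range(3)]
SAMPLE += [make_line("198.51.100.7", 5_000, "Mozilla/5.0")] * 2

if __name__ == "__main__":
    BUDGET = 2_000_000  # assumed per-key byte budget for the sample
    for name, totals in zip(("ip", "net", "agent"), traffic_by_key(SAMPLE)):
        print(name, over_budget(totals, BUDGET))
```

On the sample, no single IP exceeds the budget, while the shared /24 and the shared user agent both do; those are the keys a `.htaccess` deny rule or a bad-bot rule would then target.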

  7. #7
    Join Date
    Sep 2011
    Posts
    6

    Default

    Thank you for your help Kieran.

    I am monitoring the site as well and hope that the restrictions you put in place will prevent any further attacks.

    At the moment I am still waiting with the .htaccess file modification in regards of blocking the traffic outside the UK. If the measures in place will not help I will try this modification as the last resort.

    Once again, thank you for your quick support and help.

    Kind Regards,
    Marian

  8. #8
    Join Date
    Jan 2007
    Location
    United Kingdom
    Posts
    3,011

    Default

    Quote Originally Posted by mari21 View Post
    Thank you for your help Kieran.

    I am monitoring the site as well and hope that the restrictions you put in place will prevent any further attacks.

    At the moment I am still waiting with the .htaccess file modification in regards of blocking the traffic outside the UK. If the measures in place will not help I will try this modification as the last resort.

    Once again, thank you for your quick support and help.

    Kind Regards,
    Marian

    I am pleased to hear that everything should be sorted for you now. I am sorry that you had faced this issue but it is inevitable these sorts of activities will occur with folks wanting to gain unauthorised access to servers and accounts and/or cause server outages or other problems by attacking servers or particular websites with a large volume of non-genuine traffic. You are most welcome to contact us if you require any further assistance from us.

    Best regards,
    Ben.

  9. #9
    Join Date
    Sep 2011
    Posts
    6

    Default

    Thank you Ben and once again thank you Kieran.

    Those things (like the attack) happen and are beyond our control. I am glad that after all someone, Kieran, could effectively help me to solve the problem.

    I hope (fingers crossed) that this issue is now under control.

    Kind Regards,
    Marian

  10. #10
    Join Date
    Aug 2009
    Posts
    239

    Thumbs up

    Dear Marian.

    You're most

    Yes, I can see the bandwidth usage is under control now.
    So let's assume that the issue is fixed now!


    - Kieran
