Bandwidth soaring though traffic dropping - bots to blame?

Discussion in 'TechTalk' started by zarathustra, Jun 11, 2012.

  1. zarathustra

    zarathustra Perch

    Could be in for an expensive month. I nearly always stay below the bandwidth threshold for my current plan, so I was surprised to see myself soar more than 30% over, despite my visitor numbers having dropped a little on previous months.
    I eventually downloaded one of my logs (130mb, which my poor old Internet connection struggles with), trying to ascertain if somebody was stealing the bandwidth, but it seems the Yandex bot may be to blame. I've added it to my robots exclusion list, though I've read elsewhere that others have found it has bypassed theirs. The website affected is on a Windows plan, so I can't use htaccess to block an IP (forgive me if I'm wrong, I'm not that technically minded). If the problems continue, are there other ways I can keep aggressive bots at bay?
  2. zarathustra

    zarathustra Perch

    Just a quick update to say Jodohost's customer service have been very helpful, and I've now also blocked the IP from within my control panel.
  3. Stephen

    Stephen US Operations Staff Member

    If you have any bandwidth overages, let me know. We will handle it, as long as not extreme over :D
  4. zarathustra

    zarathustra Perch

    Hi Stephen,
    Please can you be kind enough to help me with a very similar problem. I have a website that has very few visitors a day (perhaps 50 at most), but my bandwidth usage has just gone through the roof. I downloaded a log, and my images are being accessed every few seconds throughout the day. The IPs are all unique, coming from the Middle East, Russia, Mexico, Turkey and China - these are not genuine visitors. I don't know how to block such an attack where the IP keeps changing, but if it continues like this I will have to pull my website off completely as I won't be able to afford to pay for the additional bandwidth if it continues like this!
    Thank you for any assistance you can provide.
  5. zarathustra

    zarathustra Perch

    Yesterday I had 27 unique visitors to my site. I checked my log file which is now huge, and the images on my site are being hit almost every second of the entire day, relentlessly. The IP addresses are almost all unique, so I've been trying to compile a massive list to import into the Web Access Control section, but it's proving very difficult. I've got about 1000 unique IPs in there now, but I fear whoever is behind this has many more IPs to use, including many I have missed, and I might possibly end up blocking some legitimate IPs too, though I have tried to be careful. It's turning into a bit of a nightmare, and I've spent my whole morning on it.
  6. Stephen

    Stephen US Operations Staff Member

    1. Bandwidth we can work with you on for large transfer fees etc, let us know before the bill hits and even easier.
    2. This is on 2003 server or a linux/2008?


    Are the hits possibly from someone hotlinking your images to their site, not legit visits to your site, but like forum posts that embed your image?
  7. zarathustra

    zarathustra Perch

    Hi Stephen, thanks for the reply. There's no sign that they're hotlinked. Unfortunately I'm on Windows, otherwise I would have used htaccess to prevent other sites from hotlinking.
    If I can't find a solution before I start paying for each additional gigabyte, I think I am going to have to pull the website completely, which would be very sad as it was written with a lot of passion and has been around for years. Really don't know what else I can do to protect myself against this.
  8. zarathustra

    zarathustra Perch

    Despite blocking all these hundreds of IPs my bandwidth usage has soared since this morning. I dread to think what it might be tomorrow morning. I did write to support over 12 hours ago, but haven't received any response yet. I fear I will have to pull my website completely when I wake up in the morning. In the meantime I've just renamed my image folder (which means no images display at all on the site) in the hope it will stop the attack. It's not a good solution. :(
  9. Stephen

    Stephen US Operations Staff Member

    No, you won't have to do that. We'll help you here to either get it stopped or help block, or remove overage charges, since you've made a very valiant effort to monitor and watch it, and it is not bringing you usable traffic/monetized etc.

    You can do blocking and rules on Windows 2008 as well; that is why I asked if on 2003 or 2008.
    It may be worth moving you over to 2008 for that reason if you aren't already on it.
  10. zarathustra

    zarathustra Perch

    Hi Stephen, thanks for the reassurances. I'm a little nervous about putting things back until there's a solution at hand. I've been with Jodohost for many, many years now, so I assume it's Windows 2003, but I'm not entirely sure where it shows the server info? On my reseller account it simply shows a "Windows I" plan. If it can be updated and 2008 allows for better means in which to stop the bad traffic that would be great - if it's easier to do on Linux I assume I need to create a new account through the reseller account, sort out the name servers, and remove them from the existing windows account, then wait a day or two?
    Unfortunately it's getting late here, so I won't be able to check my messages until the morning. Thank you again for your assistance. My sites have been attacked once or twice in the past, but I've had nothing like this before now.
  11. Stephen

    Stephen US Operations Staff Member

    Really weird here: over 42000 unique IPs, none of them with over 92MB of data alone, so large transfer, but not one with a 'huge' amount of transfer to make it easy to stop this. Even on htaccess I don't know how you would go about it; they seem to actually be browsing pages of the site, but 'not really', because one came back 105 times spread over a long period like it was refreshing the same page, but in longish intervals.
    But on the other hand, looking at the referrals, they are widespread and from legit sites, search engines, and forums about the same subject.
    With 42000, and from all over the world (many in Europe, but also many in South America), I am not sure it would even be possible to block them. I was looking for maybe a top 100 bandwidth suckers to kill the main usage, but that just isn't there.
  12. Atul

    Atul Administrator Staff Member

    Please contact Customer Service regarding bandwidth charges. We will help you out as much as possible.
  13. zarathustra

    zarathustra Perch

    I will check my log file shortly (slow internet, so takes ages to download given its size), have just gotten up. I was hoping renaming the images folder temporarily would stop all the tiny files from being constantly downloaded. I'm assuming you were able to see some of the logs for my Paris themed site? The maximum number of visitors are 50 a day, but usually, it's around 30 uniques. There's a couple of small blogs that have used my images, but they are just small time sites and can't possibly account for what is happening. I spent yesterday morning, just trying to register around 800 unique IPs (which only covers a tiny portion of the log file) - I've no idea how to add 42,000, and even if I could, I imagine new IPs would keep appearing.
    If you're not able to propose a solution, I'm at a complete loss. Sadly I might have to remove my site, but many of my sites are my sole means of living, and if they get hit in the same way, it would ruin me. :(
  14. zarathustra

    zarathustra Perch

    Thanks Atul, I did contact customer services nearly 22 hours ago, and again 12 hours ago asking for their kind and immediate attention in light of what is happening, but I haven't had any response to my latest pleas for help. My ticket number is RS #BDF-48833-584. I came here because I could see somebody else had a thread on a similar nature, and that Stephen was being kind enough to respond. I'm desperate to sort this problem out a.s.a.p.
  15. Atul

    Atul Administrator Staff Member

    We are investigating. This seems to be a known exploit in one of the applications you have installed.
  16. zarathustra

    zarathustra Perch

    Thanks Atul. There was the suggestion it might be connected to WordPress, but all the images that are targeted in the log files are only used on my main website, and have no connection at all with the WordPress blog, which is just a smaller part of the site as a whole. I did update WP yesterday morning, and following the link you kindly provided, I have renamed the xmlrpc.php file. Currently my images folder is renamed too, which I hope will temporarily stop the influx of hits, but it's not a good solution!
    If it persists, do you think it would help to switch to Linux, use htaccess, hide my renamed images folder with robots.txt and edit all my pages so the pictures point to the new images folder? I'm at a loss as to what more I can do.
  17. zarathustra

    zarathustra Perch

    It seems to be the same 32 images that are hit constantly (these do not appear on WordPress), so I am putting back the other images and am refraining from putting back the 32 that are constantly hit for the moment. Log files are still huge, and are showing the same images being requested from these thousands of IPs, however the images are not there for them to take, so I hope that reduces the bandwidth usage.
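
Added example, not part of any post in this thread and not Jodohost's tooling: a log summary that measures what the posts above describe, namely how much of the transfer the top client IPs account for compared with the top requested files, and how the bytes split by referer. It assumes W3C extended logs with `sc-bytes` and `cs(Referer)` being logged; the sample lines, addresses and the host `www.example.com` are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in W3C extended log format (not taken from the thread's logs).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs(Referer) sc-status sc-bytes
2012-06-11 00:00:01 192.0.2.10 GET /images/a.jpg http://forum.example.org/thread/1 200 40000
2012-06-11 00:00:02 192.0.2.11 GET /images/a.jpg http://forum.example.org/thread/1 200 40000
2012-06-11 00:00:03 198.51.100.5 GET /images/b.jpg http://blog.example.net/post 200 30000
2012-06-11 00:00:04 198.51.100.6 GET /images/b.jpg - 200 30000
2012-06-11 00:00:05 203.0.113.9 GET /images/a.jpg http://forum.example.org/thread/1 200 40000
2012-06-11 00:00:06 203.0.113.20 GET /index.htm - 200 5000
2012-06-11 00:00:07 203.0.113.20 GET /images/c.jpg http://www.example.com/index.htm 200 15000
"""

def parse_w3c(text):
    """Yield one dict per request; column names come from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            yield dict(zip(fields, line.split()))

def summarize(text, site_host, top_n=2):
    """Total bytes sent, grouped by client IP, requested file and referer class."""
    by_ip, by_uri, by_ref = Counter(), Counter(), Counter()
    for row in parse_w3c(text):
        sent = int(row["sc-bytes"]) if row["sc-bytes"].isdigit() else 0
        by_ip[row["c-ip"]] += sent
        by_uri[row["cs-uri-stem"].lower()] += sent
        host = urlsplit(row["cs(Referer)"]).hostname  # None when the field is "-"
        by_ref["none" if host is None else "own" if host == site_host else "external"] += sent
    total = sum(by_ip.values())

    def top_share(counter):
        # Fraction of all bytes that blocking the top_n entries would stop.
        return sum(v for _, v in counter.most_common(top_n)) / total if total else 0.0

    return {"total_bytes": total, "unique_ips": len(by_ip),
            "top_ip_share": top_share(by_ip), "top_uri_share": top_share(by_uri),
            "top_uris": by_uri.most_common(top_n), "by_referer": dict(by_ref)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "www.example.com").items():
        print(f"{key}: {value}")
```

A low `top_ip_share` next to a high `top_uri_share` is the pattern in this thread: an IP block list cannot keep up, while a rule keyed on the handful of files or on the external referer covers most of the transfer.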
