100 million attacks
In April 2015, after months of preliminary testing, Webiron initiated a pilot to confirm that our web server security solution was effective and industry-changing. The results were nothing short of amazing. We were able to detect, block and prevent automated bot and malware attacks as they happened. On a typical cPanel-managed private shared hosting server with only 19 sites on average, it took just 6 months to detect and block 100 million automated attacks!
The server was running CentOS 6 on a bare-metal machine with a single quad-core Intel CPU. Prior to Webiron being installed, the client had server stability issues due to persistent attacks and had to disable several domains, one of which was the client’s own business site. After the Webiron install, all sites were put back online safely.
This server hosts a broad array of sites commonly found in hosting environments, and none of them receives more than a hundred genuine visitors daily: a local limo service, an unmaintained URL shortener, a few WordPress sites, a couple of online shops, and some membership sites. Some of the sites were behind popular CDN-based protection services.
6 month results – A success!
- Results were seen right away as server health went from perpetual crashing to nearly idle within about 10 minutes of initial install.
- Load averages dropped to the range where this server’s load should be, and average RAM usage dropped by 68%.
- Our inline and post-processing methods were successful in stopping all but 2 direct threats against our test server and sites.
- Consistent with our goal, there were no false positives other than those caused by bugs or misconfiguration.
- Finally, we experienced a 73% reduction in overall attacks against the server after the first 30 days.
- All of our new clients since our pilot launch have enjoyed similar results and were able to return problem sites previously taken down due to attack without issue.
Most attacks were network based (roughly 93%) and attempted to use UDP-based services such as DNS and NTP to launch larger attacks against other targets. Webiron made this server immune to harming others by detecting this type of traffic and ignoring all packets from known problem IPs. In reviewing our data, we determined that more than 99.99% of all recorded attacks were completely automated, confirming that bots are opportunistic and only care about sites that fit the bot’s vulnerability list.
We noticed that attacks fell into three basic categories and varied with website content.
- Membership sites were mostly hit by brute-force attacks against member accounts, use of shared account credentials, or duplication of membership content.
- WordPress and other CMS sites saw attempts to guess site logins, inject malware, mine intel/data from APIs, run vulnerability scans, or spam comments.
- Shopping cart sites were targeted by data mining (possibly a competitor gathering pricing intelligence) or by vulnerability scans hoping to gain access to customer data.
Regardless of the sites that were being run, Webiron was able to detect and block all of the attacks within seconds.
Daily average statistics among all WordPress sites
- Malware install attempts – ~8.5
- Password brute force attempts – ~5,750
- Scans looking for existing malware – ~830
- Comment spam attempts – ~260
- Provider abuse reports sent – ~2,300
- Attacks directly against support APIs – ~2,450
- Unique bot signatures (aka botnets) blocked for attacks – ~17
- Unique IPs blocked for attacks – ~6,800
Notably, a site may see little to no attacks one day and then tens of thousands the next. The only identifiable marker that made a site more popular with attackers was simply how long it had been running WordPress. This suggests that target lists are traded or pooled among botnet operators.
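To make the categories in these statistics concrete, here is an added example (not Webiron's code) that classifies constructed Apache access-log lines into the WordPress attack categories above and counts hits and distinct source IPs, the same shape as the daily figures. The matching rules on wp-login.php, xmlrpc.php, wp-comments-post.php and upload paths are assumptions, since the page does not publish Webiron's own signatures.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not from the page).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2015:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2015:03:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 210 "-" "python-requests/2.7"
198.51.100.7 - - [12/Oct/2015:03:15:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "python-requests/2.7"
192.0.2.55 - - [12/Oct/2015:03:16:40 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 404 0 "-" "curl/7.43"
192.0.2.55 - - [12/Oct/2015:03:16:41 +0000] "POST /wp-content/plugins/x/upload.php HTTP/1.1" 404 0 "-" "curl/7.43"
203.0.113.99 - - [12/Oct/2015:03:20:00 +0000] "GET /?p=12 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Matching rules approximating the report's categories (assumption: the page
# does not publish Webiron's own detection signatures).
RULES = [
    ("password brute force",
     lambda r: r["method"] == "POST" and r["path"].split("?")[0] in ("/wp-login.php", "/xmlrpc.php")),
    ("comment spam", lambda r: r["method"] == "POST" and r["path"].startswith("/wp-comments-post.php")),
    ("malware install attempt", lambda r: r["method"] == "POST" and "upload" in r["path"]),
    ("scan for existing malware",
     lambda r: r["method"] == "GET" and r["status"] == "404" and r["path"].endswith(".php")),
]

def classify(line):
    """Return (category, source_ip) for an attack line, or None if benign or unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    r = m.groupdict()
    for name, rule in RULES:
        if rule(r):
            return name, r["ip"]
    return None

def summarize(log_text):
    """Hits per category and the number of distinct attacking IPs for one log."""
    counts, ips = Counter(), set()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
            ips.add(hit[1])
    return {"counts": dict(counts), "unique_ips": len(ips)}
```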
Abuse reports and what we learned about hosting companies
Automated robot networks can take (and sometimes still do take) months or even years to fully stamp out. Much like a computer virus, they infect one server, website, or computer at a time and spread like wildfire. The faster they can be contained, the quicker they can be stopped.
In June of 2015 we began generating automated abuse notices to the offending network’s Internet Service Provider (ISP) to alert them of abuse issues. The reports only contain items that the origin provider and ISP can take action to resolve; as a result, only about 40% of incidents make the abuse reporting queue. In addition, since bots are often part of an entire network, we were able to leverage our internal reporting engine to expose the many nodes of botnets, which initiated mass cleanup of botnets across thousands of web servers. When our reports reached responsible and capable hosts, we saw entire botnets eradicated within minutes of first detection.
We typically see a 30-90% reduction in bot network node counts (each node being an infected server) within a week of first detection, rising to around 40-100% after 30 days depending on the bot and the responsiveness of the ISP or hosting provider.
I’ve worked to provide web presences since 1994, and handling this support has been truly an eye-opener into what has happened with the race for cheap hosting. The sole intent of reporting abuse is to stop the perpetual outgoing abuse from networks and to have hosting companies work with their customers to help resolve the ongoing We understand that the vast majority of attacks are not the result of malicious activity by a site or VPS customer but rather of malware the customer is completely unaware of. Unfortunately, the vast majority of resolutions are simply notices that the customer has been terminated.
Note: Look for a further explanation of why hosting companies further victimize customers by terminating their online businesses in an upcoming article, “The truth about security, websites, and hosting”.
Some interesting discoveries:
- We found that some networks give free passes to proxy services (Tor Exits and VPN Services) and completely ignore that they are being used to facilitate attacks at a growing and alarming rate.
- We found that many of the large networks employ tactics like white label branding with the sole intent to shield their advertising businesses from the abuses from their network. Some examples are Host Gator with websiteswelcome.com.
- We found that many have just completely given up and completely ignore all abuse reports sent to them, such as OVH Canada and Online SAS (online.net).
- We found that many Eastern European providers completely ignore the mandate to provide abuse contact e-mails. This seems to be a problem with RIPE, the European IP registry.
- We found that Central and South America are extremely difficult to report to because of extremely poor service from LACNIC, the regional IP registry. Its Whois service is limited to a handful of lookups per ISP per day, and the REST interface has been disabled for years. This leads to large amounts of outdated or missing data. It is worth noting that Brazil has countered this problem with an abuse clearing house that redirects reports to the responsible party. We very much appreciate their efforts.
Note: For proxy and Tor information discovered during the 6-month audit, see our full report, The Unintended Consequences of the Sacred Proxy.
Look at the results yourself
Over the course of the last 6 months we’ve added data feeds to show what is going on with our trial server.
You can look up the status of an IP and see which bots it may be associated with, its Tor exit status, blacklist status, and report status.
IP Status Lookup – https://www.webiron.com/iplookup/
Our abuse report feed contains a log (newest to oldest) of abuse reports sent, abuse department opens, and whether the provider responded with a resolved notice. It is also available in RSS and JSON formats for easy parsing.
Abuse Report Feed – https://www.webiron.com/abuse_feed/
Our latest additions are unresolved abuse leaderboards for both web and non-web attacks. You can filter by hosting company country.
Top 100 Unresolved Abuse Leaderboards
- Web – https://www.webiron.com/abuse_web_leaderboard/
- Net – https://www.webiron.com/abuse_net_leaderboard/
Our bot node feed displays information on bot networks and their newly discovered nodes. From here you can easily see whether a bot has associated malware, its tracked node count, when a node was discovered, and the node’s hosting network. It is also available in RSS and JSON formats for easy parsing.
Bot Network Feed – https://www.webiron.com/bot_feed/
You can look up information on a particular bot on our bot lookup page. Here you can find what the bot has been observed doing, request header information, command arguments, a node list with last-spotted timestamps, node counts, and associated malware.
Bot Lookup – https://www.webiron.com/bot_lookup/
We gather malware information either via blocked upload or post processing extraction. In our file capture feed you can find files blocked as part of attacks. Most files are malware while some are blocked as vulnerability attempt test files.
File Capture Feed – https://www.webiron.com/file_feed/
You can view details of captured files, such as how the file was captured, when it was first spotted, when it was last blocked, the bots it is associated with, and in some cases the content of the malware.
File Lookup – https://www.webiron.com/file_lookup/