Every day, cyber criminals use malicious bots extensively to infect websites, send spam, and take down websites with DDoS – all for money.
As a server administration company, we often act as the 911 Emergency Rescue for websites under bot attacks.
Bot attacks take down websites, which then show “Out of memory” errors, “Connection timeout” errors, or plain white screens. That is when our Emergency Server Support team steps in for the rescue.
Today we’ll take a look at how we react to such issues, and how we build a defensive layer for our customers to prevent bot attacks.
Bot attack rescue
It is usually total chaos when a bot attack happens. The website and the server will be inaccessible, there’ll be errors left and right, and no one will know what’s happening, other than “some kind of bot attack is going on”.
So, when a customer contacts us, we follow these steps:
- Isolate the server – A server under attack will usually be unresponsive. So, we block all external connections and stop unnecessary services to bring down server load. This halts the attack and frees up resources to investigate.
- Gather information – We then analyze the log files to find the attacker IPs and identify the kind of attack they were attempting (e.g. injecting malware, outbound spamming, bot upload, etc.).
- Identify & block the attackers – We build a list of all offending IPs & IP ranges, and then feed it to the firewall to block all further connections from them.
- Patch system vulnerabilities – The attackers will have targeted one specific vulnerability in the system or web application. We patch those vulnerabilities to make sure such future attacks do not succeed.
- Set up the firewall to block similar attacks – We configure the firewall to block all IPs that follow common attack patterns (e.g. sending 10 login attempts per second – no human would do that).
- Bring the server back online – Once all the defensive shields are in place, we bring all services back online.
- Observe & update the firewall – The effectiveness of the firewall is observed for a few days, and if needed the rules are tweaked to make sure no attacks can get past the defenses.
At this point, the server will be able to resist most common attacks, but to make it resilient to an unknown kind of attack the system should be able to handle a sudden surge in connections.
That’s what we do with Bot attack prevention.
Bot attack prevention
Cyber criminals always find new vulnerabilities and new methods of attack.
But every mass exploit has a few things in common:
- High number of connections – Commonly known as “Brute forcing”, bots use a large number of attack combinations to get through to your website or database. This often requires a high number of connections.
- Use compromised IPs – Almost all of these attacks are launched using infected PCs or Servers. More often than not, the IPs of these PCs would be red flagged by blacklists as an attack source.
- Non-human behavior – Who would try to log in 10 times per second? Definitely not a human. There are many such signs that are common to all bot attacks.
So, our defense against bot attacks is based on these common traits. Let’s look at them one by one.
Reverse proxy for connection limits
A reverse proxy is like a sentry who allows only valid requests through. You can allow or deny connections based on specific rules. For example, requests to the admin URL can be limited to a few specific IPs, or image requests can be routed to an image server.
One commonly used reverse proxy is Nginx. It can handle 10,000 or more concurrent connections, and can divert traffic based on rules.
Here are a few common settings we enable in Nginx to prevent bot attacks:
- Connection limit per IP – A real human user won’t browse 50 pages simultaneously on your website. So, we put a limit of 30 connections per IP (varies from site to site).
- Restricting access to privileged pages – Some pages like administrator login pages are often targeted for dictionary attacks. These are blocked by restricting access to these URLs to just a few office IPs.
- Rate limiting access to URLs – Would a real user load the same page 100 times in one minute? Probably not, but a bot would. That’s why we put a limit on how many times a page can be accessed by the same IP.
- Closing slow connections – Denial of Service attacks depend on exhausting the resources of the target server. For that, attackers often keep a connection open without doing anything with it. We foil these attempts by closing each connection after a few seconds of inactivity.
- Using a cache to prevent web server overloading – Popular pages are cached in the proxy so that the web server doesn’t have to spend resources processing the same queries every second. Instead, cached pages are delivered for quicker responses and reduced load on the web server.
These steps taken together will make the server resilient against a sudden surge of connections.
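As an added example (not configuration from the original post), here is an Nginx `http` block that applies the five settings listed above: a per-IP connection cap of 30, an admin URL restricted to office IPs, a per-IP rate limit on each page, short timeouts to drop idle connections, and a proxy cache for popular pages. The backend address, hostname, admin path and office IPs are assumed placeholders; the block is meant to be included in `nginx.conf` alongside an `events {}` block.

```nginx
http {
    # Per-IP state for connection and per-page request limits
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone  $binary_remote_addr$uri zone=perpage_req:10m rate=30r/m;
    # Shared cache for popular pages, kept for up to 10 minutes
    proxy_cache_path /var/cache/nginx/pages levels=1:2 keys_zone=pages:10m
                     max_size=1g inactive=10m use_temp_path=off;

    # Close slow or idle connections after a few seconds (slow-loris style DoS)
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;

    upstream backend {
        server 127.0.0.1:8080;   # assumed backend web server
    }

    server {
        listen 80;
        server_name example.com;   # placeholder hostname

        # Connection limit per IP: at most 30 simultaneous connections
        limit_conn perip_conn 30;
        limit_conn_status 429;
        limit_req_status  429;

        # Admin URL: reachable only from the office IPs (placeholder addresses)
        location /admin/ {
            allow 203.0.113.10;
            allow 203.0.113.0/24;
            deny  all;
            proxy_pass http://backend;
        }

        # Everything else: per-page rate limit, served from cache when possible
        location / {
            # 30 hits per minute per IP per page; short bursts of 20 tolerated
            limit_req zone=perpage_req burst=20 nodelay;

            proxy_cache pages;
            proxy_cache_valid 200 301 10m;
            proxy_cache_use_stale error timeout updating;

            proxy_pass http://backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
```

Clients that exceed the limits receive HTTP 429, which is easy to count in the access log when tuning the thresholds for a particular site.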
Firewall to block connections from infected IPs
Block list maintainers like Spamhaus and DShield maintain block lists of IPs that are known to be hosting malware.
Connections from these IPs are very likely to be malicious in nature.
As a preventive measure, we configure firewalls to monitor the most reliable of these lists and preemptively block connections from listed IPs.
Intelligent blocking based on connection patterns
Bots are usually small programs that do not follow internet standards for Web or Mail communications.
For example, legitimate mail clients like Outlook usually follow a set pattern of commands. First the client says “Hello”, then it gives its machine name, then the sender’s mail ID, and so on. Bots don’t have the patience for such niceties. They’ll just dump everything into one command and ram it down the SMTP port.
So, we configure the firewalls to detect such non-standard behavior and block those connections.
Resource limits on services to prevent server crash
Now, we need to be prepared for the worst case scenario as well. What if an attacker breaks through all server defenses?
Usually such attacks will overload the memory, disk I/O or CPU and cause the server to freeze. No one can mount any reasonable rescue on a non-responsive server.
That is why we set up resource limits for each service, so that there’s always a bit of free resources to carry out administration commands.
That way, even if an attack brings down one particular service (say MySQL), it won’t bring down the whole server. Administrators can quickly log in to the server, block the offending IPs and get the service back online in a matter of minutes.
Conclusion
Bot attacks are a common way for cyber criminals to infect websites or send spam. These attacks often render websites unreachable, causing hundreds of dollars in lost business. Today we’ve seen a few of the ways Bobcares rescues websites & servers under attack, and how we prevent bot attacks.