
dealing with crapflooding

"Crapflooding" is a type of denial of service (DOS) attack on your blog in which a script is used to flood the blog with hundreds of comments a minute (trackback crapflooding and search request crapflooding are also possibilities).

As with regular DOS attacks, this may bring down your MT installation, your site, or even your webserver by overloading it. Crapflooding also leaves you with hundreds of comments to delete.

The unsophisticated crapflooder does his work from a single IP address. For this, MT 2.661 and MT-Blacklist (get 1.63 beta or later for compatibility with MT 2.661) are sufficient. MT 2.661 incorporates IP throttling. If more than a certain number of comments (or trackbacks or search requests) are submitted from the same IP address within a certain amount of time, the "throttle" kicks in and prevents additional comments (etc.) from being submitted. MT 2.661 also automatically bans any IP address that triggers the throttle a certain number of times. And MT-Blacklist allows mass deletion of comments (or trackbacks) from the same IP address as a blacklisted comment or trackback.

Thus, MT 2.661 and MT-Blacklist can stop an unsophisticated crapflooder before too many comments are posted and make the clean-up easy.

Unfortunately, many crapflooders are more sophisticated and engage in Distributed DOS attacks. In a DDOS attack, open proxies (usually in developing countries with poorly regulated ISPs) are used to create the appearance that each server hit is coming from a different IP address.

MT 2.661 and MT-Blacklist are unable to stop a DDOS crapflooder: throttling never kicks in as long as different IP addresses are used, and MT-Blacklist can't bulk delete by IP address either. (MT-Blacklist can also filter by text string, but only if the comment contains a text string that you can blacklist without killing off legitimate comments, and some DDOS crapflooders also submit random characters for the comment name, email, URL and text.)

Fortunately, the MT community includes some top-notch programmers who have developed solutions, at least to the first problem. Shelley Powers explains the steps to a safer blog with links to files that permit true comment and trackback throttling: a certain number of comments or trackbacks in a certain amount of time activates the throttle, regardless of IP address.
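The difference between the two kinds of throttling, as an added example (this is not MT's or MT-Blacklist's code, and the limits, window and ban threshold are illustrative values, not MT's defaults): a per-IP counter with auto-ban stops a single-IP flood, a distributed flood from distinct IPs never trips it, and a global counter that ignores the IP catches the distributed flood too.

```python
from collections import defaultdict, deque


class CommentThrottle:
    """Per-IP throttle with auto-ban (the MT 2.661 approach) plus a global
    throttle that counts submissions regardless of IP (the "true throttling"
    approach). All limits below are illustrative, not MT's actual settings."""

    def __init__(self, per_ip_limit=8, global_limit=20, window=60, ban_after=3):
        self.per_ip_limit = per_ip_limit    # accepted comments per IP per window
        self.global_limit = global_limit    # accepted comments per window, any IP
        self.window = window                # window length in seconds
        self.ban_after = ban_after          # per-IP throttle trips before a ban
        self.by_ip = defaultdict(deque)     # ip -> timestamps of accepted comments
        self.all = deque()                  # timestamps of all accepted comments
        self.triggers = defaultdict(int)    # ip -> times its throttle has tripped
        self.banned = set()

    def _expire(self, q, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()

    def submit(self, ip, now):
        """Return 'accepted', 'throttled-ip', 'banned' or 'throttled-global'."""
        if ip in self.banned:
            return "banned"
        q = self.by_ip[ip]
        self._expire(q, now)
        self._expire(self.all, now)
        if len(q) >= self.per_ip_limit:         # per-IP throttle (MT 2.661)
            self.triggers[ip] += 1
            if self.triggers[ip] >= self.ban_after:
                self.banned.add(ip)             # auto-ban after repeated trips
                return "banned"
            return "throttled-ip"
        if len(self.all) >= self.global_limit:  # global throttle, any IP
            return "throttled-global"
        q.append(now)
        self.all.append(now)
        return "accepted"


def simulate(ips, interval=1.0):
    """Feed one submission every `interval` seconds from the given sequence of
    source IPs (constructed input) and tally the verdicts."""
    throttle = CommentThrottle()
    counts = defaultdict(int)
    for i, ip in enumerate(ips):
        counts[throttle.submit(ip, i * interval)] += 1
    return dict(counts)
```

Running `simulate(["198.51.100.7"] * 60)` shows the per-IP throttle and ban doing the work, while `simulate(["10.0.%d.%d" % (i // 256, i % 256) for i in range(60)])` never trips it and is stopped only by the global count.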

I didn't pay too much attention to the latest security developments until I got hit by a crapflooder (two crapflooders, actually). The first crapflooder was sophisticated and hit me with a DDOS attack. The second one was unsophisticated and used a single IP address.

In order to stop the first attack in its tracks I had to delete the MT comments script from my server and that also prevented the second attack from accomplishing anything. I then had time to upgrade to MT 2.661 and get the latest version of MT-Blacklist. Then I did some hunting around until I came across Shelley's blog entry.

One other thing can be learned from this experience. These losers are using an automated script. The first crapflooder didn't notice for a while when he started getting 404s after I removed the comment script. The second crapflooder tried for four hours but apparently didn't realize or understand that he was getting 404s. If the crapflooder is using someone else's script, he probably just has to enter the URL of your site and an entry ID and the script does the rest. For this reason, tricks such as changing the name of the comment script, forcing commenters to go through preview mode before posting, or using a CAPTCHA (an image file of a word or number unique to the entry that must be entered in a form field) can be effective. The crapflooding script only looks for mt-comments.cgi and not some unusual name you've given the script, and it doesn't know to enter a CAPTCHA or that posting to the comment form only sends the comment to preview mode.
