homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / WebmasterWorld / Website Analytics - Tracking and Logging
Forum Library, Charter, Moderators: Receptional & mademetop

Website Analytics - Tracking and Logging Forum

This 354 message thread spans 12 pages: < < 354 ( 1 2 3 4 5 6 [7] 8 9 10 11 12 > >     
Logs Show Surge, but Not Human?

 9:23 pm on Feb 21, 2012 (gmt 0)

On one site I work with, I've seen traffic go from 10K visits/day to 40K. The additional traffic looks human at first glance - it is captured by Google Analytics, It comes from diverse consumer IPs in the US and Europe (but not Asia), and the bounce rate is high but one out of ten visits or so loads another page.

On the non-human side, we have all of the traffic coming with no referrer, and it is all focused on a few pages that are hardly viral linkbait and would get one or two views on a good day. It's all IE (spread among 6 - 9), and a range of screen resolutions that look unusually aged (e.g., 1024x768).

Anecdotally, I've heard of a few other sites seeing this kind of traffic, but nobody knows what the purpose might be. It's not scraping, as it's the same pages that get hit. It's not intense enough to be an attack to take the site down, nor is the site likely to be the target of miscreants.

The level of traffic has gone up and down, but it's still happening.

Are any of your sites seeing this, and do you have any theories?

Any thoughts on screening this out of Analytics? It totally blows up time period comparisons.



 2:09 pm on Mar 10, 2012 (gmt 0)

Dunno; haven't heard of that as a footprint yet. I'm not currently running AdWords on any of my personal sites.


 2:15 pm on Mar 10, 2012 (gmt 0)

No AdWords on my site that's getting hit. No AdSense on the pages getting hit, either. Some AdSense on other pages, hardly enough volume to be attack-worthy.


 2:23 pm on Mar 10, 2012 (gmt 0)

I'm not using AdWords, never have.


 5:14 pm on Mar 11, 2012 (gmt 0)

@Seb7 - not sure why but your IE blocking code doesn't appear to be working on my site (I believe I've copied it correctly and put it in the right place).

Perhaps it's just a problem unique to my setup but if anyone has any alternative solutions please post it here or send me a sticky - thanks. In the meantime I'll check through previous posts to see if there's anything else I can try.


 11:02 pm on Mar 11, 2012 (gmt 0)

But that IE code blocks direct traffic with no referrer right? Doesn't that mean that if someone types in the URL in their browser that they cant get to the site directly? If so I cant use that since they are on my home page.


 11:03 am on Mar 12, 2012 (gmt 0)

I just noticed after scanning my log files that since this zombie attack started the number of hits coming from HTTrack has also increased dramatically. I have HTTrack in my ban list

RewriteCond %{HTTP_USER_AGENT} ^HTTrack [NC,OR]

But this no longer seems to be working in stopping the traffic. I also found this forum post which I thought was interesting given the date, check for yourself:-


Read the 5th post by ApplianceJunk. That sounds very like the same time as this and he is also seeing the HTTrack traffic that I am as well.

Any thoughts on this?


 1:51 pm on Mar 12, 2012 (gmt 0)

The HTTrack thing looks like something entirely different.

I would expect that something that wanted to copy my website would do more than hit the home page thousands of times per day.


 2:11 pm on Mar 12, 2012 (gmt 0)

I agree that it does not make sense and would not appear to be human, that said it does fire up at the same date and is responsible for many many hits. Could the HTTrack software have been infected or malused?


 2:35 pm on Mar 12, 2012 (gmt 0)

hottrout, just to clarify, are you seeing a massive increase in both HTTrack traffic *and* other zombie traffic which started at the same time?


 2:38 pm on Mar 12, 2012 (gmt 0)

I do seem to be. That said I am in the process of blocking some German IP's that would appear to be using HTTrack to download the site. It may just be a coincidence.

Note : I have also came across an increased number of browsers with bsalsa running on them. Again this might be nothing, or it might be a havk relating to bsalsa's already crap software.


 4:42 pm on Mar 12, 2012 (gmt 0)

RewriteCond %{HTTP_USER_AGENT} ^HTTrack [NC,OR]

But this no longer seems to be working in stopping the traffic.

With the opening anchor, you're only blocking UAs that begin with "HTTrack". Most of them don't.


 4:57 pm on Mar 12, 2012 (gmt 0)


(Dont want to hijack this excellent thread but) I changed the rule to this

RewriteCond %{HTTP_USER_AGENT} "HTTrack" [NC,OR]


 8:47 am on Mar 13, 2012 (gmt 0)

Grrrr, the novelty of beig caught up in this is starting to wear very thin, especially as we're just embarking on a major push to sell CPM ads to advertisers. Does anyone have any further news? Any feedback from ISPs to whom complaints have been sent? Anything?


 12:25 pm on Mar 13, 2012 (gmt 0)

Nope. My bad traffic has dropped down to about a third of what it was, but that's about it.

I'm telling you - this thing can't be killed.


 8:18 pm on Mar 13, 2012 (gmt 0)

Thank goodness for Webmaster World - it's great to find this thread:

Just doing last months stats, and found one of my sites hit by this too:

Started on 21st Feb, home page goes from getting < 200 landings per day, peaked with nearly 8,000 landings on 22nd Feb - declined since then - held fairly steady last week at 2,000 landings per day - early signs of further decline to 1,000 landings per day yesterday.

My "visitors" are using IE, hitting the home page and bouncing, and originate in North America - so pretty typical footprint.

Has anyone found any other discussions about this problem on the web? It would be interesting to know how widespread it is.

I'll see if my hosting company has any ideas - but hopefully if Google (and Microsoft) are aware of the problem then a solution will appear soon...


 12:29 am on Mar 14, 2012 (gmt 0)

yea that sounds very close to my situation - started on Feb 21 with huge spike, and it's been slowly tapering down.


 3:11 pm on Mar 14, 2012 (gmt 0)

7_Driver, the nature of your traffic and stats mirror mine very closely, although I'm not seeing the same decline over the past day or so (the numbers are down from 9,000 to around 3,000 but holding steady).

Not sure when this is going to end so I've finally decided to pull the plug on AdSense on the page in question, for me it's not worth the risk (shame the Analytics figures are still being skewed though).


 3:45 pm on Mar 14, 2012 (gmt 0)

In response to a blog post and some direct tweets, I heard back from Compuware. They said they had searched for my URL, site name, etc., and could find nothing related in their activity. They also said that larger scale tests don't go through their network but rather come from their own IP. (Not sure what the point of having 150K slave machines is, if that's the case.)

Has anyone filed an ISP abuse complaint yet? That seems like my next step.


 4:00 pm on Mar 14, 2012 (gmt 0)

Nope. Haven't had time, coming up on my busy season.


 3:22 am on Mar 23, 2012 (gmt 0)

Many of you have pointed to a date of Feb 21 as a start date for this attack and the impression I get as I read this thread is that there are a lot of people affected by this so you would expect to see an upswing in Internet traffic from that date ... even just a small one.

So I had a look at Internet traffic reports and around the 21st/22nd there was actually a marked decrease in Internet traffic.

From about the 23rd traffic levels seemed to return to what they had been prior to the 21st.

I also spoke to a sysadmin for a high level network of sites that usually attract attacks like this one like honey attracts bees and he can see no indication of any sort of attack across his sites like you guys are seeing.

What he did see though was a drop in traffic on 21/22Feb and then things have returned to normal.


 2:15 pm on Mar 23, 2012 (gmt 0)

Just to bump and update this thread. The initial jump in hits has leveled off now for several days but it is approx 30% higher than before with the bouncerate also up approx 30%.

The figures have not returned to normal levels yet and they would appear to not be going to either.

What are other people seeing?


 2:27 pm on Mar 23, 2012 (gmt 0)

My bot traffic remains high but now with very little day to day variation, hottrout. Main impact is on analytics, but if these guys dialed up the volume it could have a big impact.


 2:42 pm on Mar 23, 2012 (gmt 0)

I agree, it is making a nonsense out of my GA stats but having no impact on my server performance etc. I really need to get a fix to this or my GA info (that i use and like a lot) will be of no use.


 9:26 pm on Mar 23, 2012 (gmt 0)

Ditto what rogerd said.

After the initial spike my bot traffic levelled off (still at a fairly high level) around Feb 27th and has remained there since.


 9:46 pm on Mar 23, 2012 (gmt 0)

ken_b - 11:47 am on Mar 7, 2012 (utc -5)
At the peak my homepage was apparently getting 6.000+ visits from this thing. That's been down to about 1,200 for a few days, but it might be inching up again, not sure yet.

Still pretty much the same as this previous post for me. Just wobbling up and down around that 1,200 - 1,300 number.

Aside from the increased traffic to my homepage the biggest affect is on my Bounce Rate, which is way up. It's like 93% for the home page now.

So, if Bounce is a quality factor, could that affect me?

I use Google Analytics, and I really want to keep it on the homepage so I can easily track this thing.

But maybe that's not a god idea?



 12:38 pm on Mar 25, 2012 (gmt 0)

For those using Google Analytics, if you select the following options from the Audience tab:

Audience -> Technology -> Network

(possibly in combination with specifying a landing page as a secondary dimension if necessary), who do you see as the biggest networks sending this bot traffic? I see various networks but the worst appear to be:

road runner holdco llc
comcast cable communications inc.

followed by

verizon online llc
at&t internet services

Thereafter there is a third tier of other companies. I'm just curious if other people are seeing the same source networks and if so, has an attempt been made to contact their support/abuse departments?


 3:28 pm on Mar 25, 2012 (gmt 0)

Highest to lowest



 3:52 pm on Mar 25, 2012 (gmt 0)

There has been no fluxuation for my traffic since March 10th. I have been getting almost exactly 1000 of these nonsense hits a day. For awhile, it was gone, but then returned a few days later.

Highest to Lowest...


...and of course many others, but those range in the hundreds (at least).


 5:04 pm on Mar 26, 2012 (gmt 0)

Has anyone forwarded their list of "attacking IPs by day" to any ISP?

My understanding is the ISPs can track IPs by day to accounts.

Unless and until people undertake a concerted effort to report the "attack" the ISPs will likely enjoy the luxury of doing nothing, at no risk.

Absent participation of the ISPs in slaying the zombie machines there appears to be no stopping this. So, the answer is to hold the ISPs to account.

Whilst your making your reports to the ISPs why not send a copy of your report/complaint to your legislative rep with a request that their staff draft legislation compelling ISPs to address the existance of zombies operating on their networks?

Honestly, this needs to be addressed before attacks within your nation, on your nation, begin to occur from zombie machines within the nation. Cybersecurity defense won't be a matter of severing outside the nation connections if this issue is allowed to run wild.

Maybe it will only take the threat of legislation or regulation for the ISPs to begin acting in a responsible, self-regulating, self-policing manner.


 5:26 pm on Mar 26, 2012 (gmt 0)

If I look at stats the month previous leading up to Feb 20 (i.e. before the 'event') I see a fairly even spread across :-

ntt communications corp
road runner
japan network

if I look at traffic from 21st Feb (start date) to 29th Feb (date it leveled off to approx 30%) I see this :-

road runner 10% of total
comcast 10% of total

Previously road runner or comcast only had 3-4% of total. In other words the traffic sources were more evenly spaced.

This might mean feck all but I though I would throw it out there.


 9:22 pm on Mar 26, 2012 (gmt 0)

I guess it's not too surprising (given their subscriber numbers) but it's useful to know that road runner and comcast are topping a number of people's lists. I'm going to start with these two and see what response I get from their abuse contacts.

This 354 message thread spans 12 pages: < < 354 ( 1 2 3 4 5 6 [7] 8 9 10 11 12 > >
Global Options:
 top home search open messages active posts  

Home / Forums Index / WebmasterWorld / Website Analytics - Tracking and Logging
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved