| 4:34 am on Mar 13, 2014 (gmt 0)|
New member here. I've been click bombed since 1st March.
12th March, 2,800 plus clicks, CTR 330%
11th March, 1,200 plus clicks, CTR 115%
1st March, 5,100 plus clicks, CTR 680%
Installed the anti-fraud plugin on WP to no avail.
Yes have noticed Firefox 18.0, 1024x768, Seattle, Washington, United States, Amazon.com, 54.186.xx.xx
It would be nice not to have to worry about this and just earn some money. :)
| 1:15 pm on Mar 13, 2014 (gmt 0)|
Seeing the same Amazon IP range as Netmeg's: 54.186.*; blocked it as well.
Question... What are Cloud servers? Do users use it for free internet?
| 2:31 pm on Mar 13, 2014 (gmt 0)|
I wonder if anyone on the web gathered the IPs of the main offenders? It would save us time digging into individual stats.
| 3:03 pm on Mar 13, 2014 (gmt 0)|
You can buy storage from Amazon, and you can buy computer resources from Amazon, and maybe one of those is Cloud, but I can't say I'm up on the terminology.
So far today, my reports have been *very* stable.
| 3:42 pm on Mar 13, 2014 (gmt 0)|
Just think of cloud servers as another type of hosting environment for sites, applications and data. You can actually have either shared or dedicated server packages in the cloud but the difference is we're not talking about a physical box but more of a virtual server environment where your site/app lives on many machines at the same time. Your site could be replicated across a bank of servers and served from any one at any time. It's a redundancy thing in a way. All of my sites reside in the cloud (dedicated server for one and the rest are in something closer to a shared environment). The key is that those sites are not married to any particular box. I won't call myself an expert on the cloud either but this is my general understanding of it.
| 3:50 pm on Mar 13, 2014 (gmt 0)|
Cloud is a cheap server you pay for what you use. Lots of people use them including Pinterest. So you can't just block Amazon.
Netmeg, yes stats have been more stable today.. so far. Still ups and downs but nowhere like before.
| 4:24 pm on Mar 13, 2014 (gmt 0)|
Thinking a bit more about the cloud aspect of this.
1. Yup, there are lots of Cloud hosting providers out there just like there are many traditional hosting companies out there. So malicious apps have many places where they can live.
2. In the cloud environment, because any one of a number of machines can serve an app, the app being run at different times, is probably naturally being served from different IP addresses because of the way the cloud works.
ADDED: You can run your app from a static IP in the cloud but I can't imagine that the operator of a malicious bot would have any desire to pin its activities to a single IP address like that.
3. While I doubt that Pinterest has a small hosting bill, the fact is that cloud services are scalable and running a lightweight clickbot from a cloud service could probably be quite inexpensive. I'm betting, resource-wise, you could do it from the most basic of shared hosting accounts so doing it in the cloud isn't going to be too much different cost-wise.
It would make sense, if operating a number of bots in unison with each other, to use a centralized DB to house information like target URLs, target ads and such and just let the bots "phone home" via simple queries as wa desert rat has shown to be possible. This means the bot apps themselves don't even need a database in their own hosting space to function. It's a cheap solution and it keeps your data safe if your bot account gets summarily deleted by the host.
While to some, a clickbot seems like some highly complicated program requiring lots of resources, I contend that, in actuality, they could be very lightweight apps and operate very cheaply and with some degree of anonymity in a cloud environment given easy access to a variety of IP addresses. If you get caught, you can always move your app to another cloud host.
Real people don't live in the cloud. They come from IP addresses provided by their ISPs, not a hosting company. Wondering if anyone can think of a bad reason for banning traffic originating from a cloud host.
| 4:33 pm on Mar 13, 2014 (gmt 0)|
(I'm not worried about Pinterest referrals, and in my case, the Amazon IPs were pretty centralized - this time.)
| 4:37 pm on Mar 13, 2014 (gmt 0)|
And here's another layer of obfuscation that a service like AWS can provide. If you live in Antarctica (for example) and want to mess with US websites, it would make you harder to find if your bot is being run from IP addresses in the US. Victimized webmasters will see you coming from the US and blocking Antarctic traffic won't do them a bit of good. It obfuscates any country-based relationship to the activity. In that respect, it's like using a country-proxy.
| 4:43 pm on Mar 13, 2014 (gmt 0)|
@netmeg -- while a referral might be from Pinterest, the user's IP address is actually what matters, right? So, people can still follow Pinterest links to your site and not be blocked because they're not using a Pinterest IP, they're using an IP provided by their ISP. The bot is accessing the Internet via its host unlike how most humans get online. Or am I missing something here? Wouldn't be the first time.
| 4:57 pm on Mar 13, 2014 (gmt 0)|
People can follow Pinterest links, but if you block the IP range that Pinterest is using, I'm not sure if your pins will show (i.e. images from your site that people pin). I don't do much of anything in images, so I'm fairly unclear on how that all works.
| 7:25 pm on Mar 13, 2014 (gmt 0)|
Revenue is down but stats are mostly stable except for one ad unit on one page. Its CTR is 135%. I took the unit off, and so far the problem has not migrated to other pages/units.
| 10:31 pm on Mar 13, 2014 (gmt 0)|
The end of day stats have remained stable over the last couple of days for me. I removed the problem ad unit several days ago and at that time I thought it was my lowest (silly G stat errors aside) earning unit - until today. I caught another ad unit (forgotten it even existed the earnings were so small) showing £76 earnings at around mid day. Ten minutes later it has all but gone except for a few pence.
| 11:12 pm on Mar 13, 2014 (gmt 0)|
Since March 4, I've been seeing wild fluctuations. Revenue skyrockets and then it is gone 5 minutes later. Today the revenue is still there from the one ad that had the very, very high CTR. And the extra revenue is showing up in analytics. New day, new adventure.
| 12:31 am on Mar 14, 2014 (gmt 0)|
I think the mass clicks coming into the adsense now are clicks that were taken off previously but processed and believed to be real clicks.
My earnings seem to be on track, down a little for the fewer impressions I'm giving them and when I removed them.
IF the high dollar days stay...
I'm thinking the high amount of clicks and $ that has been coming in, some is "processed" clicks that have been reprocessed after the attack and put back into the account. Otherwise my adsense is WAY low.
| 12:45 am on Mar 14, 2014 (gmt 0)|
Sirius, I'm thinking the same thing. I hope you're right. *fingers crossed*
|wa desert rat|
| 12:50 am on Mar 14, 2014 (gmt 0)|
|So far today, my reports have been *very* stable. |
I blocked AWS IP range 54.186.x.x only (because that was the only one I saw) and my performance report stabilized almost immediately. I still had a click here and there taken back but nothing like before.
This problem looked to me like a botnet and I suspect that someone has found a way to exploit Windows PCs via the Amazon Cloud service. Every single AWS "user" had the same profile.
Too soon to tell for sure but it looks much better now.
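The pattern described in this thread (many visitors from one /16 that all share the same browser profile) can be pulled out of a raw access log directly. The sketch below is an added example, not something posted by a thread participant; the log lines are constructed samples in Apache "combined" format, and the function name and threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

FF18 = "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/33.0 Safari/537.36"

def _line(ip, ua, path="/article"):
    # Build one constructed "combined" log line for the sample below.
    return f'{ip} - - [12/Mar/2014:04:01:10 +0000] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'

# Constructed sample data: four 54.186.x.x clients with one identical profile,
# plus three unrelated visitors from documentation address ranges.
SAMPLE_LOG = "\n".join([
    _line("54.186.10.5", FF18), _line("54.186.10.5", FF18),
    _line("54.186.77.12", FF18), _line("54.186.140.9", FF18),
    _line("54.186.201.33", FF18),
    _line("203.0.113.8", CHROME), _line("203.0.113.9", FF18),
    _line("198.51.100.7", CHROME),
])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def clusters(log_text, min_ips=3):
    """Return (network, user_agent, distinct_ips, hits) for every /16 + user-agent
    pair seen from at least min_ips different addresses, busiest first."""
    groups = defaultdict(lambda: {"ips": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        try:
            net = ipaddress.ip_network(f"{m.group(1)}/16", strict=False)
        except ValueError:
            continue  # client field is a hostname or malformed
        g = groups[(str(net), m.group(2))]
        g["ips"].add(m.group(1))
        g["hits"] += 1
    rows = [(net, ua, len(g["ips"]), g["hits"])
            for (net, ua), g in groups.items() if len(g["ips"]) >= min_ips]
    return sorted(rows, key=lambda r: -r[3])

if __name__ == "__main__":
    for row in clusters(SAMPLE_LOG):
        print(row)
```

A shared profile inside one range is a reason to look closer, not proof by itself; compare the flagged range against the time windows in which clicks were removed before blocking it.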
| 1:49 am on Mar 14, 2014 (gmt 0)|
Wa Desert Rat, to block that range, do you actually put 54.186.x.x? Include the Xs?
|wa desert rat|
| 2:18 am on Mar 14, 2014 (gmt 0)|
|Wa Desert Rat, to block that range, do you actually put 54.186.x.x? Include the Xs? |
Every site has a different way to block. If you have access to the router it would be 126.96.36.199/16 (that would block everything up to 188.8.131.52). If you are using phpbb it would be 54.186.*.*. Some require 184.108.40.206/255.255.0.0. You can use a netmask calculator to figure it out: [jodies.de...]
| 2:28 am on Mar 14, 2014 (gmt 0)|
|Every site has a different way to block. If you have access to the router it would be 220.127.116.11/16 (that would block everything up to 18.104.22.168). If you are using phpbb it would be 54.186.*.*. Some require 22.214.171.124/255.255.0.0. You can use a netmask calculator to figure it out: [jodies.de...] |
[edited by: ember at 2:29 am (utc) on Mar 14, 2014]
| 2:28 am on Mar 14, 2014 (gmt 0)|
I haven't finished reading the enclosed link, but it contains a complete list of the Amazon AWS server addresses, for those that may want to block them.
|wa desert rat|
| 2:39 am on Mar 14, 2014 (gmt 0)|
I've been dealing with routers and firewalls so long I forgot that you can deny in the .htaccess file, too:
Deny from 126.96.36.199/16
Here is a website that deals with blocking bots: [forumpostersunion.com...]
| 1:10 pm on Mar 14, 2014 (gmt 0)|
Actually in my .htaccess file, I just put this:
# Amazon bots
deny from 54.186.
(that last period is important; the first line is a comment so I remember why I blocked it)
And it worked just fine.
BUT before you edit your .htaccess, make a backup copy, because if you mess something up, you won't be able to get to your site (other than via FTP). I speak from experience. Loooooong experience.
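The posts above describe one block written several ways (wildcard, /16, dotted netmask, .htaccess). The following added example, not code from any poster, converts a trailing-wildcard pattern such as 54.186.x.x into each notation and checks sample addresses against it before a rule goes live; the function names and sample visitor addresses are constructed for illustration.

```python
import ipaddress

WILDCARDS = {"x", "xx", "*"}

def wildcard_to_network(pattern):
    """Convert '54.186.x.x', '54.186.*.*' or '54.186.' to an IPv4Network."""
    octets = pattern.strip().rstrip(".").split(".")
    fixed = []
    for part in octets:
        if part.lower() in WILDCARDS:
            break
        fixed.append(int(part))  # ValueError on non-numeric input
    trailing = octets[len(fixed):]
    if not fixed or len(octets) > 4 or any(p.lower() not in WILDCARDS for p in trailing):
        raise ValueError(f"wildcards must be trailing: {pattern!r}")
    base = ".".join(str(o) for o in fixed + [0] * (4 - len(fixed)))
    # One fixed octet = 8 prefix bits; out-of-range octets raise ValueError here.
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")

def notations(net):
    """The same block in the notations different tools expect."""
    return {
        "cidr": str(net),
        "netmask": f"{net.network_address}/{net.netmask}",
        "last_address": str(net.broadcast_address),
        "apache_2_2": f"Deny from {net}",
        # Apache 2.4 form; it must sit inside <RequireAll> next to
        # "Require all granted", a negated Require cannot stand alone.
        "apache_2_4": f"Require not ip {net}",
    }

def is_blocked(ip, networks):
    """True if ip falls inside any blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    block = wildcard_to_network("54.186.x.x")
    for name, value in notations(block).items():
        print(f"{name:13} {value}")
    # Constructed visitor addresses: one inside the range, two outside.
    for ip in ("54.186.12.34", "54.243.1.1", "203.0.113.8"):
        print(ip, "blocked" if is_blocked(ip, [block]) else "allowed")
```

Running candidate rules against a list of known-good visitor addresses first shows whether a range is wider than intended before it is deployed.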
| 1:26 pm on Mar 14, 2014 (gmt 0)|
I'll just add for anyone using a Windows server with access to Windows Firewall (software firewall), you'll make your entry like this:
|wa desert rat|
| 2:42 pm on Mar 14, 2014 (gmt 0)|
|BUT before you edit your .htaccess, make a backup copy, because if you mess something up, you won't be able to get to your site (other than via FTP). I speak from experience. Loooooong experience. |
Amen! I have made many trips into town to visit the server room and get manual access in order to fix the mistake I made remotely. There are some typos that can mess up even FTP and SSH access.
Of course, now that I live in town my web server is hosted in California. :P
Nice catch with that tip you gave us all about watching for AWS bots. That looks like it fixed my problem (knock on wood). Unless, of course, Google managed to figure it all out at exactly the same time and it doesn't look like that's happening. Many thanks. Cooperation seems to be working. :)
| 2:49 pm on Mar 14, 2014 (gmt 0)|
|Many thanks. Cooperation seems to be working. :) |
| 3:31 pm on Mar 14, 2014 (gmt 0)|
Agreed. You all have been great, and I really appreciate all of the detective work and sharing. Things here seem to be back on track.
And I am kind of amazed that none of us got banned during this event (knock on wood). Seems like Google was giving us time to figure it out?
|wa desert rat|
| 3:39 pm on Mar 14, 2014 (gmt 0)|
First of all, there isn't ONE problem. I'm still getting inflated clicks, I'm just getting fewer of them at the moment.
I want to emphasize this so everyone understands that there are multiple systems trying to either profit from or attack Adsense and not to be complacent.
Patterns in traffic flow, user profiles, etc. require more than just one analytical tool to discover. Don't just rely on Google. I know that the Terms of Service on webmasterworld seem to imply (or maybe I just infer) that mentioning what other tools we use and how we use them is frowned upon but I think that this is misguided at best. Learning how to manage our websites seems to me to be an important issue and to deny mentioning other tools just doesn't help.
It's one thing to advertise a tool in order to increase sales or donations. But just listing the tools that we use and how we use them can only help new publishers learn how to avoid problems as well as give even old-timers a tip now and then. No one has a monopoly on these techniques.
I'd be in favor of a forum that lets us talk freely about these other analysis tools right here on webmasterworld along with a modification of the TOS to make it clear that advertising a tool is not allowed but that descriptions of how to use a tool are. After all, we talk about operating systems and browsers on this site; why not analysis tools?
| 4:19 pm on Mar 14, 2014 (gmt 0)|
|And I am kind of amazed that none of us got banned during this event (knock on wood). Seems like Google was giving us time to figure it out? |
If I found it, Google's known about it for months or years. I mean, they're the ones that told me it was a bot running through my sites in the first place.
What I think happened is between that and the change last year to show us more "up to the minute" stats, for the first time we actually got to see the roller coaster that probably has been going on all along. That's why they told me my account wasn't at risk. They probably remove clicks from Amazon AWS (and others) automatically. But they don't *prevent* them from going into the reports, they just take them out after they've landed there.
They could have given me some assistance in what to block. Maybe they figure if they did and it gets widely known, it'll just push the bots to more and different IP numbers that much faster, I dunno.
|wa desert rat|
| 4:44 pm on Mar 14, 2014 (gmt 0)|
I found one more AWS user on my site this morning which did not fit the pattern. For one thing it was listed as a Linux box with Safari and no plugins. And it was a 54.243. IP subnet.
I did not take any action; partly because it's Linux and I feel that makes the chances of it being in a botnet somewhat remote and partly because there were no invalid clicks during that time period. A Linux box that is being used as a direct agent can be dangerous because of its ability to use attacking tools. But an exploited Linux box as part of a botnet is pretty rare.
I have also noticed a decline in visitors since banning that one /16 AWS subnet. I pretty much expected this. I doubt it will affect earnings because, as netmeg said, Google has certainly known all about AWS bots for a long time and has discounted their pageviews anyway.
| 4:51 pm on Mar 14, 2014 (gmt 0)|
Just following up after having had time to look through IPs I've blocked over time in my firewall. Sure enough, there are a number of Amazon AWS IPs in there which may account for why I haven't seen this type of click-bombing while others have. I block IPs all the time for various reasons so who knows what triggered me to block them but some unusual activity must have motivated me to do so. Now I'm thinking of going back and looking at my website health monitoring emails to see if I can find those IPs and see what triggered me to block them in the first place. I don't always keep those emails once I've taken action but it's worth a look. We'll see.