Distributed Attack

Mac Chrome/103.0.5060.134

Pfui

4:36 pm on Dec 11, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm not sure how to describe what happened last evening -- other than calling it creepy -- so I'll start with the UA that apparently was 'new' in June, 2022:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36

(Presumably the UA was spoofed but upon discovering the attack, I blocked it anyway. Given the sheer number of hits, I thought some of you might want to, too. Zero hits with it prior to the attack; none since.)

In a Nutshell:

Out of the blue, the main site on our server was hit by 433 unique Hosts and IPs using that exact same UA in a 30-minute period. The total number of hits was 484 because a few, a very, very few, hit more than a single file. Normally on a Saturday evening, we might see, oh, 20 'normal' browsing visitors in 30 minutes.

Details, Details:

- All files hit were html but for a couple of CGIs and plain txt files. No graphics, PDFs, etc.
- All hits were GETs.
- Many of the hits were from already-blocked Hosts and IPs and those hits resulted in 403s, to no avail.
- Hostnames included devices in Brazil, Bulgaria, Germany, Greece, Hungary, Japan, Pakistan, Poland, Thailand, etc. -- a lot of usual suspects. But too many hits came from US-based Hosts including: AT&T (sbcglobal), Bell.ca, Comcast, Cox, Qwest, RCN (Canada), Roadrunner, Verizon, etc.
- IP addresses were too numerous to sort numerically, let alone lookup!

Thoughts?

blend27

8:47 pm on Feb 4, 2023 (gmt 0)

Late Thoughts..

1. Same UA thingy: is it a just-released UA?
- Lock it down at the UA level for now/whenever, or wait a bit: if you have NN requests using it in an N span of time, increment the time with each hit from the same UA?

2. UA (new or not) used from ranges outside of your habitat?

Ask 'Hi', with a Captcha.
- Is it IP-range based?
- Country based (no one gets the FF 6 update now in Mozambique all at once along with SBCGlobal or Roadrunner - mip, mip)?
- RIR based?

Most UA traffic volume follows an update released by the browser company: varied and slow.

...Thoughts...
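The "NN requests using one UA in an N span of time" rule above, as an added example that is not code from any of the posters. It counts distinct client IPs per exact User-Agent string inside a sliding window, which is what separates a distributed run like the one in the opening post (433 IPs, one hit each) from a single aggressive client. The log lines, the documentation-range IPs and the threshold are constructed for the example; the spoofed UA string is the one from the opening post.

```python
"""Flag a burst of distinct client IPs that all present one User-Agent.

Added example for the thread, not code from any poster. Reads
Apache/nginx "combined"-format lines, groups requests by the exact
User-Agent string, and reports any UA used by at least `threshold`
distinct IPs inside some sliding window of `window_minutes`.
Status codes are deliberately ignored: a 403 is still an attempt,
which matches what the opening post saw from already-blocked hosts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The UA from the opening post (presumed spoofed) and an ordinary visitor UA.
SPOOFED_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36")
NORMAL_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"


def parse_line(line):
    """Return (ip, timestamp, ua) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["ua"]


def bursts_by_ua(lines, window_minutes=30, threshold=50):
    """Return {ua: peak_distinct_ips} for every UA that reaches threshold.

    Per UA, events are sorted by time and a two-pointer window counts the
    distinct IPs whose timestamps fall in [t - window, t].
    """
    window = timedelta(minutes=window_minutes)
    by_ua = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, ua = parsed
            by_ua[ua].append((ts, ip))

    flagged = {}
    for ua, events in by_ua.items():
        events.sort()
        in_window = defaultdict(int)   # ip -> hits currently inside the window
        left = peak = 0
        for ts, ip in events:
            in_window[ip] += 1
            while events[left][0] < ts - window:   # expire events older than the window
                old_ip = events[left][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ua] = peak
    return flagged


def _fmt(ip, ts, path, status, ua):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


def sample_log():
    """Constructed log (documentation IP ranges, not real traffic): 60 distinct
    IPs use SPOOFED_UA within 25 minutes, one hit each and some of them 403'd;
    three normal visitors arrive over three hours."""
    t0 = datetime(2022, 12, 10, 19, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        ts = t0 + timedelta(seconds=25 * i)
        lines.append(_fmt(f"203.0.113.{i + 1}", ts, f"/page{i}.html",
                          403 if i % 7 == 0 else 200, SPOOFED_UA))
    for i in range(3):
        lines.append(_fmt(f"198.51.100.{i + 1}", t0 + timedelta(hours=i),
                          "/index.html", 200, NORMAL_UA))
    return lines


if __name__ == "__main__":
    for ua, peak in bursts_by_ua(sample_log()).items():
        print(f"{peak} distinct IPs in one 30-minute window share UA: {ua}")
```

Pick the threshold from your own baseline (the opening post's normal Saturday evening was about 20 visitors per 30 minutes, so 50 distinct IPs on one UA in that window would already be far outside normal). The check is deliberately on distinct IPs rather than hit counts, and on the full UA string rather than a token inside it, so a genuine browser update rolling out slowly across many UAs will not trip it.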

lucy24

10:57 pm on Feb 4, 2023 (gmt 0)

Yuk. I hate those randomized robots that can only be identified by shared UA.

If you're blocking the UA, make sure you get the whole string. Otherwise you're liable to hit
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36
--a possibility that had truly not occurred to me until I searched logs for “Chrome/103.0.5060.134” alone. Looks like they started using it last August.

Memo to self: Update online version of At Home with the Robots, because I hadn't noticed this change.

Sgt_Kickaxe

11:24 pm on Feb 4, 2023 (gmt 0)



Thoughts?

System testing by spy balloons? Lol...

- spotted over Sendai, Japan, on June 17, 2020
- spotted over Port Blair, India, on Jan. 6, 2022
- spotted over the coast of Hawaii on Feb. 16, 2022
- spotted over Pangasinan, Philippines, on Dec. 18, 2022
- spotted over Canada, the US and Latin America last week

...all with the same array below them.

Pfui

5:45 am on Feb 5, 2023 (gmt 0)

Thanks for your comments, all. FWIW, I immediately blocked Chrome/103.0.5060.134 and thankfully, subsequent hits have been inconsequential (like four or five, not 400-plus). Still in clusters from all over the map at the same time, but nothing, NOTHING like the first assault.

FWIW redux, all 403s get a page where a real person can see info and seek access if desired. None of the 103.0.5060.134s have ventured beyond 403. (Bingbot has other ways in.)

blend27

11:42 am on Feb 5, 2023 (gmt 0)

-- 103.0.5060.134 - Bing!

Some sharp shooting over here!

I just realized that I was missing a new(for me) IP Range for Bingbot: 52.167.144.0/24

not2easy

1:13 pm on Feb 5, 2023 (gmt 0)

These Bings were shared somewhere around here about 6 months ago:

13.66.139.0/24
13.66.144.0/24
13.67.10.16/28
13.69.66.240/28
13.71.172.224/28
20.36.108.32/28
20.43.120.16/28
20.125.163.80/28
40.77.167.0/24
40.79.131.208/28
40.79.186.176/28
51.8.235.176/28
51.105.67.0/28
52.167.144.0/24
52.231.148.0/28
139.217.52.0/28
157.55.39.0/24
191.233.204.224/28
207.46.13.0/24
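lucy24's warning (a substring block on the version token also hits bingbot) and the range list above, put together as an added example; this is not code from any of the posters. The spoofed string is rejected by exact match only, and a UA that claims to be bingbot is trusted only when the client IP falls inside one of the ranges not2easy posted. The decision strings, the documentation-range test IPs and the assumption that the IP is the real peer address (not a forwarded header) are the example's own.

```python
"""Tell the spoofed Chrome/103 UA apart from bingbot's, and verify bingbot by IP.

Added example for the thread, not code from any poster. A substring block on
"Chrome/103.0.5060.134" also catches bingbot, whose current UA embeds that
token. So: block the exact spoofed string only, and accept a bingbot claim
only from an IP inside the ranges listed in the thread.
"""
import ipaddress

# Ranges exactly as posted above; they are not a complete or authoritative
# list of Bing crawler addresses.
BING_RANGES = [ipaddress.ip_network(c) for c in (
    "13.66.139.0/24", "13.66.144.0/24", "13.67.10.16/28", "13.69.66.240/28",
    "13.71.172.224/28", "20.36.108.32/28", "20.43.120.16/28", "20.125.163.80/28",
    "40.77.167.0/24", "40.79.131.208/28", "40.79.186.176/28", "51.8.235.176/28",
    "51.105.67.0/28", "52.167.144.0/24", "52.231.148.0/28", "139.217.52.0/28",
    "157.55.39.0/24", "191.233.204.224/28", "207.46.13.0/24",
)]

# UA from the opening post and bingbot's UA as quoted by lucy24.
SPOOFED_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36")
BINGBOT_UA = ("Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; "
              "bingbot/2.0; +http://www.bing.com/bingbot.htm) "
              "Chrome/103.0.5060.134 Safari/537.36")


def naive_substring_block(ua):
    """The tempting rule: block anything containing the version token.
    Kept only to show the collateral damage: it is True for bingbot too."""
    return "Chrome/103.0.5060.134" in ua


def is_bing_ip(ip):
    """True when ip (a string) lies inside one of the listed Bing ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BING_RANGES)


def classify(ip, ua):
    """Return a decision string for one request.

    Order matters: the exact spoofed string is rejected first, then a
    bingbot claim is checked against the IP list, and everything else
    passes, including other Chrome/103 UAs that are not the attack string.
    """
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "block:unparseable-ip"
    if ua == SPOOFED_UA:
        return "block:spoofed-chrome-ua"
    if "bingbot/" in ua:
        return "allow:verified-bingbot" if is_bing_ip(ip) else "block:fake-bingbot"
    return "allow"


if __name__ == "__main__":
    # Constructed requests from documentation ranges and one listed Bing range.
    for ip, ua in [("203.0.113.9", SPOOFED_UA),
                   ("203.0.113.9", BINGBOT_UA),
                   ("40.77.167.25", BINGBOT_UA)]:
        print(ip, "->", classify(ip, ua), "| substring rule would block:",
              naive_substring_block(ua))
```

The IP list does what the thread does, no more: a range list goes stale, and the usual complement is a reverse-DNS lookup with forward confirmation against the crawler's documented hostnames. Either way, keep the two checks separate: the UA decides what the request claims to be, the IP decides whether to believe it.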

Pfui

5:15 pm on Feb 5, 2023 (gmt 0)

Speaking of Bing bots...

Current: "Overview of Bing crawlers (user agents)"
[bing.com...]

April, 2022: Announcing user-agent change for Bing crawler bingbot
[blogs.bing.com...]

lucy24

6:09 pm on Feb 5, 2023 (gmt 0)

<topic drift>
By regularly updating our web page rendering engine to the most recent stable version of Microsoft Edge we will be making the above user agent strings evergreen. In the strings above, "W.X.Y.Z" would be substituted with the latest Microsoft Edge version we're using, such as “100.0.4896.127".
Now, if someone can explain the connection between Edge (which is not named in the new UA string) and Chrome (as in Chrome/w.x.y.z) I would be exceedingly grateful.

Incidentally, in spite of the blahblah about regular updates, I find only two versions of the new UA: one with Chrome/100.something in May-July, and then the one with Chrome/103.something from August on. And the part about discontinuing the “historical user-agent” by fall 2022 is ... darn, what’s the word? ... a barefaced lie. Oops, that is, I meant to say factually incorrect.

In the meantime, I hastened to add !lying_bot to the rules for bingbot. (This environment variable is not used for access control, but is one factor in determining which robots.txt to serve.) Most robots.txt requests continue to come from the old UA, but did they really not notice that they're being served two different sets of rules?
</topic drift>

[edited by: lucy24 at 6:12 pm (utc) on Feb 5, 2023]

blend27

6:11 pm on Feb 5, 2023 (gmt 0)

...and if you're really into /28 /29 << MSFT AZURE! ----- [microsoft.com...]