DDOS Cyber Attacks on the Forum?

[HappyGuy]

Holy cow. Are we under a DDOS attack again?

It could be PAG or it could be China or it could be all of them.

You've made a lot of enemies over the years Matrix

[Winston]

Why would PAG wanna launch a cyber attack on us? What would be his motive? What would he gain? Especially since we didn't even ban him this time? He needs us because we provide him his attention to feed his ego. Hence he doesn't have a motive.

Why can't it just be that this site just got popular? Lol. Remember, I just put HA under a secure https server, and the forum is now mobile friendly too, which removed Google penalties. So maybe those things raised our ranking and hence brought more traffic? lol. Why can't that be possible or one explanation? lol

[Winston]

Wow ever since I put this forum under a secure https server, we've had a huge increase in traffic. See below. And it's been consistent too, at between 400 and 500 users online at all times. I don't think this is a DDOS attack otherwise it'd go to 1000 and then stop. I have a theory. Maybe after becoming a secure site, a lot of users who find this forum in search engines stopped receiving that warning page that says "Warning. This site is insecure and unsafe." with a "Back to Safety" button and an "Advanced" button that you have to click in order to find the "Proceed anyway" link, which is stupid. You've all seen that warning page so I'm sure you know what I mean. Maybe before when we were on http a lot of browsers saw that and didn't proceed, so we lost a lot of traffic. But now that we are secure under https, they no longer see that warning, so they come here without obstruction. That's my theory anyway. I can't think of any better one.

Who is online
In total there are 472 users online :: 5 registered, 1 hidden and 466 guests (based on users active over the past 5 minutes)
Most users ever online was 999 on February 10th, 2020, 11:47 am

Registered users: Bing [Bot], HappyGuy, madmax, Moretorque, Winston, yick
Legend: Administrators, Expat Living and Dating VIP Forum, Global moderators, Happier Abroad Support Network

[Winston]

Ok I clicked on "Who is Online" at the bottom of the forum, and it does appear that most of the visitors here are spam bots or DDOS attack bots. For example, these three similar IP's are all from the same source:

GuestIP: 114.119.165.122 » Whois
Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; AspiegelBot) Viewing topics in Latin America, Mexico, Central America May 7th, 2020, 9:18 pm

GuestIP: 114.119.164.23 » Whois
Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; AspiegelBot) Reading topic in General Discussions May 7th, 2020, 9:18 pm

GuestIP: 114.119.166.37 » Whois
Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; AspiegelBot) Index page May 7th, 2020, 9:18 pm

When I click on the Whois next to their IP, they show some Chinese industrial park in Singapore owned by Huawei. See below.

Whois

% [whois.apnic.net]

% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '114.119.128.0 - 114.119.191.255'

% Abuse contact for '114.119.128.0 - 114.119.191.255' is 'guixiaowei@huawei.com'

inetnum: 114.119.128.0 - 114.119.191.255
netname: HIPL-SG
descr: 15A Changi Business Park Central 1 Eightrium #03-03/04
country: SG
org: ORG-HIPL2-AP
admin-c: HIPL7-AP
tech-c: HIPL7-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-HIPL-SG
mnt-routes: MAINT-HIPL-SG
mnt-irt: IRT-HIPL-SG
remarks: --------------------------------------------------------
remarks: To report network abuse, please contact mnt-irt
remarks: For troubleshooting, please contact tech-c and admin-c
remarks: Report invalid contact via www.apnic.net/invalidcontact
remarks: --------------------------------------------------------
last-modified: 2019-10-15T00:59:17Z
source: APNIC

irt: IRT-HIPL-SG
address: 15A Changi Business Park Central 1 Eightrium # 03-03/04, Singapore 486035
e-mail: guixiaowei@huawei.com
abuse-mailbox: guixiaowei@huawei.com
admin-c: HIPL4-AP
tech-c: HIPL4-AP
auth: # Filtered
remarks: guixiaowei@huawei.com
remarks: guixiaowei@huawei.com was validated on 2019-11-28
mnt-by: MAINT-HIPL-SG
last-modified: 2019-11-28T02:14:37Z
source: APNIC

organisation: ORG-HIPL2-AP
org-name: HUAWEI INTERNATIONAL PTE. LTD.
country: SG
address: 15A Changi Business Park Central 1 Eightrium # 03-03/04
phone: +8675528560115
e-mail: guixiaowei@huawei.com
mnt-ref: APNIC-HM
mnt-by: APNIC-HM
last-modified: 2019-07-16T12:55:18Z
source: APNIC

role: HUAWEI INTERNATIONAL PTE LTD administrator
address: 15A Changi Business Park Central 1 Eightrium #03-03/04, Singapore 486035
country: SG
phone: +8618476637035
e-mail: heting3@huawei.com
admin-c: HIPL7-AP
tech-c: HIPL7-AP
nic-hdl: HIPL7-AP
notify: heting3@huawei.com
mnt-by: MAINT-HIPL-SG
last-modified: 2018-08-25T08:20:25Z
source: APNIC

% Information related to '114.119.128.0/18AS136907'

route: 114.119.128.0/18
origin: AS136907
descr: HUAWEI INTERNATIONAL PTE. LTD.
15A Changi Business Park Central 1 Eightrium #03-03/04
mnt-by: MAINT-HIPL-SG
last-modified: 2019-10-24T14:11:28Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-47 (WHOIS-US4)

What does that mean? I thought Singapore was first world, not like China. Why would spammers and hackers be coming from there? And what is their purpose or motive? Are they trying to overload the server? If so, why not send thousands of bots? Why only 400? Is it a low level cheap attack? Or are they scraping information? If so, what kind of information? Any idea? Should I email the above email addresses and report this to them?

@momopi, @fschmidt what do you think?

[HappyGuy]

When I click on the Whois next to their IP, they show some Chinese industrial park in Singapore owned by Huawei.

What does that mean? I thought Singapore was first world, not like China. Why would spammers and hackers be coming from there? And what is their purpose or motive? Are they trying to overload the server? If so, why not send thousands of bots? Why only 400? Is it a low level cheap attack? Or are they scraping information? If so, what kind of information? Any idea? Should I email the above email addresses and report this to them?

Could be a cheap attack. It's not like they're not doing it:



I posted some videos that were anti-China (anti-Chinese government). Maybe they are monitoring this site. SerpentZA is bringing foreign attention to the Chinese Communist Party through Youtube and they don't like that.

Anti-China threads:
viewtopic.php?f=31&t=42068
viewtopic.php?f=42&t=41691
viewtopic.php?f=34&t=42107
viewtopic.php?f=25&t=42403
viewtopic.php?p=336614

"Anti-Chinese" posts:
viewtopic.php?p=336610#p336610
viewtopic.php?p=337457#p337457

I can see how posts like that would anger some government official or a Chinese nationalist.

[Winston]

Should I implement this to stop the Chinese bots?

https://www.johnlarge.co.uk/blocking-ag ... pers-bots/

@StanfordGuy you still haven't answered the question of whether or not you're behind the DDOS attacks. Why do you keep dodging the question? Does your silence imply guilt?

[Winston]

I emailed a Dutch company from where some of the bots are coming from. Here's the reply I got.

Dear Winston,

Thank you for reaching out to SEMrush!

I sincerely apologise for the inconvenience from the bots. The activity you experienced on your domain was from one of our data gathering bots. SEMrush is a digital marketing software that allows its users to view various information about their competitors from an SEO and SEM standpoint. I've contacted our QA Team and will make sure the problem is solved shortly. However, I'd like to let you know, that our bots strictly obey robots.txt, which you can use to limit and/or disallow crawling of your site.

I would suggest you take a look at the additional information here:

http://semrush.com/bot.html

And if you'd like to, you can completely stop our bot from visiting your site, by adding these lines into robots.txt:

User-agent: SemrushBot

Disallow: /

Once again, I apologise for the inconvenience, and let me know if there's anything else I can assist you with!

Best regards,

Nikolay.

Why would any of our competitors use bots to gather data here? Strange. And why from Holland? Holland is first world, not known for scams or hacking.

[Winston]

Update:

I moved the site ranking and SEO discussion posts in this thread to a new thread here:

viewtopic.php?f=1&t=42494

You can continue the discussion there.