PlanetZ Forums Update & Bot trafffic

[nebelfuerst]

No matter if it's someone's herd of bots or even payed accounts, attacks like these also bring some effort for the attacker. So there usually is some goal, to get some payoff. As there's no shop with wallets, no data for identity fraud, I don't see a monetary motivation. Even if someone hates all scopers, it's hard to believe he keeps up attacks over such a long time.
Many years ago, some people scanned IPs "close" to an interesting site (e.g. webshops, pr0n) , to find a way to access its data by some backdoor.
Is it possible, that your site is just part of an "interesting IP-range" ?
Do the "knocked ports" show a pattern, which adresses a certain type of host ?

[valis]

There are only 4 ip addresses for all 40 accounts. Its domain specific to the point where it’s only the forums subdomain, not even the root domain

I also still host some very old gaming forums that have been around just as long if not longer, they do not get any of this traffic. Same forum software so it’s not people trying to hack the forum because of the type of forum etc.

Believe me, it’s been going on long enough that I’ve certainly come to some conclusions and it’s not random.

[valis]

Also, you can check the number of people currently listed online, and look at the guests. Some portion of the attacks are establishing a full https connection (like .01% or less) and you'll see anywhere from 400-1200 listed as online. I reset the logs so it doesn't show in the graph for this year (posted earlier) but in Jan/Feb the previous round of attacks was reaching 6000+ bots and so you'll see "Most users ever online was 9652 on 01 Feb 2025 16:05". That's when I implemented cloudflare free.

Some are simply doorknocks, some are port tests, some test normal login urls. And almost all of them come from the same ip ranges in the same datacenters (the pwned XP/Win98 machines in Eastern EU, Russia, Africa etc are always there and easily spotted in logs due to the randomness they generate, and never bog the server down because they're just doing their little things).

Also, thanks to two helpful donations we have cloudflare's higher tier incoming, I'll handle that over the weekend. But you should already see the load lessened, and that took banning ranges like (feel free to look up the hosting facilities):

60.28.204.0/24
(60.28.204.0 - 60.28.204.255)

112.0.0.0/10
(112.0.0.0 - 112.63.255.255)

42.80.0.0/15
(42.80.0.0 - 42.81.255.255)

60.28.204.0/24
(60.28.204.0 - 60.28.204.255)

154.8.128.0/17
(154.8.128.0 - 154.8.255.255)

And many many more. And yet that still causes overages on the hosting slot for all of my domains, as mentioned. So I need to attend to that with the paid cloudflare to keep hosting costs in check for bandwidth, even though the forums are already more responsive with those firewall blocks.

In response to your questions, we have effectively documented what mitigating a planned attack on a virtually hosted domain (on my VPS) looks like in the current era. Oh, and I never posted about this at length before because it's probable that the attacker can read this.

[valis]

Also note we have entered a new era for attacks: https://www.anthropic.com/news/disrupting-AI-espionage

[Gordon Gekko]

Ah, i smell a bit of marketing in that link
But yeah it becomes easier
May the force be with you valis

[valis]

And also with you

Also, as I’m familiar with the topic and the link, the issue was that people who are now vibecoding are vibecoding exploits and automating bot attacks. Which means things are going to continue to scale on the cyber security front as AI accelerates everything.

On the flipside, I already experimented with converting the database here to several formats, relevant to machine learning, including a vector database format that worked very well to preserve the threaded nature of the conversation while surfacing correct answers.