What is the attack and why?

Started by akeelow, Jul 08, 2022, 05:28 AM


akeelow (Topic starter)

Tell me, those who know the subject: there is a site, and for the last couple of months something like a DDoS has been sent at it consistently once a week, according to this scheme:

300-400 thousand calls from different IPs in about 5 minutes, then a break of exactly 70 minutes, and then all over again, and so on for a day or two, then silence. Again in a week.

The server, of course, hangs during the attack, but not for long; Google does not have time to catch the 503 errors. But I noticed another effect: in the analytics, the search-engine traffic source completely disappears, and all traffic is counted as internal transitions. Hence the questions:

1. Why does it happen that the search engine starts to confuse the traffic source?

2. What is it for, and who needs it?

3. There are up to 35 million hits per day; this is hardly free. Does someone purposefully spend money on this to do harm?

Thank you all in advance!!!
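As an added example (not from the original thread), a short log-analysis script that does what a defender would do first with the pattern described above: bin the web server's access log into 5-minute windows, flag windows with an abnormal number of requests from many distinct IPs, and report what share of the hits in each window carried a search-engine referer, which shows how a flood of referer-less requests drowns out the search-engine source in analytics. The combined log format, the search-engine list and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined log format (nginx/Apache); the layout is an assumption, adjust the regex for yours.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SEARCH_ENGINES = ("google.", "bing.", "yandex.")

def detect_bursts(lines, window=300, min_requests=3, min_ips=2):
    # Bin requests into fixed windows (5 min by default, matching the pattern in the thread) and
    # flag windows where request count and distinct-IP count both exceed the thresholds.
    # Thresholds are tiny here to fit the sample data; a real site needs far higher ones.
    buckets = defaultdict(lambda: {"n": 0, "ips": set(), "search": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts = datetime.strptime(m["ts"], TS_FMT)
        b = buckets[int(ts.timestamp()) // window * window]
        b["n"] += 1
        b["ips"].add(m["ip"])
        if any(s in m["ref"] for s in SEARCH_ENGINES):
            b["search"] += 1
    flagged = []
    for key in sorted(buckets):
        b = buckets[key]
        if b["n"] >= min_requests and len(b["ips"]) >= min_ips:
            flagged.append({
                "start": datetime.fromtimestamp(key, tz=timezone.utc),
                "requests": b["n"],
                "unique_ips": len(b["ips"]),
                # share of requests that came from a search engine; a flood of referer-less
                # hits pushes this towards zero, which is what the analytics then reflects
                "search_referrer_share": b["search"] / b["n"],
            })
    return flagged

# Constructed sample log lines (RFC 5737 test addresses), not data from the original thread.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jul/2022:05:00:01 +0000] "GET / HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0"
198.51.100.5 - - [08/Jul/2022:05:00:02 +0000] "GET /?p=1 HTTP/1.1" 200 512 "-" "curl/7.0"
198.51.100.6 - - [08/Jul/2022:05:00:03 +0000] "GET /?p=2 HTTP/1.1" 200 512 "-" "curl/7.0"
198.51.100.7 - - [08/Jul/2022:05:01:10 +0000] "GET /?p=3 HTTP/1.1" 503 0 "-" "curl/7.0"
203.0.113.11 - - [08/Jul/2022:06:15:00 +0000] "GET / HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for w in detect_bursts(SAMPLE_LOG):
        print(w)
```

Run it against a real log by feeding `open("access.log")` instead of `SAMPLE_LOG` and raising the thresholds; the 70-minute gaps show up as empty windows between flagged ones.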


If the site has been previously hacked, a GET request may be given a job.
Anything from bitcoin mining to a DDoS attack on another site. Or, on the contrary, they are probing which of the GET parameters will lead to a result, a hack.

Something along the lines of weird modules, nulled themes, nulled CMS, etc. installed on the sites of the current hosting user?

I would try to dig into script activity at the time of the attack, outgoing connections, mail service activity, and so on.


An interesting situation that I have already encountered somewhere. If we exclude the "order from competitors" option, I would consider the possibility that someone is testing a technique for attacking sites like yours.
Also, I would try to somehow measure the load on the CPU or GPU at the time of the attack, maybe someone is mining...


Targets of attacks on sites:

Obtaining secret information (passwords, etc.)
Obtaining confidential information
Disabling web sites, deleting data
Replacing the content of sites, placing advertising information

Web server attacks can be divided into two categories: local and global.
Local attacks are usually aimed at stealing information or intercepting control on a separate web server.
Global attacks are usually directed at several sites and aim to infect all their visitors.

The most dangerous types of network attacks
Phishing is a type of attack that begins with sending mail messages containing a link to a known resource (or imitating such a link). The design of the web page is usually copied from the resource being imitated. On the falsified page, for instance, it may be written that the bank where you have an account is conducting a campaign to verify access security, while you are asked to enter your credit card number and PIN code.
After entering the specified information, a message is displayed that everything is in order, and after a while money disappears from the account. This scheme can be used not only for embezzlement of money. Having gained access to the user's account, the attackers thereby gain access to their confidential information.

Spoofing is one of the types of phishing. Its essence is an attack via DNS (or some other way), when a page with a known URL is replaced by an attacker's page.

Trojan Horse (Spyware) is a program that records all keystrokes on a terminal or mouse, is able to take screenshots, and transmits that data to a remote host.

Spyware. This kind of software is not necessarily malicious. Some software developers embed such programs in their products to track the preferences of their customers. Unfortunately, not all of these programs are so harmless.
Some spyware programs, in accordance with their name, track the actions of the host of the machine where that program is embedded (keystrokes, visited web sites, confidential information, etc.) and transmit the results to their host. Spyware infection can be carried out traditionally through mail, IM (Instant Messaging) or as a result of visiting a compromised web site.

Attacks on web servers

Legitimate web servers are hacked through the following types of attacks:

Malicious advertising
Redirecting the results of the search server
Through virtual web hosting companies
Through vulnerabilities of programs serving forums
Cross-site scripting
Cross-Site Scripting (CSS) is one of the most widespread network attacks aimed at obtaining personal data using web technologies (sometimes that type of attack is called "HTML injection").
The task is solved by executing certain JavaScript code in the victim's browser. This yields some information stored on the victim's machine (for instance, cookies). The method does not cause immediate harm, but may precede a more serious attack.

SQL injection

SQL injection is used to attack sites working with databases. The possibility of SQL code injection occurs if unfiltered data entered by users is used in SQL queries.

Many modern websites use scripts and SQL queries to dynamically generate page content. SQL queries often use data entered by users; that can lead to a security threat, since attackers may try to inject malicious SQL code into the input data. Without proper security measures, such code can be successfully executed on the server.

XSS (cross-site scripting)
This type of attack is aimed at web sites displaying data entered by users. Instead of trying to gain control of the database by entering malicious code, an attacker tries to attack the code of the web site itself by introducing malicious segments into it.

Protection from Internet attacks:
Server-side protection:

Setting up rights on the server computer
Configuring the HTTP server
Careful server-side programming
Checking incoming HTTP requests
Protection on the client:

General antivirus protection
Checking incoming HTTP traffic
Browser security settings
Reasonable methods of storing passwords and confidential data
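The SQL injection point in the post above ("unfiltered data entered by users is used in SQL queries") and the "careful server-side programming" item in its protection list, as an added example that is not from the original thread: the vulnerable string-built query next to its parameterised form, run against a constructed in-memory SQLite table so the difference in behaviour is visible.

```python
import sqlite3

def make_db():
    # Constructed in-memory table for the demonstration (not data from the thread).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "editor"), ("carol", "editor")])
    return con

def find_user_vulnerable(con, name):
    # The pattern the post warns about: user input pasted straight into the query text,
    # so anything containing a quote changes the meaning of the SQL statement itself.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()

def find_user_safe(con, name):
    # Parameterised query: the driver passes the value separately from the statement,
    # so the input is compared as data and is never parsed as SQL.
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def demo():
    con = make_db()
    tautology = "' OR '1'='1"  # the textbook input used to show the effect of concatenation
    return {
        "normal_vulnerable": find_user_vulnerable(con, "alice"),
        "normal_safe": find_user_safe(con, "alice"),
        "tautology_vulnerable": find_user_vulnerable(con, tautology),  # every row comes back
        "tautology_safe": find_user_safe(con, tautology),              # no user has that name
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```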

Zhess Flatcher

It looks like you have either not encountered DDoS attacks before, or rarely. Your story is a prime example of a DDoS attack. I won't describe the types of attack, but I'll say that traffic is not always obvious even to Google: it goes through proxy channels and can appear both through a direct link and through an advertising campaign. To avoid further server freezes, you need to use a good firewall. Cloud services with filters do this task best of all.


Most likely these are your competitors, and in this way they want to harm you. You can google about protection against DDoS attacks on the Internet; it is a useful thing in such cases. In addition, it is desirable to reduce the number of links to external resources, because they create an additional load on the server.