
SOLVED: Automated phpBB Forum Spam Post And Registration Causing DDoS Attacks

s
Posts: 367
Joined: 2017-7-5 09:58

Post by s » 2025-5-18 06:37

Update history:
  • 10.9.2025: Added equal sign after matching SID to prevent false positives. Thank you Stoker for pointing this out.
  • 14.9.2025: Instead of forbidden (F=403), return 422 "Unprocessable Content" error which is more descriptive in Apache. Unfortunately Apache does not offer cutting the connection (444) like NGINX does.
Forums use databases and session handling which require many computations and eat up a lot of resources. Normally bots, crawlers and spiders can be identified from User Agent strings. This allows forum administrators to detect automated scripts and switch off session handling for them to reduce the load. This helps tremendously, but only if bots declare themselves.

Undeclared automated forum spamming for backlinks started in this forum a few weeks ago. CPU usage and load peaked because the database server was handling a lot of automated requests. Finally the server became unresponsive until the attackers were blocked on the web server and operating system level. Banning IP addresses and users does not help, because as long as spammers can access the forum they will cause excessive load with a huge number of requests even if they are banned or blocked. HTTP requests execute many PHP scripts and database queries which will quickly overload the SQL server, forum software, web server, operating system and finally the hosting. There have been hundreds of requests per second and thousands of lingering connections.

FIX: Automated DDoS, phpBB Forum Posting And Registration Spam Attacks

Script kiddies are writing malware like xrumer/xevil to automatically register and post spam to phpBB forums. Those scripts rely on automated moderation or lack of moderation. Posts, topics and replies are irrelevant to the subject and contain links. These spammers want backlinks for search engine ranking and more traffic. Therefore the easiest way to stop forum spam is manual moderation of posts, signatures and registrations every time anything changes. Preventing posting links may help, too. However, this will not solve the biggest problem caused by aggressive forum posting scripts that quickly turn into DDoS attacks eating all traffic quota and CPU time, and filling up memory. Especially on servers with multiple websites, they can take down the whole server and all websites. Shared hosting services are likely to address the problem by just shutting down the forum without addressing the real issue: aggressive spam that turned into a DDoS attack.

How to block the attackers?

Here is a universal fix to block malicious spam attacks against phpBB forum software. Before you apply this fix, add bots, crawlers and spiders to the phpBB bot configuration to make sure they will not be assigned SIDs.

NGINX

Add the following configuration to the file
/etc/nginx/sites-available/YOUR_WEBSITE

map $http_user_agent $denyagent {
    default     1;
    ~*bot       0;
    ~*crawler   0;
    ~*spider    0;
}

server {
    # Collect one X per matching spam bot condition
    set $botdeny "";

    # 1. User agent does not declare itself as a bot, crawler or spider
    if ($denyagent) {
        set $botdeny X;
    }
    # 2. Request carries no Referer header
    if ($http_referer = "") {
        set $botdeny "${botdeny}X";
    }
    # 3. Query string carries a phpBB session id (sid=)
    if ($args ~ "sid=") {
        set $botdeny "${botdeny}X";
    }
    # All three matched: close the connection without sending a response
    if ($botdeny = XXX) {
        return 444;
    }
}

Apache

Add the following configuration to the file
YOUR_WEBSITE_ROOT_DIRECTORY/.htaccess

<IfModule mod_rewrite.c>
    # Harmless if already set earlier in this .htaccess
    RewriteEngine On
    # Consecutive RewriteCond lines are ANDed: all three must hold
    # 1. User agent does not declare itself as a bot, crawler or spider
    RewriteCond %{HTTP_USER_AGENT} !(bot|crawler|spider) [NC]
    # 2. No Referer header
    RewriteCond %{HTTP_REFERER} ^$
    # 3. A phpBB session id in the query string
    RewriteCond %{QUERY_STRING} (sid=) [NC]
    # Stop processing and answer 422 Unprocessable Content
    RewriteRule ^(.*)$ - [R=422,L]
</IfModule>

Special thanks to Smirftsch for testing and correcting the Apache fix.

Re-starting NGINX to apply configuration changes

After that you need to reload your NGINX configs so that the changes take effect. If the reload fails, you will have to look for the errors in the logs. If your configs have errors when you start or restart the server, NGINX will stop working until you fix the errors. I personally found that annoying and wrote the following script to first test that the configs are OK before reloading NGINX; if they are not, it will immediately show you the errors in the configuration.

#!/bin/bash
#
# Test the NGINX configuration and reload NGINX only if the configuration is OK
# Public domain, 2025

# Functions
ok() { echo -e '\e[32m'"$1"'\e[m'; }   # Green
die() {
    echo -e '\e[1;31m'"$1"'\e[m'       # Bold red
    exit 1
}

# Sanity check (id -u is the user id; root is uid 0)
[ "$(id -u)" != "0" ] && die "Script must be run as ROOT."
[ $# != "0" ] && die "Usage: $(basename "$0")"

# Test NGINX configuration; on failure nginx -t itself prints the file and line of the error
/usr/sbin/nginx -t
rc=$?
if [ $rc -eq 0 ]; then
  ok "Testing NGINX configuration"
else
  die "Testing NGINX configuration failed, error $rc"
fi

# Reload NGINX only after the configuration test passed
/usr/bin/systemctl reload nginx.service
rc=$?
if [ $rc -eq 0 ]; then
  ok "Reloading NGINX configuration"
else
  die "Reloading NGINX configuration failed, error $rc"
fi

ok "NGINX reloaded, all good"

How to find out where the attacks are coming from?

If you have web server access logging on, you can find the sources from those logs. I personally prefer to have logging disabled to guarantee absolute privacy and reduce web server load. You can find from the access log the sources of traffic, frequency of visits as well as the User-Agent string. If you count the number of requests from each IP address, excluding legitimate bots who identify themselves, you will find out the sources. Those requests that try to post to your forum, login, register and often clear cookies are the most promising. When there are hundreds or thousands of requests coming every hour, those cannot originate from users, so they must be caused by malicious scripts.

Here are some simple *nix commands for the NGINX web server you can use to find out the sources.

Find how many times the top 20 IP addresses have accessed the forum:

awk '{print $1}' YOUR_HTTP_ACCESS_LOG | sort | uniq -c | sort -nr | head -20

The same query but with User Agent strings that do not announce themselves as bots:

grep -i -Ev 'bot|spider|crawler' YOUR_HTTP_ACCESS_LOG | awk -F' - |\"' '{print $1" - "$7}' | sort | uniq -c | sort -nr | head -20

The same but with only those trying to post, register, login or delete cookies:

grep -e posting -e registration -e delete_cookies -e login YOUR_HTTP_ACCESS_LOG | awk -F' - |\"' '{print $1" - "$7}' | sort | uniq -c | sort -nr | head -20

Blocking IP addresses is futile

You can block IP addresses in your web server configuration if you want. The following examples are for blocking malicious IP addresses, but that is futile as the attackers are using automated proxy lists that grow all the time. When you have managed to block some IP addresses, new ones are already coming, taking your forum down.

The principle is universal and available in all web servers. The following examples are written for NGINX. You could deny access from your web server, but that would cause your web server to send a 403 error page which would still generate traffic and eat your server's resources. Another, smarter option is just to cut the connection immediately by returning error 444 "No Response". Alternatively you can block those IP addresses in your firewall.

In NGINX you can do this by editing your web server configuration file:
/etc/nginx/sites-available/YOUR_WEBSITE
Add to the beginning of the configuration file a GEO block like this with malicious IP addresses:

geo $block_spambots {
    default          0;
    47.236.134.202   1; # aggressive DDoS forum posting bot
    47.82.0.0/16     1; # aggressive DDoS forum posting bot
    47.79.0.0/16     1; # aggressive DDoS forum posting bot
    87.120.166.175   1; # forum registration bot
    147.45.66.176    1; # forum registration bot
    3.1.218.249      1; # a bot searching for WordPress vulnerabilities
    172.173.151.173  1; # a bot trying to run cron
}

Then go to the server section that starts with "server {" and add there this configuration:

# Close the connection without a response for every listed address
if ($block_spambots) {
    return 444;
}

Feel free to use and share it, I hereby release everything into the public domain.

Happy hacking,

Santeri
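As an added example (not from the original post), here is a small Python script that applies the same three-condition rule as the NGINX and Apache configuration above to access log lines, so you can check which requests would be dropped and which sources they come from before deploying the rule. It assumes the common combined log format; the log lines and IP addresses are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic from the forum).
SAMPLE_LOG = """\
203.0.113.10 - - [18/May/2025:06:30:01 +0000] "POST /posting.php?mode=post&f=3&sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.10 - - [18/May/2025:06:30:02 +0000] "GET /ucp.php?mode=register&sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
198.51.100.7 - - [18/May/2025:06:30:03 +0000] "GET /viewtopic.php?t=42&sid=fedcba9876543210fedcba9876543210 HTTP/1.1" 200 9800 "https://forum.example/viewforum.php?f=3" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
66.249.66.1 - - [18/May/2025:06:30:04 +0000] "GET /viewtopic.php?t=42 HTTP/1.1" 200 9800 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10 - - [18/May/2025:06:30:05 +0000] "GET /ucp.php?mode=delete_cookies&sid=0123456789abcdef0123456789abcdef HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
DECLARED_BOT = re.compile(r'bot|crawler|spider', re.I)          # same UA test as the config
SPAM_ENDPOINT = re.compile(r'posting|register|delete_cookies|login', re.I)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def would_block(rec):
    """Mirror the posted rule: undeclared UA AND no Referer AND sid= in the query string."""
    undeclared = not DECLARED_BOT.search(rec['agent'])
    no_referer = rec['referer'] in ('', '-')                   # "-" is how an absent header is logged
    sid_in_query = 'sid=' in rec['path'].partition('?')[2]      # case-sensitive, like $args ~ "sid="
    return undeclared and no_referer and sid_in_query

def summarize(log_text):
    """Per-IP counts: requests the rule would drop, and how many of those hit spam endpoints."""
    dropped, spam_hits = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not would_block(rec):
            continue
        dropped[rec['ip']] += 1
        if SPAM_ENDPOINT.search(rec['path']):
            spam_hits[rec['ip']] += 1
    return dict(dropped), dict(spam_hits)

if __name__ == '__main__':
    dropped, spam_hits = summarize(SAMPLE_LOG)
    for ip, n in sorted(dropped.items(), key=lambda kv: -kv[1]):
        print(f'{n:6d} {ip}  (post/register/login/cookie requests: {spam_hits.get(ip, 0)})')
```

Run it against your own access log by replacing SAMPLE_LOG with the file contents; a logged-in human browsing the forum normally sends a Referer and so is not counted, while a self-declared crawler is excluded by the user agent test.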

s
Posts: 367
Joined: 2017-7-5 09:58

Post by s » 2025-6-8 14:18

Here is another forum suffering from the same attack. I found a universal fix that does not require blocking any IPs, bots or countries. I am currently testing it on this forum. So far so good.

Cheers,

s

s
Posts: 367
Joined: 2017-7-5 09:58

Post by s » 2025-6-12 03:39

These bots leave the TCP connection open. I had over 1000 connections just waiting. To mitigate the issue, which is reminiscent of a Slowloris attack, I made this fix: SOLVED: How to disable tcp-keepalive persistently in Debian?

To make it even more effective, you should add this configuration to your website's nginx config file:

reset_timedout_connection on;

When this setting is on, NGINX will cut the connections immediately after returning 444. Both fixes together solve the lingering connection issue which may starve your TCP sockets making your server inaccessible.

I also found a universal and permanent fix to block all the current spam traffic without resorting to blocking individual IPs, IP ranges or countries, or using services like Cloudflare which I do not trust. If you are interested, reply to this post with your contact or register to my forum for sending private messages, and I will help you to stop the bots once and for all. The fix is so simple, and therefore too easy to work around, that I will not release it publicly, at least for now.

Happy hacking,

s

F*ckCloudflare

Post by F*ckCloudflare » 2025-6-15 04:26

The only one benefiting from this is Cloudflare. Fuck them.

PhishingBuster

Post by PhishingBuster » 2025-7-26 08:36

The man behind the attacks:
PayPal of Alexandru Robu, who is behind the recent forum attacks with xevil and xrumer

Smirftsch
Posts: 1
Joined: 2025-9-1 17:15

Post by Smirftsch » 2025-9-2 11:21

Hey S,

would love to answer you in the PM, but it seems you've disabled that ;)

Very nice to talk with you, thanks for your help!

Currently running a shared server on Apache, can switch it easily to nginx but need my hoster's assistance then, since I can't configure this thing directly, and my main page is running on ProcessWire which needs some adjustments to run on it.
Shouldn't be much of a problem if that's needed, but may cause some delay.

I'm running a community page for Unreal1 & Unreal Tournament and it needs only seconds until the number of guests goes into the thousands and finally blows up the server with load.

I am not entirely sure if that is the same issue or if this issue is covered with your fix as well, but it very much sounds alike.

s
Posts: 367
Joined: 2017-7-5 09:58

Post by s » 2025-9-2 13:54

Smirftsch wrote:
2025-9-2 11:21
would love to answer you in the PM, but it seems you've disabled that ;)
Oh damn. I enabled it very recently when people started contacting me about forum fixes, but forgot to enable it for my own account.

Feel free to email me at forum@webseodesigners.com and I will make sure you get the fix, OK?
Smirftsch wrote:
2025-9-2 11:21
Currently running a shared server on Apache, can switch it easily to nginx but need my hoster's assistance then, since I can't configure this thing directly, and my main page is running on ProcessWire which needs some adjustments to run on it.
Shouldn't be much of a problem if that's needed, but may cause some delay.
OK, it's not a problem. Shared hosting makes it a bigger issue as those damn spammers take the whole web server down and all the websites are affected. Therefore hosting providers take the easy way to fix the issue and shut forums down instead of fixing their web servers.

On top of blocking the spammers by dropping their connections, I also made a fail-safe for the forum which takes it offline if the load is so high that it threatens the other websites.

The biggest issue is the MySQL server, which overloads the server quickly when spam scripts start initiating hundreds of requests per second.

The fix works with both Apache and NGINX, but requires direct access to the configuration files.
Smirftsch wrote:
2025-9-2 11:21
I am not entirely sure if that is the same issue or if this issue is covered with your fix as well, but it very much sounds alike.
It is exactly the same issue.

Clueless Vietnamese script kiddies running Russian malware xrumer/xevil with too aggressive settings turned spamming into DDoS attacks against phpBB forums. There are thousands of forums suffering from attacks and many of them have shut down or started using Cloudflare.

Cheers,

Santeri

s
Posts: 367
Joined: 2017-7-5 09:58

Post by s » 2025-9-4 05:56

Smirftsch wrote:
2025-9-2 11:21
would love to answer you in the PM, but it seems you've disabled that ;)
My bad, now it is enabled. I'm happy that you got your forum back up and running!

Cheers,

Santeri

s
Posts: 367
Joined: 2017-7-5 09:58

Post by s » 2025-9-5 07:06

I released the fix and added it to the original post. There is no need to contact me any more for the fix unless you need help applying it. Also, if it does not work for you for some reason, I can help you to fix the issues. Thank you.

Guest

Post by Guest » 2025-9-9 08:30

Thanks, you are a life saver.