• Home
  • Get help
  • Ask a question
Last post 1 hour 6 min ago
Posts last week 81
Average response time last week 4 hours 29 min
All time posts 67934
All time tickets 10501
All time avg. posts per day 20
Collected over 9 years 1 months 0 days and updated each hour automatically. Last updated 2024-05-07 16:18 UTC

Helpdesk is open from Monday through Friday CET

Please create an (free) account to post any question in the support area.
Please check the development versions area. Look at the changelog, maybe your specific problem has been resolved already!
All tickets are private and they cannot be viewed by anyone. We have made public only a few tickets that we found helpful, after removing private information from them.

#1225 – anti flooding function in sh404sef

Posted in ‘sh404SEF’
This is a public ticket. Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Thursday, 29 October 2015 08:20 UTC
syrah
 Hello,

I am using the anti-flooding function from sh404sef and for exemple for october I got (flooding) 4660 blocked attacks (in the stat it says 4660 100.0 % 006.8 /h )
So this function is doing a great job but since several months I started getting more and more 403 errors from google and bing webmaster tools which is not a very good sign. Does this function can make the difference between a real attack (bad guy who wants my web site down) and the search engine (good guy like google or bing) ?

So I am wondering If the 403 error are a result of the anti flooding or not.

actually the configuration is :
anti-flood control 10
max number of requests 10

My questions are do you have other user of anti flood who got the same issue and do you know if I increase the number in the configuration panel the problem would be solved ? and in that case what number do you reckon ?
My last question : Do you think it is a bad or good idea that I turn off the anti flooding ?

Thanks a lot for your advises and help
V.
Thursday, 29 October 2015 09:00 UTC
wb_weeblr
Hi

Does this function can make the difference between a real attack (bad guy who wants my web site down) and the search engine (good guy like google or bing) ?
No, this function is an anti-flood, there's little way to efficiently distinguish from valid or invalid requests, we only look at the rate of requests.

Search engines normally don't flood you, they would only do a few requests per day and should definitely not be subject to this protection.

You can look in the log files (in/logs/sh404sef/sec) to find about requests that were blocked.

Then you can relax those settings a bit depending on what you find.

Rgds
 
Thursday, 29 October 2015 10:30 UTC
syrah
Hello,

Thanks for your reply.
I did as you said, I check the log file but I would need a little bit of your help if you are ok.

Could you just explain me the different between those 3 lines :

Line 1: 2015-10-01 21:09:40 Flooding 5.178.87.166 - Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1 GET /xxxx/xxxx 13 requests in less than 10 seconds (max = 10)[I have 479 line of flooding with this IP]

Line 2: 2015-10-26 19:48:59 Flooding 157.55.39.83 - Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) GET /xxxx/vie-couple/temoignage-difference-desir 21 requests in less than 10 seconds (max = 10)

Line 3: 2015-10-04 09:09:22 Flooding 207.241.128.40 - - GET /wp-content/plugins/revslider/temp/update_extract/revslider/configs.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 23 requests in less than 10 seconds (max = 10) [I have 1171 lines of flooding with this IP]

There is no user-agent in the third line does this mean it is a human behind the flooding?

The line 1 and 2 have a user agent does this mean it only a search engine ?
Thanks
V
Edited by wb_cati on Monday, 15 February 2016 18:54 UTC
Thursday, 29 October 2015 10:47 UTC
wb_weeblr
Hi

User-agent or referrer are just field made up by the requester. They are no indication of the actual source of a request. I can make a request to your site with Bing or Google user agent, that's just a setting.

The first and last fine:
- the IP address in the first line doesn't match any bot, it's actually doesn't have a domain associated with it.
- the last one is an attempt to hack your site - with a Wordpress attack!
(this is how they work. They don't care what your site is Joomla, wordpress, anything else...). It's more efficient for them to launch the attack, and see if it works, than first identify your site as a Joomla one and then send a joomla-specific attack

However, the second one is indeed a request from a valid IP address of Bing. It's very suprising they crawl so fast (21 requests in 10 seconds), but it happens, so you should relax your flooding settings. For instance, try 30 requests in 10 seconds and monitor the logs for errors.

It means you will accepts some requests from the other sources, but there's nothing we can do about that. Those requests are not dangerous (Wordpress!), their only effect is to waste your server resources.

Rgds
 
Thursday, 29 October 2015 11:11 UTC
syrah
Thanks a lot for the explanation. It helped me a lot.

Have a good day.
V.

Ps I am closing this ticket
This ticket is closed, therefore read-only. You can no longer reply to it. If you need to provide more information, please open a new ticket and mention this ticket's number.