Web based family history software

Traffic Report - FYI

6 days 20 hours ago #1 by andrewg_oz
Traffic Report - FYI was created by andrewg_oz
This is a "heads up" for anyone running their own webtrees server (or anyone running any server, really).

I'm the "tech support" for my Dad's webtrees installation. Over the last week my Dad had been noticing a progressive deterioration in the performance of his webtrees. We tried a few simple things like adding AS numbers to the config.ini.php for any suspicious-looking IP addresses we could see in the logs.

I couldn't do a lot before the weekend, but by the time the weekend arrived things were quite dire. Normally the quad-core QNAP running webtrees has a 15-minute load average of about 0.7-0.8. By Saturday I was seeing peaks of 70-80! I operate a reverse proxy between the QNAP and the Internet and so I could easily monitor the individual requests. Where I would normally see a request every few seconds, they were now scrolling by at a rapid rate.

Doing an IP WHOIS lookup for what appeared to be the most frequently appearing IP addresses found them all to be originating from Alibaba Cloud LLC. I Googled for 'ali baba cloud ip ranges' and blocked in iptables the 15 networks that turned up in one of the results and then a few more apparently related networks for good measure.

Everything quickly returned to normal.

Cheers,
Andrew
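
Added example, not part of the original post or of webtrees: one way to spot the pattern described above in a reverse proxy log is to count requests per network instead of per IP address, so a crawler spread thinly over many addresses in one provider's range still stands out. It assumes the proxy writes common/combined log format; the function names, thresholds and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Leading client address of a common/combined log format line (assumed format).
CLIENT_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "')

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Map an address to its enclosing network so spread-out crawlers group together."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def busy_networks(lines, min_requests=50, min_hosts=10):
    """Return [(network, requests, distinct_hosts)] for networks over both thresholds."""
    hits = defaultdict(int)
    hosts = defaultdict(set)
    for line in lines:
        m = CLIENT_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        try:
            net = network_of(m.group(1))
        except ValueError:
            continue                      # client field was not an IP address
        hits[net] += 1
        hosts[net].add(m.group(1))
    flagged = [(n, hits[n], len(hosts[n])) for n in hits
               if hits[n] >= min_requests and len(hosts[n]) >= min_hosts]
    return sorted(flagged, key=lambda row: row[1], reverse=True)

def constructed_sample():
    """Constructed log: 40 hosts in 198.51.100.0/24 x 3 requests, plus ordinary visitors."""
    fmt = ('{ip} - - [01/Jan/2025:10:00:{s:02d} +0000] '
           '"GET /tree/demo/search?q=x HTTP/1.1" 200 512 "-" "-"')
    lines = [fmt.format(ip=f"198.51.100.{h}", s=r) for h in range(1, 41) for r in range(3)]
    lines += [fmt.format(ip="203.0.113.7", s=s) for s in range(5)]
    lines += [fmt.format(ip="2001:db8::1", s=1), "garbage line"]
    return lines

if __name__ == "__main__":
    for net, reqs, n_hosts in busy_networks(constructed_sample()):
        print(f"{net}\t{reqs} requests\t{n_hosts} hosts")
```

Each flagged network is a candidate for a WHOIS lookup before it goes into a packet filter; no single address in the sample makes more than three requests, which is why a per-IP tally would miss it.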

6 days 18 hours ago #2 by Lars1963
Replied by Lars1963 on topic Traffic Report - FYI
Using the actual BadBotBlocker.php might also help? github.com/fisharebest/webtrees/commit/0...458874846bace4d0a6ef  

5 days 17 hours ago #3 by andrewg_oz
Replied by andrewg_oz on topic Traffic Report - FYI

Using the actual BadBotBlocker.php might also help? github.com/fisharebest/webtrees/commit/0...458874846bace4d0a6ef
Thanks, that looks like webtrees.net/admin/block/ which I was already using to block "AliBaba" and Microsoft's Bing bot, which had been filling the logs with truly bizarre search queries. It was just like Bing was submitting their "front page" queries directly to the webtrees search! Queries that have no business on a genealogy site - like "french beans" and "adp full form in computer".

I had tried to find an AS number related to "AliBaba Cloud", but didn't get anywhere. Dropping the packets before they even get to the QNAP is probably better, though.

5 days 16 hours ago - 5 days 16 hours ago #4 by bertkoor
Replied by bertkoor on topic Traffic Report - FYI
From the log lines someone shared some weeks ago, according to whois.domaintools.com these two bots are hosted by "Alibaba cloud". If you want to block them, it's easy and explained in the FAQ article "block unwanted visitors". Just add a line block_asn to your config.ini.php. The offending ASN you want to block here is AS45102.
Code:
block_asn="AS45102 (Alibaba Cloud), AS99999 (AnotherZombieNest)"


block_asn is free text, webtrees matches on ASnnnnn.

stamboom.BertKoor.nl runs on webtrees v2.2.1
Last edit: 5 days 16 hours ago by bertkoor.

4 days 18 hours ago #5 by andrewg_oz
Replied by andrewg_oz on topic Traffic Report - FYI
Thanks for finding that AS number. I've added it to the config, but I will be keeping the packet filtering.
