Giving malicious crawlers and scripts a hard time

Question

My webserver has been up for < 25 hours and has already been crawled for various default pages, just to name one /administrator/index.php.

I understand that this is very common and it's not really an issue for me, as I have secured the server in a decent manner.

For the following idea, let's assume I don't care about the resulting traffic.

What if I were to create a number of the most requested files, usually representing administrator interfaces or other attack vectors of a common website.

The file (e.g. /administrator/index.php) could look like the following:

<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8">
    <title>/administrator/index.php</title>
  </head>

  <body>
    content ^1
  </body>
</html> 

But for the actual body content, I just ram a couple of GB with random strings in there.

For example dd if=/dev/urandom bs=10M count=400 | base64 > /tmp/content and then wrap the above HTML tags around the file.

What would typical crawlers do on such an event?

Answer 1

You're hurting yourself.

The "attacker"/crawler... probably doesn't pay for their traffic or processing power (ie. they use a botnet, hijacked servers or at least are on a connection that doesn't make them pay for traffic), but you will be billed for traffic and CPU/storage/memory, or your server's hoster has a "fair usage" clause, under which your server's connection will be throttled or cut off if you serve Gigabytes of data on the short term, or your storage bandwidth will be reduced, or your CPU usage limited.

Also, why should anyone be so stupid to download Gigabytes of data when they're just looking for a specific page? Either, they're just looking for existence of that page, in which case the page's size won't matter, or they will definitely set both a timeout and a maximum size – no use waiting seconds for a server to complete a response if you've got hundreds of other servers to scan, and especially not when greylisting is a well-known technology to slow down attackers.

Answer 2

Consider that serving anything other than HTTP 404 page for /administrator/index.php may get your server in the lists of potential targets, which means even more scans in the future. Since crackers who pay for such lists don't need to scan millions of IPs themselves, they can concentrate on you with much more sophisticated attacks than checking for the default admin page.

Unless your server is set up with the purpose of attracting malicious activity, looking like a potential victim will do you no good.

Answer 3

As already said, its probably not worth it, but it is a very interesting topic to think about. There was a very good talk on that topic at DEF CON 21 called "Making Problems for Script Kiddies and Scanner Monkeys" which you can find here: https://www.youtube.com/watch?v=I3pNLB3Cq24

Several ideas are presented, and some are very simple and effective like sending certain random HTTP response codes, which in the do not affect the end user, but significantly slow down scanners. The talk is worth a look :)

Edit: This is brief summary of the talk for those who do not have time to watch it: Browsers interpret many HTTP responses the same way, independent of their response code. That is of course not the case for all response codes (like 302 redirects), but for example if your browser gets a 404 "not found" code, it will render the page the same way if it was a 200 "OK" code. But scanners/crawlers are different. They mostly depend on the returned response code. For example if they get a 404 response code, they conclude that the file does not exist, but if they get a 200 response code, they conclude that the file exist and will do some stuff with it (scan it, report it to the user, or something else).

But what if you would set your web server to only send 200 codes (even if the resource does not exist)? Normal users probably will not notice it, but scanners will get confused because all resources they try to access (for example by brute force) will be reported as existing. Or what if you return only 404 responses? Most scanners will think that none of the resources they are trying to access are available.

The talk addresses that and tests various response codes and various scanners, and most of them can get easily confused that way.

Edit2: Another idea I just got. Instead of sending 10Gb of data as you said to those who you think are scanners, why not just send a HTTP response with a Content-Length header with a value of 10000000000, but add only couple of bytes of data in the HTTP response body? Most clients will wait for the rest of the response, till the connection times out. That would massively slow down scanners. But again, it's probably not worth it, and you would have to be sure to do that only to those who you detect as scanners.

Answer 4

Forget the gigabytes. Use minutes or hours of delay. Many web servers have modules that introduce artificial delays (aka tarpits). It occupies a thread/process on your server, but it comforts a few other servers on the Internet who would have been probed during the time. Of course other bots and other threads of this bot continue their work, so the annoyance is minor.

Answer 5

This is a topic near and dear to my heart, I've battled bots etc for ages. My conclusion is that your best strategy always, though not very gratifying, is to simply absorb the traffic, that is, detect that it is a bot, and then neutralize any further action on its part, without giving any programmatically obvious indication that you have done so (obvious would be: send a large file in response to an html page request; serve a page telling them they are bad and not allowed - a mistake I made for ages, not realizing that it's software, not a person). Programmatically non obvious means that to automated bot spidering software, the response looks normal, and does not raise red flags internally.

To understand what Programmatically non obvious pages look like, take some time examining for example an seo constructed spam website that you get to in a google search. Those pages are designed to work around google bot filters, that is, they do not trigger internal google spidering red flags, which is why they were offered as a SERP result to you in your search. Bad Bots are not very complicated (speed/efficiency is more critical for bot activities) in terms of programming sophistication, that is, their ability to 'read' the page or response tends to be quite basic, and it's not very hard to give them something that looks like a normal response.

Some of the responses here point to a problem that until you've personally experienced it, is easy to not understand the severity of, and that's underestimating the resources, and the possible vindictiveness, of bot masters. If you engage in the type of tricks contemplated here, only a few things will happen:

1. you use server resources for no reason and no gain

2. you aggravate the bot operators, who can then add you to lists that are distributed globally that basically are databases of sites to target heavily, usually because they are good targets, but they can just as easily add your site to this list. This has happened to me before, and it took me months to program around the attacks because while they resemble DDOS, they aren't actually that, they are simply various bot software operators using those master lists.

I've at some points tried the send large file to violators, but it's not just a waste of time, it's generally counterproductive.

There's also some fundamental misperceptions of how bot software works, it's often quite simple, and designed for rapid action, so the odds are quite good that as soon as a size limit is hit, it just stops.

To clear up some common misconceptions about bots and how they work, let's construct a simple one:

wget --spider -t 1 --read-timeout=5 -U "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0" [target url]

this is the initial url database builder bot component. It's only requesting the HEAD, that is, checking to see if the file exists. This will generate a server response code. As some people here indicated, correctly, one excellent strategy is to simply use this step to send them a 404, once their bot has been detected. The bot is software, not a person, so it will merely shrug its virtual shoulders and go, fine, page doesn't exist, next url. This is a very good strategy, and the one least likely to raise red flag alerts. It's also telling the server that it's firefox on windows 10, or it could be anything else they chose to enter in there, but fake lists of useragents that are switched or rotate are common features of decently designed bad bots.

However, serving the 404 still takes some server resources, particularly if your 404 page is constructed by a cms. If you just use the default server 404, that is light, but ugly for real users who might have also hit a 404.

A 301 is just going to send the request elsewhere, whatever you do, do not send it to a known anti spam/bot website, they know those as well or better than you. Just send it somewhere that doesn't exist.

However, bots do not in general respect 301s with any consistency, sometimes they do, sometimes they don't, depends on their programming.

So there's some decisions on how to handle a bot at the spidering stage. A 404 is a quite good solution, though make sure to actually test the real server response codes so that you know the response sent is a real 404, not just a redirect to a 404 page, which most bots won't realize was a failed test.

Now we can grab the file:

wget -t 1 -Nc --read-timeout=5 -U "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0" [target url]

Note again, we're timing it out again, which terminates the big file idea, and makes that a total waste of your server resources, and sending a fake useragent.

Obviously, bots will generally be written to be significantly more efficient than sending wget requests, or curl, but the ease of working around most ideas here should be obvious since I'm writing my bot using wget and built in options, for any decent bot software, this of course will be far more sophisticated, or at least, more sophisticated, and easier to use.

Any self respecting bot author of course will take the time to google threads like this one to see what people are currently doing, and simply add in spider/downloader protections to handle those ideas, which is why you don't use them. Bot authors are often serious and competent professionals, whose work focuses on successful bot activity, this is their work, so it's worth respecting them a bit to avoid aggravating them, which is like jay walking in front a policeman, it's just a pointless provocation.

For the downloading phase, you can again use the fact of the detection to simply serve them fake pages with no content, or anything else that will have very little load on the server. Whatever you do, you don't want to use a lot of resources to give them fake content.

There's a lot of fairly silly ideas as well floating around the internet, which generally show more the lack of experience of the people floating them, for example, spending time blocking IP addresses. Most bots are run from random IP addresses, might be on a bot net, might be datacenters, might be AWS temp sites/IPs set up then discarded, whatever it is, there are few less productive ways to block bots that by blocking IPs. This will become even more so when IPv6 becomes standard, with its ability to do random reassignments of public IP addresses based on timers or schedules or device configurations.

Analyzing IP data can be useful to let you know what you are dealing with, for example, maybe most come from romania, or china, and that tells you something, but they can, and do, switch from one to another, and from one datacenter/botnet to another, so IP analysis is more of a good backend tool to let you see what type of bot issue you're dealing with.

It's always a good strategy to respect the intelligence of the spidering tool (aka, bots) software authors, and to not assume they are stupid, or to antagonize the users of that software needlessly, just do your business, handle the bot and then let it move on to the next site without registering issues on yours.

Also, it's important to understand that there's no such thing as bots per se, what there are are usually single purpose bots. A 'bot' per se is a piece of software that in almost all cases automatically requests urls in its database, it may also as part of its function create that database of urls, or it may use commercially available databases. Some bots scan automatically the entire IP ranges of the internet, they are just looking for things, others are targeted, and, as with search bots, follow links. Note that if you have not blocked all admin type pages/directories in robots.txt, you can't tell which bot is ok and which isn't, so that's the first step you take. You don't need the whole file path, just the start of it that makes it unique as a path, like: /admin

1. search bots, legitimate
2. seo bots, usually pretending to be legitimate. Blocking useragents in robots.txt then analyzing log files for subsequent requests can show you which are real and which scum.
3. contact page autosend/fill bots
4. blog autopost bots
5. forum signup/post bots
6. blackhat bots searching for common easily exploitable application urls, for often insecure and/or non updated tools like: wordpress, phpmyadmin, drupal, etc. These can usually be detected in stats by seeing what requests certain urls that generally are not linked to.
7. site uptime bots, see #2 for how to check if real. Basically, if you didn't sign up for the service, it's gray or blackhat.
8. experimental bots, new search engines, web services, sometimes ok, sometimes badly written, usually not malicious but worth examining.
9. indexing bots, for example, could be selling indexes of sites to various other bot operators.

Then there are non bot type things like DDOS attackers, which use zombie net pc's usually, or hijacked servers (see #6, this is one reason they will spider - to find sites running software with known security issues, or zero days. You can actually discover usually when a security issue appears in the blackhat world by simply looking for requests for certain common software urls). Hijacked servers are a premium product in the underworld because they tend to have access to much more bandwidth and cpu/ram than a regular personal pc device.

This is not of course an exhaustive list, just a sample of various bots and the kind of thing they look for.

Note that some search bots may act like bad bots if configured badly, again, you can give directives in robots.txt and see if they obey them, if they don't, you can block them, if they don't respect the blocks, you have a variety of choices.

The reason there's such heavy bot activity out there is that most users are simply totally and utterly unequipped to be a webmaster for their site, they are basically sitting ducks, and use badly written software with bad security, or use bad programming that fails to protect against common attack vectors like sql injection, so there's a significant benefit/reward to the constant bot scanning activity. Obviously you can mitigate a bit by always updating all your software you use, or, better yet, eliminate unnecessary and very insecure tools like phpmyadmin in the first place to remove the entire attack surface. Or at least password protect the folder containing its files.

I had a client who had the terrible idea of running their own IIS webserver, which was at the time so radically insecure that, as in the OP case, the second I put it online, I saw instant bot probes for common IIS access points, even though there had never been a link to the IP. I told my client the next morning that he had to shut down the IIS instance and give up, since he was never going to be able to maintain secure local systems, luckily for me, he did.

I use grep, sed, awk for most of my analysis, though I'm sure there must be gui tools to do some of the stuff, no idea, never needed it.

You're not examining 10s of thousands of accesses in your logfiles, by the way, you're searching for the patterns, using tools that are made for that job (like awk/sed/grep), then seeing if you can detect patterns that can be solved with programming responses. There's also firewall tools that can be programmed to block requests that fit certain rules, but those are harder to configure correctly.

Answer 6

I use a gzipped 5 gigabyte HTML file consisting of numerous various recursive open tags with no corresponding closing tags. The gzipped file is only 20 megabytes. Then I use the following PHP code to feed it to the client using HTTP compression so it inflates to its original volume at the client's end:

set_time_limit( 0 );
$payload = '5G-html.gzip';
header( "HTTP/1.1 200 GO AWAY", TRUE, 200 );

if( !function_exists( "exit_handler" ) )
    {
        function exit_handler()
        {
            global $payload;
            error_log( "[spamcheck] Finished sending $payload to malicious client" );
        }
    }

register_shutdown_function( 'exit_handler' );
error_log( "[spamcheck] Begin sending $payload to malicious client" );
header( 'Content-Type: text/html' );
header( 'Content-Encoding: gzip' );
header( 'Content-Length: ' . filesize( $payload ) );

if (ob_get_level()) { ob_end_clean(); }
   readfile( $payload );

The 20 megabyte file:

rw-r--r-- 1 www-data www-data  20M Sep 25 11:32 5G-html.gzip

Here's the Apache log of a guestbook spammer hitting my script. Check out the request size, 3.7 of the 20 megabytes were sent (inflating to ~925 megabytes received by the client):

(REDACTED) - - [23/Mar/2022:15:36:48 -0500] "GET /contact/ HTTP/1.0" 200 3730993 "(REDACTED)" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

It definitely has an effect on the spammy bots. Since I implemented this system, the volume of guestbook-spamming bot hits has decreased from hundreds per day down to maybe five or ten per day. I like to think that it crashes their scripts with out-of-memory errors.

Answer 7

You're hurting yourself if you try and antagonise the attacker. They have infinite resources whilst yours are finite. If you ship enough data to make all of their botnet exhaust the ISP limits then I suppose you have won. But this is not possible whilst your resources are finite.

What you can possibly do is tarpit their collectors until they run out of usable sockets, but if you were to do this from your web server it is likely that you will run out of memory as Apache HTTPd/nginx/varnish are reasonably heavy memory-wise, especially Apache with a few modules loaded.

What you could possibly do is use a firewall to direct the traffic to something like a thin proxy that tarpits certain URLs but all others go to the real server. This will take a lot of work for minimal gain.

Answer 8

Project Honeypot does this already. Perhaps you should join Project Honeypot. If you want to "give them a hard time", the 404 does that already.

As already stated countless times -- they have more resources available than you do, so -- it is a war of attrition that you will lose, in my opinion.