2

I run a site with about 700 registered users. On a typical day, there are 30-50 hits.

In the last three days, the traffic has increased insanely fast (according to Google Analytics). I got 7,287 hits today. My number of new registered users has not increased proportionally.


It seems that the majority of them are from Russia, which is funny because I'm in the US and my site is English only.


Now, I've done some Googling to check out what's up with all these referral links in Google Analytics.


I've read that most of those are just Russian referral spam hits, in which someone has scraped my Google Analytics key from my HTML, and then they just hit Google Analytics thousands of times to annoy me without actually requesting anything from my server (which is fine, but I think it makes Google Analytics barely valuable at all anymore, because now my data is polluted, but that's beside the point...).

However, my Nginx logs show a significant increase in the amount of traffic during the last few days. The Russian referral spam hits account for only about half of the total number in Google Analytics. I honestly can't figure out why someone would just hit my site over and over again; it takes human interaction to get any meaningful content out of my site.

What can I do to protect myself from this illegitimate traffic? Is my only option to start blacklisting IP addresses?

winduptoy
  • Are you sure they are referral spam? The top referrers appear to be mostly social networking sites. Perhaps your site went viral in Russia for some reason? – Michael Hampton Feb 17 '15 at 05:59
  • Can you confirm spam? It may just be legitimate traffic, as Michael mentions. A [company has recently faced spam from another country](http://furbo.org/2015/01/22/fear-china/), and the load patterns were somewhat specific. Check out the link to see how they answered the attacks; you might find ideas to address the situation, whether or not it is spam. – Eric Platon Feb 17 '15 at 06:42

2 Answers

2

Looks like you just became quite popular. Someone must have placed a link to some of your articles.

  1. This is one of the largest Russian professional communities
  2. This is one of the largest Russian entertainment sites
  3. This is the mobile subsite of p. 1.
  4. This is the most popular Russian social network
drookie
1

Spoofing the "Referer" header is really easy, and I have seen scrapers and bots doing that many times. It would be great if you could sniff that TCP traffic and show us what these HTTP requests look like. Tcpdump can do the trick; it depends on your environment, but give it a try:

$ tcpdump -i eth0 -A -vvv -s 500 'tcp port 80 and ip[2:2] > 40 and tcp[tcpflags] & tcp-push != 0 and dst port 80'

This sniffs all the HTTP requests directed to your web server; then you can grep the results looking for those Russian referrers.
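
The same question can be asked of the Nginx access log without a packet capture. The following is an added example, not part of the original answer: it groups requests by external Referer host and counts how many of the client IPs also fetched static assets, a heuristic for telling browser visits from bots sending a spoofed Referer. It assumes the default `combined` log format; the function name, sample lines and host names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Nginx default "combined" format:
# ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Static assets a real browser normally requests after loading a page (heuristic).
ASSET_RE = re.compile(r'\.(css|js|png|jpe?g|gif|ico|svg|woff2?)(\?|$)', re.I)

# Constructed sample lines (documentation IP ranges, made-up host names).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Feb/2015:05:01:02 +0000] "GET /article HTTP/1.1" 200 5120 "http://social.example/feed" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Feb/2015:05:01:03 +0000] "GET /static/site.css HTTP/1.1" 200 900 "http://mysite.example/article" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Feb/2015:05:02:00 +0000] "GET / HTTP/1.1" 200 4000 "http://spam-referrer.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Feb/2015:05:02:01 +0000] "GET / HTTP/1.1" 200 4000 "http://spam-referrer.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Feb/2015:05:02:02 +0000] "GET / HTTP/1.1" 200 4000 "http://spam-referrer.example/" "Mozilla/5.0"',
    '192.0.2.9 - - [17/Feb/2015:05:03:00 +0000] "GET / HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

def summarize_referrers(lines, own_host):
    """Per external Referer host: hits, distinct IPs, and IPs that also loaded assets."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set()})
    asset_ips = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        if ASSET_RE.search(m["path"]):
            asset_ips.add(m["ip"])
        host = urlsplit(m["referer"]).hostname  # None for "-" or an empty Referer
        if host and host != own_host:
            stats[host]["hits"] += 1
            stats[host]["ips"].add(m["ip"])
    return {
        host: {"hits": s["hits"], "ips": len(s["ips"]),
               "browser_like_ips": len(s["ips"] & asset_ips)}
        for host, s in stats.items()
    }

if __name__ == "__main__":
    for host, row in sorted(summarize_referrers(SAMPLE_LOG, "mysite.example").items()):
        print(host, row)
```

A referrer that shows up in Google Analytics but not in this report never reached the server at all, which matches the referral spam described in the question.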