BingBot Attack…


YESTERDAY

I received 37000+ bingbot index requests to my server causing the system load to increase to 44, sending my server into heavy swap, and causing all of my client sites to become unresponsive. I was able to fix this immediately by blocking the IP address of each of the offending servers that were indexing my host.

e.g.

iptables -I INPUT -s 1.2.3.4 -j DROP

HOWEVER…

It wasn’t bingbot at all… Instead it was someone… trying to make it look like bingbot was causing a denial of service (DoS) attack on my WordPress server. Not very nice. Here is the evidence to support that claim.

GENUINE BINGBOT LOG ENTRY

157.55.35.113 - - [10/Mar/2013:04:44:57 +0000] "GET /landscaping-supplies/ HTTP/1.1" 200 9166 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

GENUINE BINGBOT TRACEROUTE

traceroute 157.55.35.113
traceroute to 157.55.35.113 (157.55.35.113), 30 hops max, 40 byte packets using UDP
1 home.gateway.home.gateway (192.168.1.254) 1.391 ms 1.932 ms 1.903 ms
2 lns20.adl2.on.ii.net (203.16.215.197) 22.662 ms 25.718 ms 25.157 ms
3 te3-3.cor3.adl2.on.ii.net (150.101.134.29) 25.162 ms 26.908 ms 26.742 ms
4 xe-0-0-0.cr1.adl6.on.ii.net (150.101.225.77) 27.270 ms 28.282 ms 27.485 ms
5 ae4.br1.syd7.on.ii.net (150.101.33.34) 47.068 ms 47.206 ms 47.333 ms
6 te0-2-0-3.br2.sjc2.on.ii.net (203.16.213.158) 203.258 ms 204.773 ms 203.673 ms
7 * pao-76e-3.ntwk.msn.net (198.32.176.152) 206.768 ms *
8 ge-6-3-0-58.pao-64cb-1a.ntwk.msn.net (207.46.47.239) 199.107 ms 198.552 ms 199.322 ms
9 204.152.140.170 (204.152.140.170) 223.817 ms 224.039 ms 225.044 ms
10 xe-7-0-1-0.by2-96c-1a.ntwk.msn.net (207.46.40.62) 203.022 ms 203.577 ms 200.485 ms
11 ge-5-2-0-0.co2-64c-1a.ntwk.msn.net (207.46.40.84) 220.923 ms 229.031 ms 221.517 ms
12 xe-0-0-0-0.co2-96c-2a.ntwk.msn.net (207.46.43.67) 219.645 ms 219.879 ms 219.864 ms

You can see that when tracing the route to the IP shown in the log entry, the trace passes through several hosts in the msn.net domain.
Clearly this server is owned by Microsoft.

FAKE BINGBOT LOG ENTRY

74.86.145.42 - - [07/Apr/2013:19:22:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3370 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

FAKE BINGBOT TRACEROUTE

traceroute 74.86.145.42
traceroute to 74.86.145.42 (74.86.145.42), 30 hops max, 40 byte packets using UDP
1  home.gateway.home.gateway (192.168.1.254)  1.373 ms   1.456 ms   1.077 ms
2  lns20.adl2.on.ii.net (203.16.215.197)  22.482 ms   23.382 ms   23.645 ms
3  te3-3.cor3.adl2.on.ii.net (150.101.134.29)  24.251 ms   25.401 ms   24.834 ms
4  xe-0-0-0.cr1.adl6.on.ii.net (150.101.225.77)  26.724 ms   27.018 ms   26.909 ms
5  ae4.br1.syd7.on.ii.net (150.101.33.34)  47.198 ms   47.435 ms   46.771 ms
6  te0-2-0-3.br2.sjc2.on.ii.net (203.16.213.158)  202.843 ms   202.739 ms   203.064 ms
7  be1.br1.sjc2.on.ii.net (150.101.33.56)  227.724 ms   227.808 ms   227.960 ms
8  te1-7.bbr01.eq01.sjc01.networklayer.com (206.223.116.176)  202.079 ms   200.939 ms   200.248 ms
9  ae7.bbr02.eq01.sjc02.networklayer.com (173.192.18.165)  224.057 ms   223.967 ms   224.104 ms
10  ae0.bbr02.cs01.lax01.networklayer.com (173.192.18.151)  207.395 ms   207.538 ms   207.656 ms
11  ae7.bbr01.cs01.lax01.networklayer.com (173.192.18.166)  199.078 ms   197.992 ms   198.360 ms
12  ae19.bbr01.eq01.dal03.networklayer.com (173.192.18.140)  227.909 ms   227.778 ms   228.264 ms
13  ae0.dar02.sr01.dal01.networklayer.com (173.192.18.253)  240.665 ms   239.878 ms   236.061 ms
14  po2.fcr03.sr04.dal01.networklayer.com (66.228.118.190)  234.903 ms po1.fcr03.sr04.dal01.networklayer.com (66.228.118.186)  237.913 ms po2.fcr03.sr04.dal01.networklayer.com (66.228.118.190)  235.221 ms

 

Notice that none of the final hosts have msn.net domain names; the route ends in networklayer.com hosts instead.

WHY WOULD SOMEONE DO THIS?

These fake domains can be traced back to many geographical locations, suggesting that the people behind the attacks are likely to be funded by a company that has interests in hurting Microsoft. The servers they are using will be costing them money, so they either have a huge grudge against Microsoft and want to hurt them… or they’re getting paid to do it. Either way it’s a huge hassle to webmasters and hosting companies everywhere. It may also be a case of hackers trying to “dictionary attack” my server in order to take control over it, and simply using Microsoft Bingbot as a convenient cover. I think that is the most likely scenario.

IS MY SERVER AFFECTED?

You can easily check to see if you’ve been attacked by this malicious bot by running the following command over your system logs.

grep -i "bingbot" access_log | grep -i wp-login.php | more

PERMANENT SOLUTION?

I’m thinking I’ll have to write a script that looks at the logs periodically and when it identifies a fake bingbot attack it will automatically ban that IP… Otherwise find a way to prevent any GET or POST access to the wp-login.php script from any host with a browser string that includes bing.com. I’ll post the script here once it’s complete.
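One way such a log check could work, as an added example and not the author's own script: instead of traceroute it uses the reverse-then-forward DNS check that Bing documents for verifying bingbot (the PTR name must end in search.msn.com and resolve back to the same IP). The function names, the injectable resolver parameters and the sample DNS answers (including the PTR name) are assumptions made for this example.

```python
import re
import socket

# Combined log format: client IP first (IP characters only), user agent last.
LOG_RE = re.compile(r'^([0-9A-Fa-f:.]+) .*"([^"]*)"$')
BING_SUFFIX = ".search.msn.com"  # reverse-DNS zone Bing documents for bingbot

def reverse_lookup(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # no PTR record or resolver failure
        return None

def forward_lookup(host):
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def is_genuine_bingbot(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Forward-confirmed reverse DNS. The PTR name alone is not trusted,
    because whoever controls the IP's reverse zone can set it to anything."""
    host = (reverse(ip) or "").lower().rstrip(".")
    return host.endswith(BING_SUFFIX) and ip in forward(host)

def fake_bingbot_ips(lines, reverse=reverse_lookup, forward=forward_lookup):
    """Client IPs whose user agent claims bingbot but which fail verification."""
    verdicts = {}  # resolve each IP only once
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and "bingbot" in m.group(2).lower() and m.group(1) not in verdicts:
            verdicts[m.group(1)] = is_genuine_bingbot(m.group(1), reverse, forward)
    return sorted(ip for ip, ok in verdicts.items() if not ok)

def ban_commands(ips):
    """Rules in the same form as the iptables command earlier on this page."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

# Constructed sample: the page's two log lines plus placeholder DNS answers.
SAMPLE_LOG = [
    '157.55.35.113 - - [10/Mar/2013:04:44:57 +0000] "GET /landscaping-supplies/ HTTP/1.1" 200 9166 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    '74.86.145.42 - - [07/Apr/2013:19:22:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3370 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
]
SAMPLE_PTR = {"157.55.35.113": "crawler.search.msn.com", "74.86.145.42": "host.example.net"}
SAMPLE_A = {"crawler.search.msn.com": ["157.55.35.113"]}

if __name__ == "__main__":
    print("\n".join(ban_commands(
        fake_bingbot_ips(SAMPLE_LOG, SAMPLE_PTR.get, lambda h: SAMPLE_A.get(h, [])))))
```

Called with only a list of log lines, fake_bingbot_ips uses real DNS lookups; the commands are printed for review and are not executed.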

Matthew Aldous - Adelaide SEO