I was sitting here struggling to come up with a name for this post because it is a very strange occurrence. Recently, one of my own sites was under attack, and not your traditional DoS attack. This attack was in the form of thousands and thousands of spam comments. Most people would jump to conclusions and say to use the Akismet or Anti-Spam plugins; however, I was using Akismet, and it was still an issue.
Here’s how this went down. Akismet was catching thousands and thousands of spam comments and putting them in the spam folder, as it should. The issue was the amount of spam comments. I was getting spammed with about 5,000 spam comments a day that were going to the spam folder. This was after scaling it based on the number per minute.
Every couple of seconds a new spam comment came in, and it was hammering my server. I was already using CloudFlare and I tried WordFence (which did nothing). I’m not a fan of comment captchas either, so I needed a way to isolate the attacks. I sat there for an hour writing down all the IPs to block via CloudFlare, but the attacks kept coming. The issue was that the IP addresses did not belong to the same range; if they had, blocking them would have been simple.
This led me to start digging some more. The IP addresses all originated from three places.
- B2 Net Solutions (also ColoCrossing): AS55286
- Enzu Inc: AS18974
The AS is kind of like an identifier of someone who owns a large amount of IP addresses. I could go into more detail, but I am not going to; Google it. Here is a helpful article on autonomous systems and how they relate to IP addresses to get you started.
In my research, I found out that these organizations are known as spam generators. These services do not care who is using them as long as they are getting paid. The sheer number of varying IP addresses attacking my website was too large for me to go through and block each address individually. It was easier for me to block the entire service by its autonomous system number (ASN). Here is a cool list I found that includes a bunch of bad ASNs that you can block.
Known Bad ASNs That You Should Block
I am going to list a bunch of ASNs that the OpenCart software community recommended to block.
- AS4134 ChinaNet
- AS4837 China Unicom Backbone
- AS4538 China Education and Research Network Center
- AS9808 Guangdong Mobile Com
- AS9394 China TieTong Telecommunications Corporation
- AS49120 Gorset Ltd
- AS44387 PE Radashevsky Sergiy Oleksandrovich
- AS47142 PP Andrey Kiselev
- AS15895 Kyivstar PJSC
- AS50915 S.C. Everhost S.R.L.
- AS9829 National Internet Backbone
- AS17974 PT Telekomunikasi Indonesia
- AS26347 Dream Network LLC
- AS43350 NFOrce Entertainment BV
- AS63008 Contina
- AS53264 Continuum Data Centers, LLC.
- AS36352 ColoCrossing
- AS16276 OVH SAS
- AS57858 Fiber Grid OU
- AS53889 Micfo
- AS62904 Eonix Corporation 1
- AS30693 Eonix Corporation 2
- AS55286 B2 Net Solutions Inc.
- AS18978 Enzu Inc
- AS15003 Nobis Tech Group
- AS29761 Quadranet
Blocking ASNs: Impact on Users and How to Block Them Via CloudFlare
These ASNs do not belong to any internet service providers (ISPs). The IP addresses do not belong to individuals either. Therefore, there is no impact on user experience.
Additionally, blocking autonomous system numbers (ASNs) is relatively simple via CloudFlare. To block an ASN in CloudFlare:
- Go to Firewall
- IP Firewall
- Enter AS11111 (replace the numbers with the ASN you would like to block)
This is the most effective way to block spam because it is blocked at the CloudFlare level. The ASN is blocked before it hits the server. Therefore, no server resources are being wasted.
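Before blocking a whole network, it is worth confirming from the server's own log which ASNs the comment submissions come from. The following is an added example, not code from the original post: it groups comment POSTs by ASN using a constructed prefix table and constructed log lines. The WordPress endpoint `/wp-comments-post.php`, the function names and the threshold are assumptions, and the log's first field is assumed to be the visitor's address rather than a CloudFlare proxy address.

```python
import ipaddress
import re
from collections import Counter

# Constructed prefix-to-ASN table: RFC 5737 documentation ranges, not real
# allocations of these networks; AS64500 (documentation ASN) stands in for an ISP.
PREFIX_TO_ASN = {
    "192.0.2.0/24": "AS55286", "198.51.100.0/25": "AS55286",
    "198.51.100.128/25": "AS36352", "203.0.113.0/24": "AS64500",
}
NETWORKS = sorted(((ipaddress.ip_network(p), a) for p, a in PREFIX_TO_ASN.items()),
                  key=lambda item: item[0].prefixlen, reverse=True)

# Constructed access-log lines (common log format), not taken from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
192.0.2.77 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
198.51.100.5 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
192.0.2.10 - - [01/Jan/2024:10:00:07 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
198.51.100.200 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
203.0.113.9 - - [01/Jan/2024:10:00:11 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:02:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
garbage - - [01/Jan/2024:10:02:41 +0000] "POST /wp-comments-post.php HTTP/1.1" 400 0
"""
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "POST (\S+) ')

def asn_for(ip):
    # Longest-prefix match; ip_address() raises ValueError on a malformed address.
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in NETWORKS if addr in net), "unknown")

def comment_posts_by_asn(log_text, path="/wp-comments-post.php"):
    """Return {asn: (comment POSTs, distinct source IPs)} for one log."""
    posts, sources = Counter(), {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) != path:
            continue  # only comment submissions are counted
        try:
            asn = asn_for(m.group(1))
        except ValueError:
            continue  # skip lines whose client field is not an IP address
        posts[asn] += 1
        sources.setdefault(asn, set()).add(m.group(1))
    return {asn: (n, len(sources[asn])) for asn, n in posts.items()}

def asns_to_review(log_text, min_posts=3):
    """ASNs whose comment POST count reaches the threshold."""
    return sorted(a for a, (n, _) in comment_posts_by_asn(log_text).items()
                  if n >= min_posts and a != "unknown")
```

An ASN that shows only one or two posts from a single address, like the stand-in ISP here, is the kind of entry to check by hand before adding it to a block list.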