For much of the past month I have been working my way around sites and making sure the sites are updating correctly. In some cases they have not been doing this without additional input. I have not got to the bottom of why; some of it is related to the Divi template. I spent a very tortuous 2 days seeking support to find out why. It would have been more productive watching paint dry.
However, I digress. I looked at around 70 of the sites I am hosting. I had to make changes to them to get the last version of WordPress to manage the updates. After I have done this the sites should in theory look after themselves.
In the dashboard of most sites is a Google Analytics summary of the last 30 days of activity on your site. I noted the image below which has a strange peak in it on one of the sites.
This is not normal
Then I found another one
And another one
And another one
Unravelling the thread
I found five in around 70 sites, so it was not everywhere. But what is it? I chose one site and decided to check Google Analytics to see what it recorded. The peak in most cases occurred over a 5-minute period when allegedly around 350+ people from around the world decided to visit your website at 9am. And I do mean from around the world, not just in the UK. Any country in the image below that is a shade of blue means people (allegedly) came from that country.
The image on the left shows the top 31 countries and how many computers in each country. Not listed here, but I did check, looking at Russia countrywide, the visits did not come from one computer, but came from many across Russia.
What is going on?
Given the attack which is still going on some 4 weeks after I was notified on another site, I am very conscious of how long that took to sort out. I checked in with the hosting company to ask about these and what they thought they were. I did not get a straight answer, other than any attack will be handled by special measures in the hosting and the site will continue to work despite this.
It is unlikely that these sites were affected in any way; the visits in this case were no different to UK based visitors. The only difference is they came from everywhere in a very short period of time, apparently all together or in quick succession.
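The pattern described above (hundreds of visitors from many countries inside about five minutes) can be looked for in raw visit records rather than by eye on a graph. The following is an added example, not part of the original post: the function names, the 20-country threshold and the sample visits are assumptions constructed for illustration, and each visit is assumed to be already resolved to a country.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

def find_bursts(visits, window=timedelta(minutes=5), min_ips=350, min_countries=20):
    """Flag sliding windows holding many distinct IPs from many countries.

    visits: iterable of (datetime, ip, country) tuples. Thresholds are assumptions.
    Returns one dict per burst: start, end, peak distinct IPs, peak countries.
    """
    q, ips, countries = deque(), Counter(), Counter()
    bursts, in_burst = [], False
    for ts, ip, cc in sorted(visits):
        q.append((ts, ip, cc))
        ips[ip] += 1
        countries[cc] += 1
        # Expire visits that have slid out of the window.
        while ts - q[0][0] >= window:
            _, old_ip, old_cc = q.popleft()
            for counter, key in ((ips, old_ip), (countries, old_cc)):
                counter[key] -= 1
                if counter[key] == 0:
                    del counter[key]
        hit = len(ips) >= min_ips and len(countries) >= min_countries
        if hit and not in_burst:
            bursts.append({"start": q[0][0], "end": ts,
                           "ips": len(ips), "countries": len(countries)})
        elif hit:
            b = bursts[-1]
            b["end"] = ts
            b["ips"] = max(b["ips"], len(ips))
            b["countries"] = max(b["countries"], len(countries))
        in_burst = hit
    return bursts

def sample_visits():
    """Constructed data: sparse GB traffic plus a 360-visit burst at 09:00."""
    day = datetime(2024, 1, 15)  # constructed date
    quiet = [(day + timedelta(hours=7, minutes=17 * k), f"192.0.2.{k % 4 + 1}", "GB")
             for k in range(12)]
    burst = [(day + timedelta(hours=9, milliseconds=800 * i),
              f"10.0.{i // 250}.{i % 250 + 1}", f"C{i % 30:02d}")  # placeholder countries
             for i in range(360)]
    return quiet, burst

if __name__ == "__main__":
    quiet, burst = sample_visits()
    for b in find_bursts(quiet + burst):
        print(b)
```

Requiring both many distinct IP addresses and many countries is what separates this pattern from a genuine local surge, such as a mention in a UK newsletter, which would produce many addresses from one country.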
Speculation
A few years ago I witnessed an attack on one of my sites while with another hosting company. I documented it at the time in this site. The site in this case had a protection mechanism built in that if there were too many visitors arriving at once, or trying to log in, they delayed any further activity from that IP address. As soon as one was blocked another one started. When that was blocked another one started, and they skipped all around the world in a few minutes.
The site was not taken down, but this is basically known as a DDoS or Distributed Denial of Service attack. The expectation being that if enough computers hit your site it will consume the server resources and your site will grind to a halt.
BOT Network
It is highly likely that I was witnessing a bot network, which is a set of compromised servers from around the world controlled by one central resource, and they were testing it. When I last came across this I had all of the IP addresses of the computers, and could do a geolocation search and also identify the owners of the computers (if they were a server for example). In many cases they were corporate servers owned by respectable companies that probably had no idea that there were additional processes running off of their computers.
The system might be targeted at some point on a corporate server and financial demands made to turn it off.
Things for you to think about
If you see a massive peak in your statistics that you cannot account for, let me know ASAP. I will look into it. If you have one of these it means your statistics for that period are no longer valid. So do not use them in any promotional documentation.
You may have seen in the past messages like “We checked your website and it was not getting many visitors, pay us ££££ and we will increase the number of visitors to your site”. Well, this is one way of doing it. It will not however generate any more business because the visitors are not real.
I can selectively turn off countries from accessing your website and take some other measures with the hosting company if you see anything like this.
However, it should not really impact your website, or your existing visitors. If you are not sure about something, drop me a line.
