My copycat(er) is being attacked, I fear I might be next (HELP)

Status
Not open for further replies.

msullens88

I'm Ron Burgundy?
Feb 13, 2009
FL
I have placed hidden forms and analytical tracking on my landing pages so I can keep track of everyone that copies my LPs (trust me, I know who you are), and one of them seems to be under a DDoS attack, as well as what I believe to be a single person clicking through a ton of times.

I am under the impression this person knows what they are doing and might be after my site shortly.

I have since killed all the tracking on this specific copied LP and redirected it to 4chan.com.

After doing a little research I have found the DDoS and the person to be coming from the same proxy server, which seems to be on a dial-up connection in Wichita, Kansas - IP Address: 207.200.116.6

Looking up the IP address found over 400 records on Google and this one page that has some information that I cannot make any sense of.

The pestilence of Kroofulness has retu4rned! - rec.audio.opinion | Google Groups

Whoever this is, they are hiding well. Any help will be greatly appreciated.

I would also suggest adding this IP to your personal hosting ban list to help protect yourself; it seems they have been using the same one for a while.

IP Address: 207.200.116.6
 


[01:30] * Dns resolving 207.200.116.6
-
[01:30] * Dns resolved 207.200.116.6 to cache-ntc-aa02.proxy.aol.com

It's one of the AOL proxies....

You should probably facepalm yourself.
 
That's not a real DDoS if it's from 1 IP. There is an Apache add-on where, if the same IP requests the page too many times within a given time, they are auto-blocked for 5 minutes. This add-on is also effective against smarter DDoS attacks, because even most zombie pools require each computer to hit the page many times at once.

This Apache add-on + static HTML page = very hard to DDoS your ass
 
@ayzo I normally would take your advice and just facepalm myself, but I have reason to believe, by the 20+ form submits (and a ton more just normal hits) I got with different data, that it's a single person using the proxy at that time and not just a bot or something.

I'm just looking for more information on if it's possible to find out who is using the proxy. Not the fact that it is a proxy; I get that.
 
@vladb2 - Thanks for the information, I wonder how he got over 200 visits through in a 5 min period.. Hummm

But like I said before, this is not my problem yet; I'll be keeping a close eye on it.
 
If you start blocking AOL traffic you'll kill your conversion rates for grants, berriez and google money tree.
 
@ayzo I normally would take your advice and just facepalm myself, but I have reason to believe, by the 20+ form submits (and a ton more just normal hits) I got with different data, that it's a single person using the proxy at that time and not just a bot or something.

I'm just looking for more information on if it's possible to find out who is using the proxy. Not the fact that it is a proxy; I get that.

Well, the reason for the facepalm is because it's an AOL proxy :p

If you could "map" the AOL network traffic it would look like this:

user1,user2,user3,user4,user5 ---- AOL PROXY ---- INTERNET

Basically, just about every AOL customer that uses the AOL browser will first be sent through a proxy and then out to the internet, which is why you're getting a bunch of hits from the same IP (or group of IPs). They are all different users, with different data, and chances are that 99% of the data they submitted to those forms is real.

The problem is that because AOL forces them to go through a proxy, the data ends up looking fake or malicious.
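The two points made in the replies above (a per-IP request limit with a 5-minute block, and one AOL proxy address fronting many users) combined in an added example; this is not code from the thread or from the Apache add-on it mentions. The window, thresholds, multiplier, the second address and the in-memory reverse-DNS map are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW = 60             # seconds per counting window (assumed; thread gives none)
MAX_HITS = 20           # hits allowed per window for an ordinary IP (assumed)
BLOCK_SECS = 300        # the 5-minute auto-block mentioned in the thread
SHARED_SUFFIXES = (".proxy.aol.com",)   # suffix of the PTR name resolved in the thread
SHARED_MULTIPLIER = 10  # assumed headroom for an IP that fronts many users

class RateLimiter:
    def __init__(self, rdns):
        # rdns: ip -> hostname. Stands in for a cached PTR lookup; a live
        # deployment should forward-confirm the name before trusting it.
        self.rdns = rdns
        self.hits = defaultdict(deque)
        self.blocked_until = {}

    def limit_for(self, ip):
        shared = self.rdns.get(ip, "").endswith(SHARED_SUFFIXES)
        return MAX_HITS * SHARED_MULTIPLIER if shared else MAX_HITS

    def allow(self, ip, now):
        if self.blocked_until.get(ip, 0) > now:
            return False                      # still inside the block period
        q = self.hits[ip]
        while q and q[0] <= now - WINDOW:     # drop hits older than the window
            q.popleft()
        q.append(now)
        if len(q) > self.limit_for(ip):
            self.blocked_until[ip] = now + BLOCK_SECS
            q.clear()
            return False
        return True

def replay(events, rdns):
    """Return {ip: denied_request_count} for (timestamp, ip) events."""
    limiter, denied = RateLimiter(rdns), defaultdict(int)
    for ts, ip in sorted(events):
        if not limiter.allow(ip, ts):
            denied[ip] += 1
    return dict(denied)

# Constructed sample: 200 hits in 5 minutes from each of two addresses.
RDNS = {"207.200.116.6": "cache-ntc-aa02.proxy.aol.com"}   # from the thread
EVENTS = [(i * 1.5, ip) for i in range(200)
          for ip in ("207.200.116.6", "198.51.100.7")]     # second IP is constructed

if __name__ == "__main__":
    print(replay(EVENTS, RDNS))
```

With the same request rate from both addresses, only the address without a shared-proxy hostname is blocked, so legitimate users behind the proxy are not cut off by a single noisy one.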
 
Good information, seems to add up.

Random that they got 5 form submits with same data within the same minute, but then again it could just be another retarded AOL user going back and forth going "What do I do?!?!"

I'm still going to monitor it and see if anything else fishy shows up, but I think you may have solved the case.

Thanks for all the help!

BTW if any of you have not seen it yet, StarTrek + IMAX = pwnage. Saw it tonight.
 
Do you have a thank you page telling the user what to expect after the form submit?

I've seen dummies run a lot of forms with either a blank page or a redirect page to the index page causing confusion for people assuming 'something broke' and thus submitting again.
 
The form does have a thank you page, and I've been having it go to the second step on MY landing page (free traffic from people that copy and paste my LP). It's a lower % so they don't notice, btw. I know... classy. =]
 