Recently I had an attack on this website, as I run a WordPress site this is not an isolated incident. However, in this instance it was a rather aggressive attack compared to the bandwidth I have available. The attacker in this case was saturating my connection with POST commands to wp-login.php as apposed to the usual attacker who send requests every few seconds, in an attempt I presume to not be noticed.
Knowing that this was a sustained attack I first turned to enabling Windows authentication to wp-login.php, this made things worse as the data sent from a HTTP 401 error to this page used more data than WordPress denying access.
Failing this, I blocked the IP address from IIS so it will return a 403 error, this brought the data sent back down to normal but still the attack continued.
As a last resort, I performed a lookup on the attacking IP via the WHOIS database, and discovered the attacking computer was on a hosted server in Malaysia:
% [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '220.127.116.11 - 18.104.22.168' inetnum: 22.214.171.124 - 126.96.36.199 netname: IPSERVERONE-MY descr: IPSERVERONE - Co-location - AIMS Data Center country: MY address: L7-13, Level 7, Brem Mall, address: Jalan Kepong, 52000, address: Kuala Lumpur e-mail: firstname.lastname@example.org abuse-mailbox: email@example.com phone: +60-3-625-95-625 fax-no: +60-3-625-95-629 e-mail: firstname.lastname@example.org % This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS4)
The website dawhois.com was the first best match and reveled that the hosting service for this site was ipserverone.com, and in desperation to solve this I contacted the abuse email listed above.
I have often contact ISPs in this method when receiving an attack, but none have come to fruition, not even a response, this time I got an answer:
We are sorry to hear that, could you please verify now, is still got attack to your site?
Checking that the attack is still going on, I replied that is is still happening:
Seems that I’ve disabled an access few sites that contain suspicious codes.
Is the issue persist?
Checking again, it stopped! Guessing from the fact that the attack continued after changing responses from my server to 401 and 403, it was a bot running, but many thanks to Mohd and the people at ipserverone for stopping this attack and giving me back my bandwidth!