[development] Possible DDoS attack on Drupal user creation

Syscrusher syscrusher at 4th.com
Wed Feb 8 16:11:16 UTC 2006 

Good morning!

I'm sorry if this is the wrong venue for this, but I am not sure where else
to post it.

As of this morning, I have good reason to suspect that one of my Drupal sites
is the victim of a zombie-based DDoS attack, and I felt I should warn the
Drupal development community that a new Drupal-specific bot may be out there in
the wild.

The site allows anyone to create a user account, with no approval needed but
of course with no special privileges (all it really gains them is the ability
to queue comments for approval, subscribe to node comments, and to customize
their timezone).

What happened is that last night a large number of new user accounts
were all created with garbage-looking and undeliverable Yahoo! addresses as
the email target, e.g., sdfuhgfdhghu at yahoo.com. My site is a rather narrowly-
focused site related to historical reenactment, and we typically average only
1 or 2 new users per day, and there have been 57 since midnight last night.
That's not a huge number, but it's *way* outside our normal statistical
range.

I initially thought this might be one script kiddie with a Perl bot, but I
checked my logs, and there were 57 requests since midnight spread over 21
different IPs. Only one of the IP addresses has a valid reverse DNS, and it
points to a dialup pool. In the Apache logs, all of the browser ID strings
are identical:

    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

which suggests either a bot emulating this browser, or a coordinated
attack by a couple dozen individuals. I consider the latter to be unlikely,
as the site is neither politically controversial nor commercial in nature,
so I doubt anyone would have enough motive to work hard enough to do an
attack by manual means.

I post this message here for three reasons:

1. I wanted to warn others that if there is a bot to attack my site, they may
   attack other Drupal sites in the near future, and

2. I wanted to see if anyone has a suggestion of a module -- including one that
   I might create -- that could block bogus user account requests like this
   but not legitimate ones. Will the "Captcha" module do what I need?

3. I wanted to find out if anyone else has seen similar behavior, to see if
   this is part of a larger pattern that may need to be addressed in
   user.module. For example, if this is commonplace, should "Captcha" become
   part of core?

The attacks aren't doing any real harm -- my server can easily cope with the
load, and I'll eventually just purge the accounts that are never activated.
They're a nuisance, but I still want to make this go away if I can.

I'll be glad to share more details upon request -- my site is not business-
related, so I have no reason to conceal logs or other pertinent data that could
help the Drupal development community guard against things like this.

Scott

-- 
-------------------------------------------------------------------------------
Syscrusher (Scott Courtney)          Drupal page:   http://drupal.org/user/9184
syscrusher at 4th dot com            Home page:     http://4th.com/

More information about the development mailing list