My blog is getting hammered by the Russians

I have a little blog. On a good day it gets 400 page views of very loyal, dedicated readers. Yeah, it’s a niche blog, but it’s been running in happy obscurity since 2011.

Now I’m getting up to 800 hits a day from Russia alone. They don’t seem to be doing anything; I’m not seeing an increase in referer spam. It’s just bursts of hits that repeat every hour or so.

Other than it annoys me, and messes with my Blogger analytics, I’m not seeing any point to dealing with this. I don’t see the Russian hits in Statcounter. I googled around to see what other people have said about this kind of thing, and I gotta say, I didn’t find anything useful. It varied between the blowhards and the paranoid hysterics.

So, has anyone any ideas? Even a link to an informative article that isn’t blowhard BS?

Why does it matter?

I’m concerned that there’s something going on that’s a threat I don’t understand or if there are steps I should take with Blogger but don’t know to do.

It may be your ISP’s problem.

You could always blacklist the IANA subnets (either from the ISP/server/router level), if that’s an option.

It’s almost certainly hacking attempts. What CMS are you running? WordPress? If I were you I’d check for attempts at brute force guessing the admin password. Then install yourself a brute force prevention timeout plugin for your CMS that bans those IP addresses.

And don’t take it personally, it’s just scripts that target random websites.

[a little off topic, but I’m curious]
What does a hacker gain by attacking a random blog?
If the OP has a blog about flower arranging, what does the hacker gain?

Hackers like to gain control of sites, and then use those sites to host malware. Often the malware isn’t even visible on the blog or site directly, just accessed via a specific URL. But exploits, or just plain social engineering attacks eventually lead to a download of the malware hosted. Or, for instance, a fake internet banking front end could be installed, and those appallingly bad fake bank emails asking you to reset your security details might direct the recipient to that site. The blog might continue on obliviously, but in the background someone could be harvesting bank details. And so it goes.

As Francis Vaughn says, the blackhats aren’t interested in the blog’s content. They’re looking for a webserver they can quietly hijack to secretly host and serve up THEIR content*, alongside the mundane stuff the blogger wants to do.

*“THEIR content” == spam, or malware, or phishing web pages, or data dumps for personal data stolen from victims. Anything a baddie can do with a web server and its associated backside capabilities, like databases.

I don’t remember much about Blogger, but it may be possible to block country IPs. I already do that with some countries that have shown shady activity and whose traffic does not interest me.

Huh. Never thought of that.

I imagine stolen data can be laundered umpteen ways, and hide in plain sight.

Thanks for the comments folks. Sadly, I can’t block a country from my site on Blogger. I guess I’ll double secure my site. It’s already got a completely random password, and that’s probably frustrating them to no end.

Are you getting 800 requests or 800 sessions? If the former, that could be 800 password attempts in a day. If the latter, it could be several thousand or million attempts. Presumably, Blogger has some built-in protection, so they’d be sticking to a number that doesn’t trigger Blogger’s safety measures, but it could still be pretty high.

But let’s figure a few million attempts per day, just to be safe.

If you have the 26 letters of the alphabet and are using both upper and lowercase, picking randomly, then with a one-character password, there are 52 possibilities. With a two-character password, there are 2704 (52^2) possibilities. An 8-character password is 53,459,728,531,456. At a rate of 10 million password attempts a day, they’d have 50/50 odds of cracking it after 2672986 days (7323 years).

How many requests a server can handle (and, by being on Blogger, you aren’t being limited to a single server) is pretty variable, but we’ll go with a possible 3000 requests per second as an approximation of an average server, which would mean that you could potentially respond to 259,200,000 login attempts in a day. Even there, we’re still talking 282 years to get to 50/50 odds of cracking the password.

Upping from an 8 character password to a 9 character password multiplies the amount of time needed to crack it by 52.

Basically, random passwords are really strong. It’s when your password isn’t random (1111 / password / letmein) that you become vulnerable. Or, alternately, if someone breaks into your house and has the chance to look through the sticky notes by your computer.

I sense everybody quickly changing their password now …

Comments are the first thing I would secure. There are lots of programs out there dedicated to registering on various sites and posting spam. So be sure you’ve turned on all the “I’m not a bot” options you can in the comment registration process.

As well as what the others have said, the hackers can use your compromised website to send spam, or they can do an encryption ransomware attack. Start encrypting the files on your webserver, demand bitcoins to decrypt it.

Had this happen to me once before with a Joomla site that wasn’t patched correctly. Luckily I had a backup from before the attack, so I just rolled back to that, then patched and updated everything. These sorts of attacks tend to happen to people with their own cPanel Linux hosted sites using Joomla / WordPress or Drupal, where people forget to update them and apply the latest security patches.

I’m leaning toward data mining.

I had a counter on my old personal site, and my occasional poking around in the statistics showed that I was getting a lot of random visits from Eastern European countries. Each “visit” just hit a single page (the page varied from hit to hit) and lasted no longer than one second. I always just chalked it up to search engine spiders.

Send a message to Donald Trump and ask that he get his Russian hacker friends to stop it!