Bandwidth madness, malice, theft, piracy
• Working On My Website
Back in June my bandwidth usage suddenly jumped from 6 – 7 Gig a month to over 30 Gig. My logs weren’t showing increased traffic, leaving me more than a bit baffled.
I have few images and they are all small. While hot linking couldn’t account for the bandwidth jump I decided to block hot linking.
Before the bandwidth jump I’d seen a number of spurious referrals, mostly coming from subdomains of reallyconfused.com, which hosts a number of bogus blogs that are really traffic builders for porn sites. There were also false referrals from mundane commercial sites like a roofing company and one from a site that does link to mine but couldn’t be generating such heavy traffic. The latter started showing at least five times a minute. They were all ‘going’ to one weblog entry which I promptly deleted.
July began with a normal enough load. But Friday morning I found “bandwidth exceeded” when I tried looking at my site. Over 30 Gig had been consumed overnight.
My host provides four stats packages. I usually only look at AWStats. A view of Webalizer showed good-sized chunks of bandwidth being drained by a few IP addresses. WhoIs showed no active sites but did reveal that the addresses were all registered to the same company (with no contact info). At the suggestion of JaguarPC’s tech support folks I blocked them. Later I went to Mark Pilgrim’s site to get his list of abusive domains so I could block those as well.
The sales folks at my host returned this a.m. and my purchase of additional bandwidth brought my site back up.
I have no idea what anyone could gain from doing this to my web pages. Replicating content? My sexuality weblog is only modestly popular as weblogs go. Aimless malice, bringing my site down because they could?
My web pages are just a hobby. I’d greatly appreciate any insights more experienced and able webmasters can offer.
More trouble: Bandwidth thieves return.
Comments
My best suggestion would be to check not the referring URL, but the browser used by this person as he/she/it grabbed the page. 20+ GB overnight requires a really fast connection - or, as you describe, a few fast connections. I’d guess the IPs probably belong to a university, where 100 Mbps Ethernet is common. I’ve seen similar attacks occur when a small bunch of mis-configured systems are taken over, then used in tandem to attack a new target. The goal is to get the server to reboot, overload, etc - to cause some known effect on , allowing the targeted site to be taken over. In other words, sounds like your site (or some other site hosted on the same server) was targeted for a takeover. By the way, sorry if this sounds only semi-coherent - it’s late. :P
Posted by: Brian | October 16, 2003 12:20 AM
Brian:
I’m not sure what you mean by checking the browser.
The last time I never saw anything in my regular referral logs, i.e., nothing lists as a visit.
What I saw was in Webalizer that a set of IP addresses were each chewing up about 5% of bandwidth. Looking up the IP addresses showed them all to be owned by two companies without contact information.
The idea that it was a takeover attempt at least gives me a possible notion of one reason it was done. Since all it did was cause my webhost to make my domain unavailable I thought that someone was simply offended by some of my sexual or atheistical content and wanted me offline.
Posted by: Richard Evans Lee | October 16, 2003 06:42 AM
I had this happen to me, or it may have happened. I am not sure, but my site went down overnight and I exceeded my 10gb/mo for the first time in nearly a year. I am hoping to get it back up soon but am fearful of the ramifications for my site’s ranking in search engines. I hope it doesn’t affect me.
Posted by: hadthis happen to me | March 28, 2006 01:59 AM
Search engines don’t instantly cast you out when your site goes down.
When bandwidth theft or some other problem has taken my site offline Googlebot and the other search engine spiders continue to check and my indexed pages haven’t been diminished.
You do want to check your logs to learn who sucked your site dry so you can block them in your .htaccess.
Posted by: Richard Evans Lee | March 28, 2006 02:09 AM
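
The log check discussed in the post and comments (bandwidth per IP address, the user agent each one sent, then a block list for .htaccess), as an added example that is not part of the original post or of any comment. It assumes Apache's "combined" log format and Apache 2.4 rule syntax; the function names, the sample log lines and the 5% threshold (borrowed from the per-address share mentioned above) are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} (?P<bytes>\d+|-) '
    r'"[^"]*" "(?P<agent>[^"]*)"')

# Constructed sample lines using documentation IP ranges; not data from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Jul/2003:02:11:09 -0400] "GET /a.html HTTP/1.0" 200 40000000 "-" "-"
192.0.2.10 - - [04/Jul/2003:02:11:10 -0400] "GET /a.html HTTP/1.0" 200 20000000 "-" "-"
198.51.100.7 - - [04/Jul/2003:02:11:12 -0400] "GET /a.html HTTP/1.0" 200 30000000 "-" "-"
203.0.113.5 - - [04/Jul/2003:09:30:00 -0400] "GET / HTTP/1.1" 200 5000 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Jul/2003:09:31:00 -0400] "GET / HTTP/1.1" 304 - "-" "Mozilla/4.0"
203.0.113.9 - - [04/Jul/2003:10:00:00 -0400] "GET /b.html HTTP/1.1" 200 995000 "-" "Mozilla/4.0"
"""

def bandwidth_by_ip(lines):
    """Return (total_bytes, {ip: {"bytes", "hits", "agents"}}) for parseable lines."""
    stats = defaultdict(lambda: {"bytes": 0, "hits": 0, "agents": set()})
    total = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than guess at fields
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])  # "-" means no body sent
        entry = stats[m["ip"]]
        entry["bytes"] += sent
        entry["hits"] += 1
        entry["agents"].add(m["agent"])
        total += sent
    return total, dict(stats)

def heavy_clients(lines, share=0.05):
    """Return [(ip, fraction_of_total_bytes)] at or above `share`, largest first."""
    total, stats = bandwidth_by_ip(lines)
    heavy = [(ip, s["bytes"] / total) for ip, s in stats.items()
             if total and s["bytes"] / total >= share]
    return sorted(heavy, key=lambda pair: pair[1], reverse=True)

def htaccess_block(ips):
    """Render Apache 2.4 (mod_authz_core) rules; older servers use Deny from instead."""
    body = "".join(f"    Require not ip {ip}\n" for ip in ips)
    return f"<RequireAll>\n    Require all granted\n{body}</RequireAll>"

if __name__ == "__main__":
    offenders = heavy_clients(SAMPLE_LOG.splitlines())
    print(htaccess_block([ip for ip, _ in offenders]))
```

Before blocking an address, look at the agents recorded for it in `bandwidth_by_ip`: a legitimate search engine spider can also rank high by bytes.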