Long ago, in the misty annals of the early Internet, by simply placing a well-formed robots.txt file at the root of a website directory, you could ban unwanted indexing bots from crawling through a few dozen hand-stitched pages and consuming an entire month’s outgoing bandwidth allowance. The only DDOS was getting “Slashdotted”, and having that happen to your website was a big honor. Nowadays, however, our concerns are much more diverse in scope, and far riskier by nature. From email harvesting operations and spam generation factories, to denial-of-service and malware breeding farms, these zombie-staffed distributed botnets are spewing enormous rivers of malicious garbage upon our once pristine, networked shores. Meanwhile, the stakes are only getting higher, as all the top brands and levels of government alike begin to heavily rely on the wholesome appearance and reliable service of their websites to be intimately connected with consumers online. How might besieged web operators repel the gross onslaught of spam traffic, DDOS attacks, and other malicious behavior promulgated through our nets? In this session, Suzanne Aldrich of CloudFlare and Jessi Fischer of Pantheon will reconnoiter the Internet robot armies, and disseminate effective strategies for website fortification: * Diagnosing bot traffic spikes with logs and analytics * Best practices for obscuring emails and using nofollow links * Standard spam evasion methods and why they’re mostly flawed * Strengths and pitfalls of using external spam filtering services * CDNs, caching, and other performance optimization techniques for withstanding high traffic volume * Anti-DDOS and WAF protection After this session you’ll be armed with all the knowledge needed to defend any Drupal site from a bot assault, and live to tell the tale. Additional resources: Load Testing Drupal and WordPress with BlazeMeter https://pantheon.io/docs/guides/load-testing-with-blazemeter/

1. Robot Attack!
Repelling Bots, DDOS, and other Fiends
BADCamp 2015

2. https://pantheon.io
Jessi Fischer
Enterprise Onboarding Manager - Pantheon
Suzanne Aldrich
Solutions Engineer - CloudFlare
MEET YOUR GUIDES

3. https://pantheon.io
Surveying Robots
Detecting Attacks
Evading Spam
Withstanding High Traffic
Questions
AGENDA

4. https://pantheon.io
Spam - Unsolicited advertising posted on a blog or sent via email
Phishing - Attempted theft of data or takeover of accounts
Malware - Software designed to be malicious
Robot - Automated software designed to perform functions repeatedly
DDoS - Attempt to make a server or network resource unavailable to Internet users
WAF - Web Application Firewall
DNS - Domain name system answers queries with IPs
OSI - Open System Interconnection Model
Layer 3 & 4 - Network and Transport layers (IPv4 & IPv6, TCP, UDP)
Layer 7 - Application layer (Chrome, Firefox)
GLOSSARY

5. https://pantheon.io
Internet bot:
● Robot, WWW bot, bot, botnet, zombies
● Automated scanning of website
resources at high rate
● Good bots: Web spiders
○ Googlebot
○ MSNBot/Bingbot
○ Baidu
○ Yandex
○ Pingdom
Drupal’s robots.txt
https://api.drupal.org/api/drupal/robots.
txt/7
User-agent: *
Crawl-delay: 10
Disallow: /includes/
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /install.php
Disallow: /update.php
Disallow: /xmlrpc.php
HISTORY OF THE ROBOT

6. https://pantheon.io
Bad bots:
● Spambots - advertising links
● Email harvesters
● Downloaders & scrapers
● Referral & click fraud
● Rogue spiders
○ MegaIndex:
Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +https://www.
megaindex.ru/?tab=linkAnalyze)
● Infectious agents
● Botnets & zombies
BAD BOTS

7. https://pantheon.io
Id Date Severit Type
Message
3161818 16/Jun 16:45 notice spambot
Blocked registration: email=supplyweqz@gmail.
com,ip=120.43.21.95
3161817 16/Jun 16:45 notice user
Login attempt failed for JulianHut.
3161794 16/Jun 16:44 notice user
Login attempt failed for Julianml.
DETECTING ATTACKS

8. https://pantheon.io
Common SPAM Defense Methods:
● CAPTCHA - Completely Automated Public
Turing test to tell Computers and
Humans Apart
● Timegate (Time Difference)
● Honeypot
● Content analysis
● Visitor reputation
Popular Drupal Modules:
CAPTCHA/reCAPTCHA - https://www.drupal.
org/project/captcha
https://www.drupal.org/project/recaptcha
Mollom - https://www.drupal.org/project/mollom
Honeypot - https://www.drupal.org/project/honeypot
Antispam - https://www.drupal.org/project/antispam
Spambot - https://www.drupal.org/project/spambot
CloudFlare - https://www.drupal.org/project/cloudflare
Spam prevention - https://groups.drupal.org/node/77093
EVADING SPAM

9. https://pantheon.io
Problems with CAPTCHA:
● Cookies prevent anonymous caching
○ High traffic sites require edge cache
● Usability
○ Inconvenient
○ Barrier
● Accessibility
○ Visual impairment
ANTI-SPAM STRATEGIC PITFALLS
Problems with External APIs:
● 3rd party dependency
● Availability & rate limiting
● CAPTCHA fallback
● Cost of service
● User Privacy

10. https://pantheon.io
● Poor performance + bots = downtime
● Server and log monitoring
● Fix site errors in module code and theme
templates
● Anonymous page caching
● Views query and rendered results caching
● Dedicated cacheserver - Redis
● Disable comments/cookies/statistics
● Setup CDN for serving assets
● Block IPs at firewall
● Withstand many Layer 7 attacks
WITHSTANDING HIGH TRAFFIC
$ curl -Ik http://www.example.
com/comment/reply/12345
...
X-Varnish: 3649165893
Age: 0
Via: 1.1 varnish
Connection: keep-alive
Vary: Cookie, Cookie

11. https://pantheon.io
Types of DDoS Attack:
• DNS Amplification - Layer 3
and 4
• DNS Flood - Layer 3 and 4
• SYN Flood - Layer 3 and 4
• HTTP Application Denial of
Service - Layer 7
DDOS PROTECTION

12. https://pantheon.io
D0000 - Block Large Requests to xmlrpc.php for Drupal CMS
D0002 - Block requests with odd array arguments
D0001 - Block Requests to xmlrpc.php for Drupal CMS
URIs:
/xmlrpc.php -- most common
/?q=node&destination=node
/blog/xmlrpc.php
/user/login/
HTTP Method:
POST -- most common
GET
10.223.224.238 - - [05/Feb/2015:23:34:47 +0000] "POST /xmlrpc.
php HTTP/1.1" 404 5377 "-" "Mozilla/4.0 (compatible: MSIE 7.0;
Windows NT 6.0)" 0.251 "5.189.129.224, 108.162.254.28,
10.183.251.3"
10.223.224.238 - - [05/Feb/2015:23:34:47 +0000] "GET /feed/
HTTP/1.1" 200 6354 "http://example.com/feed/" "SimplePie/1.3.1
(Feed Parser; http://simplepie.org; Allow like Gecko)
Build/20140407093003" 0.201 "54.216.178.194, 141.101.98.27,
10.183.251.3"
10.223.193.24 - - [05/Feb/2015:23:34:47 +0000] "POST /xmlrpc.
php HTTP/1.1" 404 5377 "-" "Mozilla/4.0 (compatible: MSIE 7.0;
Windows NT 6.0)" 0.233 "5.189.129.224, 108.162.254.28,
10.183.251.3"
CLOUDFLARE DRUPAL WAF RULES

13. https://pantheon.io
Frequency of WAF Triggers Over 30 Days Percentage of Triggers by WAF Rule
CLOUDFLARE DRUPAL WAF TRIGGERS

14. https://pantheon.io
Q&A