Access will be denied if you use POST requests more than 15 times within 4 hours from now on

  • Marc Weber
    Message 1 of 15, Apr 30, 2013
      Excerpts from John Beckett's message of Wed May 01 04:29:16 +0200 2013:
      > 124 user accounts, including text fields intended to probe for
      > bugs that might be exploited to break in to the system.
      The bot did at least 20 login attempts per second!

      http://www.vim.org/account/register.php
      I've added a minimal "I'm human test" - that should at least protect against
      "random attacks" made by bots without human intelligence.
      And if there are humans running the attack, then we have lost anyway.

      So it's pretty easy:

      create a new table.
      Log IP when $_POST is not empty

      If an IP is using POST more than 15 times in 4 hours assume it's a bot
      and die.

      A typical session:
      - login (POST 1)
      - update 5 scripts (POST 2-5)

      Thus 7 post requests. If you forget your password 5 times - then you're
      still fine.

      Yes, there might be false positives - eg many people behind
      firewalls try to update their scripts within 4 hours but honestly
      scripts are not updated *that* often. Another problem could be you
      typing the same password 15 times ..)

      If this is causing problems, please report it. The die message also tells
      this.

      vim.org/search.php is not affected, $_GET is used the way it should.
      Neither should it affect google (which may also run some post requests,
      usually based on JS init scripts)

      I hope this makes www.vim.org a lot more "bot proof" now.

      The implementation can be found in the datab*.inc file.

      Maybe it's not the right place, but it should work.

      There have been too many issues lately.

      Marc Weber

      --
      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php

      ---
      You received this message because you are subscribed to the Google Groups "vim_dev" group.
      To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscribe@....
      For more options, visit https://groups.google.com/groups/opt_out.
    • Marc Weber
      Message 2 of 15, Apr 30, 2013
        This still does not protect against resource exhaustion (mysql users
        exceeded - which happened). There are modules for apache to prevent
        excessive site usage by bot-like attacks. Maybe we should propose
        sourceforge to set them up?

        Marc Weber

      • Marc Weber
        Message 3 of 15, Apr 30, 2013
          I've introduced a total limit of 500 POST requests within 4h which is
          slightly more than POST requests happen within 24h on an average day
          (380 posts in 24h)

          Thus if a bot uses multiple IPs, he should still fail soon
          (unfortunately everybody else, too) - I think it's more important to
          protect against attacks in these cases.. Because we don't want to delete
          that many scripts and user accounts.

          I hope vim.sf.net is much safer now. I don't have any additional ideas.
          So let me know whether you think these changes are appropriate.

          Marc Weber

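The two limits described in Message 1 (15 POSTs per IP in 4 hours, logged in a new table) and Message 3 (a global cap of 500 POSTs in 4 hours) as one sliding-window limiter. This is an added illustration in Python over an in-memory SQLite table, not vim.org's own PHP code from datab*.inc; the table name, the return values and the sample IPs are constructed for the example.

```python
import sqlite3
import time

# Limits as stated in the thread (assumption: "more than 15" means the 16th
# POST inside the window is the first one denied, likewise for 501 globally).
WINDOW_SECONDS = 4 * 3600   # 4 hours
PER_IP_LIMIT = 15           # POSTs allowed per IP within the window
GLOBAL_LIMIT = 500          # POSTs allowed from all IPs within the window


class PostRateLimiter:
    """Logs every non-empty POST by source IP and denies once a limit is hit."""

    def __init__(self, conn=None):
        # Constructed table standing in for the "new table" of Message 1.
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS post_log (ip TEXT NOT NULL, ts REAL NOT NULL)"
        )
        self.conn.execute("CREATE INDEX IF NOT EXISTS post_log_ip ON post_log(ip, ts)")

    def check_post(self, ip, now=None):
        """Return 'ok', 'ip_limit' or 'global_limit' for a POST from ip at time now."""
        now = time.time() if now is None else now
        since = now - WINDOW_SECONDS
        cur = self.conn.cursor()
        # Log before deciding, so a denied request still counts against the caller.
        cur.execute("INSERT INTO post_log (ip, ts) VALUES (?, ?)", (ip, now))
        # Rows older than the window no longer influence any decision; drop them
        # so the table does not become its own resource-exhaustion problem.
        cur.execute("DELETE FROM post_log WHERE ts < ?", (since,))
        per_ip = cur.execute(
            "SELECT COUNT(*) FROM post_log WHERE ip = ? AND ts >= ?", (ip, since)
        ).fetchone()[0]
        # Caveat from the thread: many users behind one NAT/firewall share an IP
        # and can trip this limit together (a false positive, not an attack).
        if per_ip > PER_IP_LIMIT:
            return "ip_limit"
        total = cur.execute(
            "SELECT COUNT(*) FROM post_log WHERE ts >= ?", (since,)
        ).fetchone()[0]
        # The global cap is what catches a bot rotating through many IPs.
        if total > GLOBAL_LIMIT:
            return "global_limit"
        return "ok"


def handle_request(limiter, ip, post_data, now=None):
    """Only non-empty POST bodies are rate limited; GET-style requests pass."""
    if not post_data:
        return "ok"
    return limiter.check_post(ip, now)
```

The `die` message of the original site corresponds to the two non-"ok" results; a caller would send that message and stop processing the request.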
        • Bram Moolenaar
          Message 4 of 15, May 1, 2013
            Marc Weber wrote:

            > I've introduced a total limit of 500 POST requests within 4h which is
            > slightly more than POST requests happen within 24h on an average day
            > (380 posts in 24h)
            >
            > Thus if a bot uses multiple IPs, he should still fail soon
            > (unfortunately everybody else, too) - I think it's more important to
            > protect against attacks in these cases.. Because we don't want to delete
            > that many scripts and user accounts.
            >
            > I hope vim.sf.net is much safer now. I don't have any additional ideas.
            > So let me know whether you think these changes are appropriate.

            Thanks for doing this!

            I think we can be rather strict. If a human is doing a lot of work, we
            can ask him to try again in 4 hours. And send us a message that this
            happened, so that we can tune the limit. Perhaps for specific cases.

            Please send me a diff of the changes you made (or the new files)
            privately. Otherwise a sync from my side might overwrite your changes.
            Cc John Beckett, he is also keeping an eye on things.


            --
            hundred-and-one symptoms of being an internet addict:
            255. You work for a newspaper and your editor asks you to write an
            article about Internet addiction...in the "first person."

            /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
            /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
            \\\ an exciting new programming language -- http://www.Zimbu.org ///
            \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

          • Christian Brabandt
            Message 5 of 15, May 7, 2013
              Hi Bram!

              On Wed, 01 May 2013, Bram Moolenaar wrote:

              > I think we can be rather strict. If a human is doing a lot of work, we
              > can ask him to try again in 4 hours. And send us a message that this
              > happened, so that we can tune the limit. Perhaps for specific cases.

              I think it just happened:
              http://www.vim.org/scripts/script.php?script_id=4509

              regards,
              Christian
              --
              Chaos reigns. We are standing on a turntable; the direction into the
              future has not yet been found. Perhaps this humanity must perish so
              that another can arise.
              -- Stanislav Lem

            • Marc Weber
              Message 6 of 15, May 7, 2013
                Thanks for reporting - looks like he finally succeeded - and didn't read
                the message ..

                Hi xingchao,

                (this mail also goes to vim_dev mailinglist)

                If you cannot upload, you should see a message instead.
                Due to attacks we've limited actions to 15 POST requests by IP.
                Another global limit does exist.

                Do you remember which one was hit? The message should have told you.
                Eventually we should allow more operations.

                In any case - do you have any idea why "why I can't upload" is shown
                that often :) ?

                Sincerely
                Marc Weber
