CS Stored Sessions

We are working through some of the IPs now. The host wants to enable “Mod_Security” to try to help stop some of the script malware that is hitting us. I know at one time CS said to not use it, but they do not have that in the server specs any longer. I found older threads where some say they have it enabled and others do not. Is there a standard on this yet? Should we or should we not have this enabled?



I guess if we do have it enabled would it really help with this sessions issue?

Probably a helpdesk question since the answer is more than likely version dependent.

We went ahead and enabled “mod_security”. So far it is working. We deleted the files in the “stored sessions” again a few hours ago but it is still growing at crazy rates. So it looks like we are back to the drawing board of trying to stop the “stored sessions” from growing so fast and slowing down the site in the process.

The size of that table is not showing your site. It is all the overhead of your site being accessed so much. Kind of like a denial of service attack.

[quote name='tbirnseth' timestamp='1414298176' post='195229']

The size of that table is not showing your site. It is all the overhead of your site being accessed so much. Kind of like a denial of service attack.

[/quote]

As we continue to dig into this, what you stated is what we are finding out. Yesterday our visits from these scripts or whatever chewed on 85% of the CPU and 45% of our memory on a dedicated server. A server that we have turned all of the marketing off on because of the problems. The stored sessions is just where we found the problem. Not to mention with the stored sessions that large it severely slowed down backup and optimization of the database. Right now our host optimized the database and they've blocked a few IP addresses where the most connections were coming from.



I am trying to put what I can here on the forum in case someone else runs into it. So maybe they can see some of the things we are trying to stop. Of course I am open to other things that may have been tried to curb this type of attack.

Hi



We got our host to use the “BAD_BOT” in our htaccess, massive reduction in sessions, only my thoughts!

[quote name='BarryH' timestamp='1414348879' post='195252']

Hi



We got our host to use the “BAD_BOT” in our htaccess, massive reduction in sessions, only my thoughts!

[/quote]

Very interesting. I am going to see if I can figure out what that is now. Thanks!

Jim, your posts are appreciated. First place I would look is to your competitors. If this has been an ongoing issue, there’s no motive for others to consume your site. Remember that it takes resources to do the attack as well, so there needs to be a return on that effort/cost for it to have any value (even to a kid hacker), and if there’s a pattern, you could always add something to reverse the attack by ensuring that they not only have the cost of initiation, but also the overhead of getting the requests returned to them. But that will also increase your load (but you might feel more proactive and less of a victim). :-)

Gotta love those kind of competitors! I would not be surprised if it was. Since many of the things these scripts or whatever are trying to put in the feedback contain links to other websites, I am guessing that is part of what they are trying to accomplish. Many of the others are trying different passwords in what looks like an attempt to set up an account or something. So far with the most recent changes it has slowed them down drastically. I had to run to the library with the kids so I haven't had a chance to research and/or try the “BAD_BOT” part that BarryH was talking about so I am off to check that part out now.

So to report back here too, with “mod_security” installed we appear to be getting a “well shucks” error on some of the products after editing them and trying to save. When we disable the mod_security we are able to save with no “well shucks” error. Right now we are trying to see if there is a “rule” that we can whitelist which will allow us to save products. The “well shucks” does not happen all the time, which is the strange part. It does happen consistently on particular products.



We also found with mod_security we are unable to add the first category to a new product we added.
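
An added example, not part of the original thread: one way to find which mod_security rule is rejecting the product saves is to tally rule ids per URI and request argument from the Apache error log. The log lines, rule ids, messages, host and the `/admin.php` URI below are constructed for illustration and assume the ModSecurity 2.x error-log layout.

```python
import re
from collections import Counter

# Constructed sample lines (ModSecurity 2.x Apache error-log layout).
# Rule ids, messages, paths, hostnames and client addresses are made up.
SAMPLE_LOG = """\
[Sun Oct 26 10:15:02 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:product_data[full_description]. [file "/etc/modsec/rules.conf"] [line "77"] [id "900001"] [msg "Constructed rule A"] [hostname "shop.example"] [uri "/admin.php"] [unique_id "a1"]
[Sun Oct 26 10:19:40 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:product_data[full_description]. [file "/etc/modsec/rules.conf"] [line "77"] [id "900001"] [msg "Constructed rule A"] [hostname "shop.example"] [uri "/admin.php"] [unique_id "a2"]
[Sun Oct 26 10:21:13 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:product_data[category_ids]. [file "/etc/modsec/rules.conf"] [line "91"] [id "900002"] [msg "Constructed rule B"] [hostname "shop.example"] [uri "/admin.php"] [unique_id "a3"]
[Sun Oct 26 10:22:55 2014] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:message. [file "/etc/modsec/rules.conf"] [line "40"] [id "900003"] [msg "Constructed rule C"] [hostname "shop.example"] [uri "/index.php"] [unique_id "a4"]
[Sun Oct 26 10:23:01 2014] [error] [client 198.51.100.9] File does not exist: /var/www/favicon.ico
"""

# [key "value"] metadata pairs appended to every ModSecurity message.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable that matched, e.g. ARGS:product_data[full_description].
TARGET = re.compile(r'\bat ([A-Z_]+(?::\S+)?)\. \[')


def parse_line(line):
    """Return the metadata of one ModSecurity log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    if "id" not in fields:
        return None
    match = TARGET.search(line)
    fields["target"] = match.group(1) if match else ""
    return fields


def blocking_rules(log_text, uri):
    """Count (rule id, matched variable, message) for denials on one URI."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and fields.get("uri") == uri:
            hits[(fields["id"], fields["target"], fields.get("msg", ""))] += 1
    return hits.most_common()


if __name__ == "__main__":
    for (rule_id, target, msg), count in blocking_rules(SAMPLE_LOG, "/admin.php"):
        print(f"{count:3d}  id={rule_id}  {target}  {msg}")
```

Knowing both the rule id and the matched argument lets an exception be limited to that rule on the admin save request instead of switching mod_security off for the whole site.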