JohnNiang's Blog

JohnNiang's Blog

被“恶意评论”骚扰的全过程

2019.12.06

所有日志都是从 Nginxaccess.log 中提取的。其中的 IP 信息为攻击者的代理 IP,且取出了 CloudflareIP

收到新评论通知邮件

当我打开邮箱后提示有 5 封邮件未读,邮件时间间歇性的。一开始以为只是良性测试,不过没过多久就出现了大量的重复评论,同时也收到大量的重复邮件。

image.png

邮件的内容大致如下:

您的博客有新的评论!
johnniang, 您好!

有访客在《ARTS-w002》留言:


YYY:YYY


你可以点击查看完整内容

发送频率如下:

序号时间
1Dec 6, 2019 7:08 PM
2Dec 6, 2019 7:09 PM
3Dec 6, 2019 7:16 PM
4Dec 6, 2019 7:17 PM
5Dec 6, 2019 7:18 PM

对方产生邪恶的念头

该访客试探性的评论我的博客,发现我的博客不需要审核就能够成功评论,接着就有了邪恶的念头......

但是评论接口是限制了连续快速请求的,该攻击者一开始并不知道评论的具体间隔时间,然后不断地试探该 rate limit(如果仔细阅读过源码就会发现,默认的 rate limit 时间就是 5s)。

对方实施攻击计划

该攻击者迅速编写了 Python 脚本,准备攻击该接口。

[06/Dec/2019:11:39:29 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 279 "-" "python-requests/2.22.0" "161.117.195.20"
[06/Dec/2019:11:39:29 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 279 "-" "python-requests/2.22.0" "161.117.195.20"
[06/Dec/2019:11:39:30 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 279 "-" "python-requests/2.22.0" "161.117.195.20"
[06/Dec/2019:11:39:49 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 337 "-" "python-requests/2.22.0" "161.117.195.20"
[06/Dec/2019:11:39:50 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 279 "-" "python-requests/2.22.0" "161.117.195.20"
[06/Dec/2019:11:39:50 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 279 "-" "python-requests/2.22.0" "161.117.195.20"
[06/Dec/2019:11:39:51 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 279 "-" "python-requests/2.22.0" "161.117.195.20"
[06/Dec/2019:11:39:51 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 279 "-" "python-requests/2.22.0" "161.117.195.20"

从日志中可以看出,该访客的脚本还是没有猜出精确的间隔时间,仍然出现了 400 的错误(Frequnt Access)。但攻击者仍不放弃,继续在浏览器上试图寻找评论的 rate limit

[06/Dec/2019:11:40:18 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 428 "https://johnniang.me/archives/arts-2" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:40:26 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 428 "https://johnniang.me/archives/arts-2" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:40:31 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 428 "https://johnniang.me/archives/arts-2" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"

估计是浏览器点起来不太舒服,于是又给 Python 穿上马甲(伪装 User-Agent)继续试探:

[06/Dec/2019:11:41:58 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 428 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:41:58 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 279 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:41:59 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 279 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:42:11 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 428 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:42:12 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 279 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:42:59 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 428 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:43:09 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 428 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:43:10 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 279 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"

从攻击的规律来看,一直在评论我的一篇文章,为了不给我其他访客造成影响,我只能被迫开启评论审核功能了。

最终,该攻击者终于找到了评论接口的 rate limit,于是间隔 5s 就发送一个 POST 请求:

[06/Dec/2019:11:47:54 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:48:00 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:48:05 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:48:11 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:48:16 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:48:22 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:48:27 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:48:33 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"

尝试禁用该篇文章的评论

此后邮箱的状况如下图:

image.png

几乎所有的恶意评论都是指向的一篇文章,我尝试禁用该篇文章的评论功能(减少正常访客的影响)。

对方继续被追击

但是好景不长,攻击者发现了请求出现了大量的 400 错误,于是就通过电脑的浏览器访问我的博客的某一篇文章,评论之后发现评论功能已经被禁用:

[06/Dec/2019:11:55:27 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 95 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:55:30 +0000] "GET /archives/arts-2 HTTP/1.1" 200 19072 "https://johnniang.me/archives" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:55:32 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 95 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"

于是攻击者继续访问我的其他文章,发现其他文章的评论功能是正常的。

[06/Dec/2019:11:55:35 +0000] "GET /archives HTTP/1.1" 200 13396 "https://johnniang.me/archives/arts-2" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:55:36 +0000] "GET /archives/a1074-reversing-linked-list HTTP/1.1" 200 15191 "https://johnniang.me/archives" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:55:37 +0000] "GET /api/content/options/comment HTTP/1.1" 200 106 "https://johnniang.me/archives/a1074-reversing-linked-list" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:55:37 +0000] "GET /api/content/posts/37/comments/top_view?page=0&sort=&size=5&total=0 HTTP/1.1" 200 1034 "https://johnniang.me/archives/a1074-reversing-linked-list" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:55:38 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 95 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:57:16 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:57:22 +0000] "POST /api/content/posts/comments HTTP/1.1" 404 95 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:57:27 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:57:33 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:57:39 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:57:44 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:11:57:50 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"

于是攻击者的武器升级了,开始乱抢扫射,遍历文章的 ID (该 ID 是从 1 开始的自增属性)并发送评论请求。我的邮箱就这么被狂轰滥炸(轻微):

image.png

被迫关闭评论的 API

最后只能被迫关闭评论接口这个 API 了。同时也导致正常访客无法正常发送评论(攻击者的目的也达到了)。

对方终于放弃

在得到大量的 403 错误之后,对方终于放弃了。

[06/Dec/2019:12:00:18 +0000] "POST /api/content/posts/comments HTTP/1.1" 404 95 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:12:00:24 +0000] "POST /api/content/posts/comments HTTP/1.1" 400 95 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:12:00:31 +0000] "POST /api/content/posts/comments HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:12:00:37 +0000] "POST /api/content/posts/comments HTTP/1.1" 403 99 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"
[06/Dec/2019:12:00:42 +0000] "POST /api/content/posts/comments HTTP/1.1" 403 99 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36" "161.117.195.20"

不足

接口的限制不够灵活,仍然能够被有效地攻击。需要一个有效的限制策略,比如限制频率为 5s、1min、30min、1hour、3hour、6hour、12hours、24hours 等等。

record halo poc