
derek_walker
10 years ago

Users Online Count Explosion!

We are seeing thousands of anon sessions for a single IP address: http://whatismyipaddress.com/ip/178.34.160.200. Most usersonline rows are blank, but it appears it is someone in Russia (or proxying through a Russian IP) searching through our TKBs and Forums. He might also be someone looking for vulnerabilities in the search form. A few URLs resemble

.../t5/forums/searchpage/tab/tkb_<

Which get inserted into some hidden form fields without escaping the characters.

<input value="SearchPage:tab/tkb_<:searchauthorfilter.form:" name="liaFormContentKey" type="hidden">

http://community.ubnt.com/t5/forums/usersonlinepage/show-anon/true/show-dup-users/true

Is there anything that we can/should do to de-dupe the anon sessions? Or, is there anything we can do to get a more accurate metric for users online? I don't really want to ban the IP address because it would not be hard for someone to open a new proxy and resume where they left off.

FaisalK Not sure if this is a security concern, but figured I would let you know. Ubnt has a HackerOne account set up, so we will notify you if anything gets submitted.
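Added example, not part of the original post and not the platform's own code: one way to de-dupe anonymous sessions when computing a users-online figure, collapsing anonymous sessions to one per client IP and setting aside any IP that holds an implausible number of them. The row layout, the `users_online` function, the threshold and the sample data are all assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample rows: (session_id, login or None for anonymous, client_ip).
# Addresses come from the RFC 5737 documentation ranges, not from real traffic.
SESSIONS = (
    [(f"s{i}", None, "203.0.113.7") for i in range(1000)]  # one noisy client
    + [
        ("a1", None, "198.51.100.10"),
        ("a2", None, "198.51.100.10"),   # same visitor, second anon session
        ("a3", None, "198.51.100.11"),
        ("u1", "alice", "198.51.100.20"),
        ("u2", "alice", "198.51.100.21"),  # same member, two devices
        ("u3", "bob", "198.51.100.10"),
    ]
)


def users_online(sessions, anon_threshold=50):
    """Return raw and de-duplicated counts plus IPs with too many anon sessions.

    anon_threshold is a hypothetical cut-off: an IP holding at least this many
    anonymous sessions is treated as automated traffic and left out of the metric.
    """
    members = set()
    anon_per_ip = Counter()
    for _session_id, login, ip in sessions:
        if login is None:
            anon_per_ip[ip] += 1
        else:
            members.add(login)  # signed-in users are counted once per login

    noisy = {ip: n for ip, n in anon_per_ip.items() if n >= anon_threshold}
    anon_visitors = len(anon_per_ip) - len(noisy)  # one per remaining IP
    return {
        "raw_sessions": len(sessions),
        "members": len(members),
        "anon_deduped": anon_visitors,
        "online_deduped": len(members) + anon_visitors,
        "noisy_ips": noisy,
    }


if __name__ == "__main__":
    print(users_online(SESSIONS))
```

Counting one anonymous visitor per IP undercounts real users who share a NAT or corporate proxy, so the threshold should be set from the site's normal per-IP distribution, and the `noisy_ips` output is worth reviewing alongside the metric.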

  • AndrewF
    Khoros Oracle

    We have blocked this IP at the HTTP server level. In practice many of these attacks and scans end after a single IP is banned, but if the attacker tries to evade we will take additional measures -- please let us know if you see any other suspicious IPs.

    Andrew

  • AndrewF FaisalK Thanks for handling the security issue.

    However, my real question was if there is anything we can do about the false user online reporting. Our shareholders look to this as a metric of success and we want to ensure that this number is accurate. It also helps us avoid the paranoid investors/customers that want to know "Why users online spiked to 15k this morning? Did I miss something? What are you not telling me?"

    So is there anything we (or you) can do other than monitor the site and block IP addresses?

    • luk
      Boss

      derek_walker It seems that many times the user online counts are not very accurate (for example, if you have Google Analytics installed on your site, you can compare the Lithium value to the "real time" value of GA...it's usually a HUGE discrepancy)...so maybe a more accurate count can be fetched directly via the GA API...but yeah, it's definitely more work, but if this is critical for your company you can think about it...

    • FaisalK
      Lithium Alumni (Retired)

      Hi Derek,

      Sorry that your original point got lost in the shuffle.

      "Why users online spiked to 15k this morning? Did I miss something? What are you not telling me?"

      Have you tried reaching out to your TAM or created a support ticket to look into this?

      In general, there could be many reasons why this could have happened, including but not limited to, bot traffic, crawlers, security testing, etc. It could even be tied to legitimate activity such as overly ambitious monitoring, performance testing, etc.

      -Faisal

  • FaisalK
    Lithium Alumni (Retired)

    This is a security concern.

    Please block this IP address immediately.