Forum Discussion

derek_walker's avatar
derek_walker
Guide
10 years ago

Users Online Count Explosion!

We are seeing 1000's of anon sessions for a single ip address. http://whatismyipaddress.com/ip/178.34.160.200 . Most usersonline rows are blank but it appears it is someone in Russia (or proxying through a Russia ip) searching through our TKB's and Forums. He might also be someone looking for vulnerabilites in the search form. A few urls resemble 

.../t5/forums/searchpage/tab/tkb_<

 

Which get inserted into some hidden form fields without escaping the characters. 

 

<input value="SearchPage:tab/tkb_<:searchauthorfilter.form:" name="liaFormContentKey" type="hidden">

 

http://community.ubnt.com/t5/forums/usersonlinepage/show-anon/true/show-dup-users/true

 

Is there anything that we can/should do to de-dupe the anon sessions? Or, is there anything we can do to get a more accurate metric for users online? I don't really want to ban the IP address because it would not be hard for someone to open a new proxy and resume where they left off.

 

FaisalK Not sure if this is a security concern, but figured I would let you know. Ubnt has a Hacker One account setup so we will notify you if anything get submitted.

  • AndrewF's avatar
    AndrewF
    Khoros Oracle
    10 years ago

    We have blocked this IP at the HTTP server level. In practice many of these attacks and scans end after a single IP is banned, but if the attacker tries to evade we will take additional measures -- please let us know if you see any other suspicious IPs.

     

    Andrew

  • derek_walker's avatar
    derek_walker
    Guide
    10 years ago

    AndrewF FaisalK Thanks for handling the security issue.

     

    However, my real question was if there is anything we can do about the false user online reporting. Our shareholders look to this as a metric of success and we want to ensure that this number is accurate. It also helps us avoid the paranoid investors/customers that want to know "Why users online spiked to 15k this morning? Did I miss something? What are you not telling me?"

     

    So is there anything we (or you) can do other than monitor the site and block IP addresses?

    • luk's avatar
      luk
      Boss
      10 years ago

      derek_walker It seems that many times the user online counts are not very accurate (for example if you have Google Analytics installed on your site, you can compare the Lithium value to the "real time" value of GA...it's usually a HUGE discrepancy)...so a maybe more accurate count can be fetched directly via GA API...but yeah, it's definitely more work, but if this is critical for your company you can think about it...

    • FaisalK's avatar
      FaisalK
      Lithium Alumni (Retired)
      10 years ago

      Hi Derek,

       

      Sorry that your original point got lost in the shuffle.

       

      "Why users online spiked to 15k this morning? Did I miss something? What are you not telling me?"

       

      Have you tried reaching out to your TAM or created a support ticket to look into this?

       

      In general, there could be many reasons why this could have happened, including but not limited to, bot traffic, crawlers, security testing, etc. It could even be tied to legitimate activity such as overly ambitious monitoring, performance testing,  etc.

       

      -Faisal

  • FaisalK's avatar
    FaisalK
    Lithium Alumni (Retired)
    10 years ago

    This is a security concern.

     

    Please block this IP address immediately.