A week ago I noticed a high CPU load on my web server and found that 4 CPUs were busy executing tasks created by phubb, my WebSub server implementation.
Spam info
Upon further investigation I found that there were ~1500 remote IP addresses sending ~3500 ping requests per minute to my server. Each request spawned a background process, leading to the high server load.
The source IPs were split geographically across a couple dozen countries, the top 5 being:
  IPs | Country
------+-------------------------------
 1000 | US, United States
  311 | GB, United Kingdom
  123 | UA, Ukraine
   64 | RO, Romania
   59 | IR, Iran, Islamic Republic of
The feed URLs for which update pings were sent to my server were e.g. http://romareis.nl/atom320756.xml and many more domains.
When opening the URLs listed inside the feed with a browser, they redirected to bt-fr-cl.com and some subpath. This seems to be a tracking service that counts link clicks, which may explain the spam attack: get links to those URLs in front of many eyes and have people click on them, to earn ad revenue or even get paid per click.
Mitigation
I added a whitelist to phubb and now only allow pings and subscriptions for cweiske.de.
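Added example, not phubb's own code: a topic-URL allowlist check of the kind described above, written in Python for illustration. It compares the parsed hostname (not the raw string) against the allowed set, so look-alike hosts, embedded credentials and non-HTTP schemes are rejected before any background process is spawned. The hub.mode and topic parameter handling is assumed, not taken from phubb.

```python
from urllib.parse import urlsplit

# Hosts whose feeds this hub accepts pings and subscriptions for
# (the post's policy: only cweiske.de).
ALLOWED_TOPIC_HOSTS = {"cweiske.de"}


def topic_is_allowed(topic_url, allowed_hosts=ALLOWED_TOPIC_HOSTS):
    """Return True only if topic_url points at an allowlisted host.

    Matching is done on the parsed, lowercased hostname, so neither
    'http://cweiske.de.evil.example/' nor 'http://cweiske.de@evil.example/'
    passes. Ports are ignored; userinfo and non-HTTP schemes are refused.
    """
    try:
        parts = urlsplit(topic_url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    return host in allowed_hosts


def filter_ping(mode, topic_url):
    """Decide the HTTP status for an incoming hub request (assumed
    parameter names) before any work is queued for it."""
    if mode not in ("publish", "subscribe", "unsubscribe"):
        return 400, "unknown hub.mode"
    if not topic_is_allowed(topic_url):
        # Reject cheaply here; no background process is started.
        return 403, "topic host not allowed on this hub"
    return 202, "accepted"


if __name__ == "__main__":
    # Constructed sample: the spam feed URL from the post versus a local one.
    for url in ("http://romareis.nl/atom320756.xml", "http://cweiske.de/feed.xml"):
        print(url, filter_ping("publish", url))
```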
Fuck you, spammers. I wish you a slow and painful death.