Are IP bans supposed to prevent search query spam? If so, it's not working

Question

I'm getting search query spam daily in my Q2A, mostly from chinese IPs, since the end of last month.

I don't understand the purpose of this but the spam doubled my eventlog size.

Sample

• ipaddress    params
• 180.153.236.101    query=大奖娱乐PT老虎机开户 Q8201930...start=20
• 180.153.236.109    query=大奖老虎机存款优惠 Q82019309....start=0
• 180.153.236.11    query=大奖娱乐AG捕鱼游戏送彩金www...start=10
• 180.153.236.117    query=大奖娱乐TTG老虎机注册送彩
• 180.153.236.125    query=趣拍娱乐HB老虎机开户送礼金...start=30
• 180.153.236.133    query=大奖娱乐赢钱技巧 Q82019309.com...start=0
• 180.153.236.157    query=大奖捕鱼送38元官网 Q82019309.c...start=30
• 180.153.236.181    query=大奖老虎机官方网址 Q82019309....start=10
• 180.153.236.19    query=趣拍娱乐GOS老虎机注册送礼
• 180.153.236.43    query=永利爆大奖娱乐城 Q82019309.com...start=10
• 180.153.236.59    query=大奖AG捕鱼游戏送彩金www.djyl1...start=30
• 42.120.160.97    query=大奖老虎机首存优惠 Q82019309....start=50
• 42.236.10.100    query=趣拍AG捕鱼游戏注册 www.qpyl18....start=0
• 42.236.10.102    query=大奖PT老虎机充送活动www.djyl1...start=30
• 42.236.10.103    query=大奖MG老虎机送礼金 Q82019309.comstart=20
• 42.236.10.105    query=大奖捕鱼是干什么的啊 Q820193...start=0
• 42.236.10.106    query=大奖老虎机注册就送钱 Q820193...start=60
• 42.236.10.107    query=大奖娱乐注册送现金 Q82019309....start=0
• 42.236.10.109    query=趣拍娱乐PT老虎机首存 www.qpyl...start=10
• 42.236.10.110    query=大奖MG老虎机首存活动www.djyl1...start=0
• 42.236.10.111    query=大奖娱乐TTG老虎机首存活动ww...start=10
• 42.236.10.112    query=永利爆大奖娱乐 Q82019309.com.comstart=0
• 42.236.10.113    query=大奖娱乐捕鱼游戏注册www.djyl...start=0
• 42.236.10.114    query=大奖娱乐GOS老虎机注册送彩
• 42.236.10.71    query=888大奖娱乐官网 Q82019309.com.comstart=0
• 42.236.10.72    query=大奖TTG老虎机开户送彩金www.d...start=30
• 42.236.10.73    query=大奖注册送4彩金 Q82019309.com.comstart=20
• 42.236.10.74    query=大奖娱乐GOS老虎机注册送礼
• 42.236.10.77    query=百度一下大奖娱乐 Q82019309.com...start=20
• 42.236.10.78    query=大奖游戏送体验金 Q82019309.com...start=10
• 42.236.10.79    query=大奖娱乐手机手工存款 Q820193...start=30
• 42.236.10.80    query=大奖游戏送体验金 Q82019309.com...start=20
• 42.236.10.84    query=大奖娱乐网页登录 Q82019309.com...start=30
• 42.236.99.130    query=在线至尊娱乐Q82019309.comstart=0
• 42.236.99.154    query=大奖娱乐送体验金 Q82019309.com...start=0
• 42.236.99.16    query=大奖HB老虎机充送活动www.djyl1...start=0
• 42.236.99.166    query=大奖老虎机是真的吗 Q82019309....start=30
• 42.236.99.178    query=大奖GOS老虎机送彩金www.djyl18....start=10
• 42.236.99.194    query=大奖PT老虎机开户送彩金 Q8201...start=10
• 42.236.99.2    query=大奖PT老虎机送彩金www.djyl18.comstart=0
• 42.236.99.206    query=趣拍娱乐HB老虎机送礼金 www.q...start=10
• 42.236.99.218    query=大奖MG老虎机注册送礼金 Q8201...start=50
• 42.236.99.23    query=大奖娱乐游戏试玩 Q82019309.com...start=0
• 42.236.99.230    query=大奖TTG老虎机开户送礼金www.d...start=40
• 42.236.99.242    query=大奖注册送58元 Q82019309.com.comstart=20
• 42.236.99.30    query=趣拍娱乐AG捕鱼游戏开户送礼...start=0
• 42.236.99.37    query=趣拍MG老虎机首存活动 www.qpyl...start=0
• 42.236.99.44    query=大奖娱乐线上赌场 Q82019309.com...start=10
• 42.236.99.51    query=Novomatic澳门赌场怎么玩Q8201930...start=10
• 42.236.99.58    query=趣拍娱乐TTG老虎机 www.qpyl18.comstart=30
• 42.236.99.65    query=趣拍娱乐HB老虎机开户送礼金...start=0
• 42.236.99.72    query=趣拍娱乐老虎机送彩金 www.qpy...start=0
• 42.236.99.79    query=永利爆大奖娱乐城 Q82019309.com...start=20
• 42.236.99.86    query=趣拍娱乐老虎机开户送礼金 w...start=30
• 42.236.99.9    query=大奖PT老虎机开户www.djyl18.comstart=0

More details

• The sample above is from today and yesterday.
• All legitimate search queries removed.
• All the listed IPs are within the blocked range which was done a few days before.
• Repeated IPs were also removed. The total was 143.

Testing

I tried using my website with a blocked IP via proxy.

Things I can do:

• View any page
• Login
• Make searches
• Access admin panel

Things I can't do:

• Post a question, answer, or comment
• Create a new account
• Pick best answer
• Upvote or downvote

Answer 1

are they accessing any pages after this query? I assume all blocked IP will not be able to access any questions or answer. I dont think your site will be showing any output for their search query. If they are able to access any QA then let us know, that is bug in Q2A.

If this kind of attacks are more then it will consume your server resources(RAM, CPU) and slow down server. This will have impact on your real users, they may see site loading slow. Many time hackers are only interested to bring down site, if they are not able to hack.

If you see this kind of issue again and again then I recommend you to use cloudflare.com like services. They know how to protect from DDoS attack. They will take care of such attacks at DNS level, even before it reaches your site.

Let us know how your are able to fix this.

Comments

I added the heading "Testing" in the question. Pages are accessible with blocked IPs.

---

Oh, then let me check this. After IP ban user should not access any pages.

---

Just checked this, user can access questions from banned IP but can not post anything. I feel we should completely block site for banned IP users.

@Scott, @pupi1985, what do you think?

Answer 2

please do not block this will reduce your server your can block on .htacces or on the config files

or fileban    

Comments

not sure what you would like to say.....IP ban from admin panel is easier.....also blocking entire site will help to reduce server load.

---

the problme  with cpu he can stop and ban the ip from the sys better
that's what i test

---

https://github.com/mariusv/nginx-badbot-blocker/tree/master/VERSION_2

Answer 3

The point of IP bans is to prevent spam/abuse more widely than banning user accounts does.

Simply viewing some pages doesn't really count as "abuse" in my view, however I can see the issue with searches as they can be "resource intensive" if many are made at once.

At the moment your best bet is to block those IPs at the server level. But usually spammers have many IPs and get around bans.